Thursday, August 22, 2013

Unusual Network Traffic

I was using Process Hacker and noticed lots of connections in waiting status to low-numbered IP addresses, which seemed unusual because no network apps that I was aware of were running. I started investigating who these IP addresses belong to and found others have asked the same question without any good answers. So I broke out my tools and figured out exactly what is happening. Kaspersky makes frequent calls to these dnl sites to update AV, KSN, etc. Someone questioned what was being sent because it's an SSL connection, so I broke the tunnel and captured exactly what it was requesting. I didn't monitor it for hours on end, but for the time I have watched, it is only performing a GET for updates and diffs. See my screenshot.

Seems like Kaspersky has a bunch of download servers. If you notice, the DNS names resolve in pairs to the same IP; I suspect it's a load-balancing or failover method. The IP addresses do not reverse-resolve to the host names; I discovered these names when looking inside the encrypted tunnel.

host name :  dnl-00.geo.kaspersky.com
address   :  4.28.136.36

host name :  dnl-01.geo.kaspersky.com
address   :  4.28.136.36

host name :  dnl-02.geo.kaspersky.com
address   :  4.28.136.39

host name :  dnl-03.geo.kaspersky.com
address   :  4.28.136.39

host name :  dnl-04.geo.kaspersky.com
address   :  4.28.136.42

host name :  dnl-05.geo.kaspersky.com
address   :  4.28.136.42

host name :  dnl-06.geo.kaspersky.com
address   :  38.124.168.116

host name :  dnl-07.geo.kaspersky.com
address   :  38.124.168.119

host name :  dnl-08.geo.kaspersky.com
address   :  38.124.168.125

host name :  dnl-09.geo.kaspersky.com
address   :  38.117.98.196

host name :  dnl-00.geo.kaspersky.com
address   :  4.28.136.36

host name :  dnl-10.geo.kaspersky.com
address   :  38.117.98.199

host name :  dnl-11.geo.kaspersky.com
address   :  38.117.98.202

host name :  dnl-12.geo.kaspersky.com
address   :  38.117.98.253

host name :  dnl-13.geo.kaspersky.com
address   :  38.124.168.119

host name :  dnl-14.geo.kaspersky.com
address   :  4.28.136.39

host name :  dnl-15.geo.kaspersky.com
address   :  38.124.168.116

host name :  dnl-16.geo.kaspersky.com
address   :  38.117.98.196

host name :  dnl-17.geo.kaspersky.com
address   :  38.117.98.202

host name :  dnl-18.geo.kaspersky.com
address   :  38.117.98.199

host name :  dnl20.geo2.kaspersky.com
alias name:  dnl-19.geo.kaspersky.com
address   :  4.28.136.42
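As an added example (not from the post), here is a small Python script that takes the forward resolutions listed above, groups them by IP so the shared addresses stand out, and checks netstat-style connection lines against that set so an endpoint outside the known update servers is flagged for a closer look. The connection lines and the 203.0.113.77 address are constructed, and the host table is a static copy of the list above.

```python
import ipaddress
from collections import defaultdict

# Forward resolutions reported in the post (host -> IP). Static copy so the
# script runs offline; re-resolve the names yourself before relying on it.
KASPERSKY_DNL = {
    "dnl-00.geo.kaspersky.com": "4.28.136.36",
    "dnl-01.geo.kaspersky.com": "4.28.136.36",
    "dnl-02.geo.kaspersky.com": "4.28.136.39",
    "dnl-03.geo.kaspersky.com": "4.28.136.39",
    "dnl-06.geo.kaspersky.com": "38.124.168.116",
    "dnl-09.geo.kaspersky.com": "38.117.98.196",
}

# Constructed netstat-style lines standing in for what Process Hacker showed.
# 203.0.113.77 is a documentation address used here as the "unknown" endpoint.
SAMPLE_CONNECTIONS = [
    "TCP  192.168.1.20:49712  4.28.136.36:443     ESTABLISHED",
    "TCP  192.168.1.20:49713  38.124.168.116:443  TIME_WAIT",
    "TCP  192.168.1.20:49720  203.0.113.77:443    ESTABLISHED",
]

def hosts_by_ip(table):
    """Invert host -> IP so the shared (load-balanced) addresses stand out."""
    grouped = defaultdict(list)
    for host, ip in table.items():
        grouped[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in grouped.items()}

def parse_connection(line):
    """Return (remote_ip, remote_port, state) from a netstat-style line."""
    proto, local, remote, state = line.split()
    ip, port = remote.rsplit(":", 1)
    return str(ipaddress.ip_address(ip)), int(port), state

def classify(lines, table=KASPERSKY_DNL):
    """Label each remote endpoint with the update hosts it maps to, or none."""
    known = hosts_by_ip(table)
    results = []
    for line in lines:
        ip, port, state = parse_connection(line)
        results.append({"ip": ip, "port": port, "state": state,
                        "hosts": known.get(ip, []), "known": ip in known})
    return results

if __name__ == "__main__":
    for r in classify(SAMPLE_CONNECTIONS):
        tag = ", ".join(r["hosts"]) or "unknown: investigate"
        print(f'{r["ip"]}:{r["port"]} [{r["state"]}] {tag}')
```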

Sincerely,

The Cheapbyte
