Blocking outbound 443

RonNYC

I have Win7 with a Linksys router. I noticed in the router log that there are several unknown (to me) IP connections on 443. I would like to block them. Is this easy? Or a pain?

thanks

RON
 
Pretty sure that's https traffic (as opposed to just http). It can also be used for email I think.
 
I'm sure it's HTTPS but it doesn't originate from me, that is, from an action by me. I don't know how to evaluate it.

31.13.65.23
98.124.247.66
199.59.149.230
23.54.209.224

Perhaps this is just customary for "normal" web pages. I don't know.

RON
 
One of those looks like it's coming from twitter...
 
Yes, I could see Twitter. I don't have a Twitter account. My question is: is it common for web sites I visit to then use 443 to GET or POST something on a site I am unfamiliar with? And how can I block this?
 
Those could be tracking cookies phoning home. Take those IPs and see if they are in the firewall logs. If so you can see where they came from and who they were talking to.
 
The addresses relate to sites by:
Facebook,
Twitter,
Akamai (which is a company that has servers all over the world that mirror sites, so it could be anything that you're connecting to),
and a block that seems to be in use by a company called Demand Media.

I suspect that if you looked at the site that you connected to when you saw these strange connections there would be:

An article served by the site, with some kind of comments section where you could comment on the article from the identity of your Facebook account, and a part where they want to show you who is tweeting about the article.
(That explains the first two.)

If the article is on a very large site, and if you've needed to sign in, then it's likely that the site could be hosted on Akamai (so it's mirrored to a server geographically closer to you so that your access to it is easier).
As for the last site, Demand Media, I'd imagine that's either the publisher of the site that you're connected to (and you need to connect to them because there is some content that can't be cached, e.g. a comments section or forum, to get actual content, whilst things like site banners and a lot of page data are served by Akamai), or else Demand Media host adverts.

So mystery solved.
The reason you're connecting to those sites is because whatever page you're looking at has content from those sites.


Code:
C:\Windows\System32>jwhois 31.13.65.23
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '31.13.64.0 - 31.13.127.255'

inetnum:        31.13.64.0 - 31.13.127.255
netname:        IE-FACEBOOK-20110418
descr:          Facebook Ireland Ltd
country:        IE
org:            ORG-FIL7-RIPE
admin-c:        RD4299-RIPE
tech-c:         RD4299-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      fb-neteng
mnt-routes:     fb-neteng
source:         RIPE # Filtered

Code:
C:\Windows\System32>jwhois 199.59.149.230
[Querying whois.arin.net]
[whois.arin.net]

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 199.59.149.230"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=199.59.149.230?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       199.59.148.0 - 199.59.151.255
CIDR:           199.59.148.0/22
OriginAS:       AS13414
NetName:        TWITTER-NETWORK
NetHandle:      NET-199-59-148-0-1
Parent:         NET-199-0-0-0-0
NetType:        Direct Assignment
RegDate:        2010-11-23
Updated:        2013-05-16
Ref:            http://whois.arin.net/rest/net/NET-199-59-148-0-1


OrgName:        Twitter Inc.
OrgId:          TWITT
Address:        1355 Market Street
Address:        Suite 900
City:           San Francisco
StateProv:      CA
PostalCode:     94103
Country:        US
RegDate:        2010-03-08
Updated:        2013-04-26
Ref:            http://whois.arin.net/rest/org/TWITT

OrgTechHandle: CONNO14-ARIN
OrgTechName:   connor, Shane
OrgTechPhone:  +1-415-750-4040
OrgTechEmail:  sconnor@twitter.com
OrgTechRef:    http://whois.arin.net/rest/poc/CONNO14-ARIN

OrgNOCHandle: NETWO3685-ARIN
OrgNOCName:   Network Operations
OrgNOCPhone:  +1-415-222-9670
OrgNOCEmail:  noc@twitter.com
OrgNOCRef:    http://whois.arin.net/rest/poc/NETWO3685-ARIN

Code:
C:\Windows\System32>jwhois 23.54.209.224
[Querying whois.arin.net]
[whois.arin.net]

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 23.54.209.224"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=23.54.209.224?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       23.32.0.0 - 23.67.255.255
CIDR:           23.64.0.0/14, 23.32.0.0/11
OriginAS:
NetName:        AKAMAI
NetHandle:      NET-23-32-0-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Allocation
RegDate:        2011-05-16
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-23-32-0-0-1

OrgName:        Akamai Technologies, Inc.
OrgId:          AKAMAI
Address:        8 Cambridge Center
City:           Cambridge
StateProv:      MA
PostalCode:     02142
Country:        US
RegDate:        1999-01-21
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/AKAMAI



Code:
C:\Windows\System32>jwhois 98.124.247.66
[Querying whois.arin.net]
[whois.arin.net]

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.124.247.66"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=98.124.247.66?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       98.124.192.0 - 98.124.255.255
CIDR:           98.124.192.0/18
OriginAS:       AS21740
NetName:        DEMANDMEDIA-2
NetHandle:      NET-98-124-192-0-1
Parent:         NET-98-0-0-0-0
NetType:        Direct Assignment
RegDate:        2008-06-17
Updated:        2012-03-21
Ref:            http://whois.arin.net/rest/net/NET-98-124-192-0-1

OrgName:        eNom, Incorporated
OrgId:          ENOM
Address:        5808 Lake Washington Blvd. Suite 300
City:           Kirkland
StateProv:      WA
PostalCode:     98033
Country:        US
RegDate:        2001-06-15
Updated:        2012-05-03
Comment:        Domain Related inquiries please contact our helpdesk at 425-274-4500 (http://www.enom.com/help/).
Ref:            http://whois.arin.net/rest/org/ENOM

OrgTechHandle: SVOBO-ARIN
OrgTechName:   svobodny, ben
OrgTechPhone:  +1-425-298-2205
OrgTechEmail:  ben.svobodny@demandmedia.com
OrgTechRef:    http://whois.arin.net/rest/poc/SVOBO-ARIN

OrgAbuseHandle: DEMAN-ARIN
OrgAbuseName:   DemandMedia NOC
OrgAbusePhone:  +1-425-274-4500
OrgAbuseEmail:  dmnoc@demandmedia.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/DEMAN-ARIN
 
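The post above does the attribution by hand: run whois on each destination from the router log, read off the allocation it belongs to, and decide from the owning organisation whether the traffic is worth blocking. The script below is an added example (not from anyone in this thread) that automates exactly that workflow offline. The whois text it parses is a constructed, abridged copy of the RIPE-style (inetnum:) and ARIN-style (NetRange:/CIDR:) records quoted in the thread; it checks that each logged IP really falls inside the allocation whois returned, and then builds the Windows 7 netsh outbound rule that would block TCP/443 to the whole netblock. The netsh syntax is an assumption about the original poster's setup, and the Akamai caveat in the code is the practical reason blocking by netblock is a blunt tool.

```python
"""Attribute outbound-443 destinations from a router log to the netblocks
returned by whois, then produce the matching Windows Firewall block rules.

Added example, not from the original thread. The whois text below is a
constructed excerpt in the shape of the RIPE (inetnum:) and ARIN
(NetRange:/CIDR:) records quoted earlier in the thread."""
import ipaddress
import re

# Constructed sample: the four destinations the poster saw in the router log.
LOGGED_DESTINATIONS = ["31.13.65.23", "98.124.247.66", "199.59.149.230", "23.54.209.224"]

# Constructed whois excerpts keyed by queried IP (abridged from the thread's output).
WHOIS_OUTPUT = {
    "31.13.65.23": """\
inetnum:        31.13.64.0 - 31.13.127.255
netname:        IE-FACEBOOK-20110418
descr:          Facebook Ireland Ltd
country:        IE
""",
    "199.59.149.230": """\
NetRange:       199.59.148.0 - 199.59.151.255
CIDR:           199.59.148.0/22
NetName:        TWITTER-NETWORK
OrgName:        Twitter Inc.
""",
    "23.54.209.224": """\
NetRange:       23.32.0.0 - 23.67.255.255
CIDR:           23.64.0.0/14, 23.32.0.0/11
NetName:        AKAMAI
OrgName:        Akamai Technologies, Inc.
""",
    "98.124.247.66": """\
NetRange:       98.124.192.0 - 98.124.255.255
CIDR:           98.124.192.0/18
NetName:        DEMANDMEDIA-2
OrgName:        eNom, Incorporated
""",
}


def parse_whois(text):
    """Return (networks, names) from a RIPE- or ARIN-style whois record.

    networks: list of ipaddress.IPv4Network objects covering the allocation
    names:    dict with the netname and the organisation (OrgName or descr)
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)   # 'key:   value' lines only
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    networks = []
    if "cidr" in fields:                                 # ARIN may list several CIDRs
        for cidr in fields["cidr"].split(","):
            networks.append(ipaddress.ip_network(cidr.strip()))
    else:                                                # RIPE inetnum / ARIN NetRange: a range
        rng = fields.get("inetnum") or fields.get("netrange")
        first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        networks.extend(ipaddress.summarize_address_range(first, last))
    names = {
        "netname": fields.get("netname"),
        "org": fields.get("orgname") or fields.get("descr"),
    }
    return networks, names


def attribute(ip, whois_text):
    """Confirm the logged IP lies inside the allocation whois returned and label it."""
    networks, names = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    covering = [n for n in networks if addr in n]
    if not covering:
        raise ValueError(f"{ip} is outside the whois allocation {networks}")
    return {"ip": ip, "network": str(covering[0]), **names}


def block_rule(entry, name_prefix="Block443"):
    """Windows Firewall outbound rule for the covering netblock.

    Assumption: Windows 7 'netsh advfirewall' syntax. Blocks TCP/443 to the
    whole allocation, not just the one IP seen in the log."""
    return (f'netsh advfirewall firewall add rule name="{name_prefix}-{entry["netname"]}" '
            f'dir=out action=block protocol=TCP remoteport=443 remoteip={entry["network"]}')


def report(destinations=LOGGED_DESTINATIONS, whois=WHOIS_OUTPUT):
    """Attribute every logged destination; returns a list of labelled entries."""
    return [attribute(ip, whois[ip]) for ip in destinations]


if __name__ == "__main__":
    for e in report():
        print(f'{e["ip"]:16} {e["network"]:18} {e["netname"]:22} {e["org"]}')
        # Caveat: Akamai's 23.32.0.0/11 is a shared CDN block; a rule on it
        # breaks many unrelated sites, so only block the social/ad netblocks.
        print("    ", block_rule(e))
```

Run it as-is to see the four destinations mapped to Facebook, eNom/Demand Media, Twitter and Akamai with the rule that would block each; in real use, replace `WHOIS_OUTPUT` with the text captured from `jwhois` for the IPs in your own router log.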