locked
updates+level3.com RRS feed

  • Question

  •  

    Can someone tell me if onecare uses proxy servers at level3.com using footprint for any reason i.e updating. I ask as a recent netstat command showed a connection to 207.123.34.126 which is level3.com range of addresses and the pid of the app connecting was onecare. This connection happened just after boot and lasted for about 1 minute. I checked on another computer and the same happened on that but to a slightly different level3.com address. My systems are vista ultimate fully up to date and onecare fully up to date and scans ok. Perhaps it uses this for checking windows updates.
    Friday, October 24, 2008 9:05 AM

Answers

  • I asked for review of this thread by the OneCare team and received confirmation overnight that OneCare does indeed communicate to Level3 for updates in OneCare v2.5. So, at startup of the PC (and OneCare) when it checks for updates, it does reach out to a Level3 server to check for updates. It will also check a few other times during the day.

    -steve

     

    Tuesday, November 4, 2008 1:17 PM
    Moderator

All replies

  • No, what you are seeing is the OneCare Circle communication trying to reach a PC in your Circle at an IP address that it was once located at. For some stupid reason, OneCare remembers the remote address and checks it before checking the local LAN.

    -steve

    Friday, October 31, 2008 2:32 PM
    Moderator
  • Hi

    No that does not explain it as none of my two computers have ever been connected to level3.com in any form of a onecare circle. My computers are connected to a local network and as such use 192.168.x.x adress range. My isp is virginmedia. I truly believe that these adresses at level3.com are used to distribute microsoft updates to onecare. I would like Microsoft to confirm this or deny it to put my mind at rest but no one at microsoft seems to be able to do that task. I would like other people to try netstat -aon commands in a command window just after bootup and repeat the command for a few minutes to see if they get the same. If it was seeking old adresses that do not now exist then why is it commecting?

    Thanks for your reply but unfortunately it does not answer the question.

    malc

    Friday, October 31, 2008 4:48 PM
  • I've unmarked my post as an answer. To the best of my knowledge, OneCare does not communicate to any leve3 servers or services. What port do you see this communication go through?

    -steve

     

    Friday, October 31, 2008 6:28 PM
    Moderator
  • Hi

    Below I have copied the info from netstat, tasklist and an online IP whois for you. You can see from the netstat that at the time of command the port is in the wait state. It does connect but you have to catch it right. The connecting address is also not static. This one is 207.123.61.126 before it as been 207.123.34.126. From the tasklist command you can see the connecting process is winnss. I must stress I have no problems with my PC's they are fully up to date and onecare reports no problems. I have to assume its legitimate. I did find one internet forum that suggested iy was an update path but did not go into any details. I have removed any none relavent data from the items below. Thankyou for you fast response

    malc

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\malc>netstat -aon

    Active Connections

      TCP    192.168.1.101:49230    207.123.61.126:80      CLOSE_WAIT      2712 pid
     

    using tasklist pid is as follows
    winss.exe                     2712 Services                   0     46,980 K


    Using telnet responce from server is as follows after timout
    HTTP/1.0 408 Request Time-out
    Server: Footprint 4.3/FPMCP
    Mime-Version: 1.0
    Date: Sat, 01 Nov 2008 12:22:03 GMT
    Content-Type: text/html
    Content-Length: 658
    Expires: Sat, 01 Nov 2008 12:22:03 GMT


          <a href="http://www.footprint.net">Footprint 4.3/FPMCP</a>
                                                                    <br clear="all">

    <hr noshade size=1>
                       Generated Sat, 01 Nov 2008 12:22:03 GMT by 207.123.61.126 (<a
     href="http://www.footprint.net">Footprint 4.3/FPMCP</a>)
                                                             </BODY></HTML>


    Using an IP address lookup the decode of IP is as follows
    OrgName:    Level 3 Communications, Inc.
    OrgID:      LVLT
    Address:    1025 Eldorado Blvd.
    City:       Broomfield
    StateProv:  CO
    PostalCode: 80021
    Country:    US

    NetRange:   207.120.0.0 - 207.123.255.255
    CIDR:       207.120.0.0/14
    NetName:    LVLT-ORG-207-120
    NetHandle:  NET-207-120-0-0-1
    Parent:     NET-207-0-0-0-0
    NetType:    Direct Allocation
    NameServer: NS1.LEVEL3.NET
    NameServer: NS2.LEVEL3.NET
    Comment:   
    RegDate:   
    Updated:    2004-06-04

    OrgAbuseHandle: APL8-ARIN
    OrgAbuseName:   Abuse POC LVLT
    OrgAbusePhone:  +1-877-453-8353
    OrgAbuseEmail:  abuse@level3.com

    OrgTechHandle: ARINC4-ARIN
    OrgTechName:   ARIN Contact
    OrgTechPhone:  +1-800-436-8489
    OrgTechEmail:  arin-contact@genuity.com

    OrgTechHandle: TPL1-ARIN
    OrgTechName:   Tech POC LVLT
    OrgTechPhone:  +1-877-453-8353
    OrgTechEmail:  ipaddressing@level3.com

    Saturday, November 1, 2008 12:47 PM
  • Thanks for the additional details. I've pinged a contact on the OneCare team and hope for a response soon.

    -steve

     

    Monday, November 3, 2008 7:35 PM
    Moderator
  • I asked for review of this thread by the OneCare team and received confirmation overnight that OneCare does indeed communicate to Level3 for updates in OneCare v2.5. So, at startup of the PC (and OneCare) when it checks for updates, it does reach out to a Level3 server to check for updates. It will also check a few other times during the day.

    -steve

     

    Tuesday, November 4, 2008 1:17 PM
    Moderator
  • Hey Stephen. Why would a network including machines that have never had OneCare installed ever need to ping this address? And why does this appear to be a "hidden" communication - footprint.net is not forthcoming with its role nor its involvement with my network.
    Rich Turner [MSFT]
    Thursday, February 19, 2009 3:00 AM
  • Hi Richard,

    If I had to guess I'd think this was part of the global caching network used for Microsoft updates of all types, Windows, Office, OneCare and probably many others.  Remember that the initial contact to servers like update.microsoft.com is really just the initial step. A fter that, there is likely to be a large caching server presence worldwide that might be real servers or even more likely, a set of virtual connections to several more central sets of caching servers.

    This is the same way most major update systems for other vendors actually work.  Though the average user thinks of these as hundreds of small servers in hosting locations in every country, more often they are only a few large caching engines or even simply high capacity NAS with a caching front-end located in different regions around the world.

    OneCareBear
    Windows OneCare Forum Moderator
    Thursday, February 19, 2009 5:24 AM
    Moderator
  • I'll add that OneCareBear is quite correct in this. The company I work for (not Microsoft) has a major Internet presence and we self host a whole load of content and handle millions of transactions daily. However, a significant amount of content is actually presented to end users by servers hosted by Akamai. The end user has no idea that Akamai is serving the content unless a trace was initiated on the http traffic.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Friday, February 20, 2009 1:58 PM
    Moderator