2

From a fresh reboot I entered netstat -an | more in a terminal shell and located a foreign ip address 99.86.32.24 from netstat's output connected to my system over port 443. I've opted out of sending diagnostic reports to cannonical telemetry servers, yet I am connected to cannonical and amazon aws, why?

Here's the output of the whois command with the amazon ip passed as a argument:

NetRange:       99.85.128.0 - 99.87.191.255
CIDR:           99.85.128.0/17, 99.87.128.0/18, 99.86.0.0/16, 99.87.0.0/17
NetName:        AMAZO-4
NetHandle:      NET-99-85-128-0-1
Parent:         NET99 (NET-99-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509
Organization:   Amazon.com, Inc. (AMAZO-4)
RegDate:        2018-01-10
Updated:        2018-01-11
Ref:            https://rdap.arin.net/registry/ip/99.85.128.0



OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Inc.
Address:        P.O. Box 81226
City:           Seattle
StateProv:      WA
PostalCode:     98108-1226
Country:        US
RegDate:        2005-09-29
Updated:        2020-04-07
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com
Ref:            https://rdap.arin.net/registry/entity/AMAZO-4


OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064 
OrgTechEmail:  [email protected]
OrgTechRef:    https://rdap.arin.net/registry/entity/ANO24-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-266-4064 
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://rdap.arin.net/registry/entity/AANO1-ARIN

OrgRoutingHandle: ADR29-ARIN
OrgRoutingName:   AWS Dogfish Routing
OrgRoutingPhone:  +1-206-266-4064 
OrgRoutingEmail:  [email protected]
OrgRoutingRef:    https://rdap.arin.net/registry/entity/ADR29-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN

OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName:   IP Routing
OrgRoutingPhone:  +1-206-266-4064 
OrgRoutingEmail:  [email protected]
OrgRoutingRef:    https://rdap.arin.net/registry/entity/IPROU3-ARIN

My overall question here is why would ubuntu be connected to any other remote server if I have opted out from sending telemetry data? Is there a reason for this/these connections? Or should I be paranoid?

sd_hito
  • 29
  • 1
  • 3
  • 1
    Port 443 is used for TLS/SSL connections, which is in turn used for some https connections. Try `sudo netstat -atulpn | grep 443` to see which application is communicating to that IP address. Myself, I have eight connections currently open...all of them from my web browser. Connecting to AskUbuntu is one of them! – user535733 Apr 24 '20 at 22:02
  • 1
    If you got as far a using `netstat`, then use `-p` to show process information as well, and you'll have your answer. – muru Apr 25 '20 at 04:17
  • As a side remark, isn't it better nowadays to use the socket statistics tool, `ss`, instead of good old `netstat` ? – NovHak Dec 07 '21 at 01:22

2 Answers2

2

Canonical hosts some content and update mirrors in AWS. That's likely all you're seeing here.

James
  • 21
  • 2
0

Since you asked, personally, I would be paranoid and block it with iptables and keep and eye out for its re-appearance. And of course be aware if it impacts any service necessary to operating your system. If so, please report it back here. These days, if you're not paranoid, you're crazy.

Use the hint in the notes above to determine what apps are involved to get started in your investigation.

In fact, I found this question while searching for "dogfish routing" because I have found questionable traffic coming from another netblock 54.64.0.0/13 AMAZON-2011L that contains the same string.

see also: Why Lubuntu 18.04 calls Amazon servers? (motd.ubuntu.com)

Hugh Buntu
  • 419
  • 1
  • 3
  • 11