Old 10-18-2007, 05:32 PM   #1
mchugh24
Prospect
 
Join Date: Mar 2007
Posts: 13
AirPort Base Station Agent wants to connect to site?

I have Little Snitch installed and two times this month it has popped up saying that AirPort Base Station Agent wants to connect to 216-207-67-137.dia.static.qwest.net on port 80. This seems odd to me. I am running a wired connection to my AirPort Extreme and the only thing wireless on the closed network is a Wii. Any ideas?

Thanks--CM
mchugh24 is offline   Reply With Quote
Old 10-18-2007, 07:34 PM   #2
trevstrotz1
Major Leaguer
 
Join Date: Jul 2007
Location: Arlington, WA
Posts: 461
Question

Is your internet service provider Qwest? If so, it is trying to connect to Qwest's website, if it is your ISP, then I would let it connect, because it is probably part of your connection...

BUT ONLY IF YOUR ISP IS QWEST...

reply back....
__________________
BlackBook
2GB RAM
Mac OS X 10.6 Snow Leopard & Boot Camp (Windows 7 Ultimate) + Parallels (Windows XP Pro SP3)
2.2 GHz Intel Core 2 Duo
iPhone 16GB

My Internet Speed:
http://i180.photobucket.com/albums/x...trotz1/Sig.jpg
trevstrotz1 is offline   Reply With Quote
Old 10-18-2007, 08:19 PM   #3
mchugh24
Prospect
 
Join Date: Mar 2007
Posts: 13
Thanks for the reply. No, I have Comcast as my ISP. I let the Airport Utility access some things, like NTP and DNS, but this is the only time that the Airport Base Station has tried an outbound connection that I know of.

I now know these are 2 different applications, the location of the base station app is /System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent and Airport Utility is in the Utilities folder. I googled some relevant info and got nothing...

CM
mchugh24 is offline   Reply With Quote
Old 10-18-2007, 09:30 PM   #4
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,935
Quote:
Originally Posted by mchugh24
I have Little Snitch installed and two times this month it has popped up saying that AirPort Base Station Agent wants to connect to 216-207-67-137.dia.static.qwest.net on port 80.

1) The Airport Base Station Agent is apparently (from a small mention that I read on TIDbits.com) something that is new with recent Airport Admin updates - it is apparently a program that checks on the status of your Airport base stations.
I don't know why it would be trying to access an outside web site.

2) What URL is being requested when it tries to access that outside web server? There is a web server running at that address but I haven't been able to get any useful web pages from it, just error pages (see below, where the green is what I typed, the blue is the response from the server).

Code:
% telnet 216.207.67.137 80
Trying 216.207.67.137...
Connected to 216-207-67-137.dia.static.qwest.net.
Escape character is '^]'.
GET / HTTP/1.0


HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 187
Expires: Fri, 19 Oct 2007 02:22:28 GMT
Date: Fri, 19 Oct 2007 02:22:28 GMT
Connection: close

<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "/", is invalid.<p>
Reference #9.8543cfd8.1192760548.0
</BODY></HTML>
Connection closed by foreign host.

The fact that the server identifies itself as "AkamaiGHost" (above) makes it seem like it might be an Apple-operated server - Apple often uses Akamai for distributed load balancing.
__________________
hayne.net/macosx.html

Last edited by hayne; 10-18-2007 at 09:34 PM.
hayne is offline   Reply With Quote
Old 10-19-2007, 01:31 AM   #5
heimerwisen
Prospect
 
Join Date: Oct 2007
Posts: 2
Quote:
Originally Posted by mchugh24
I have Little Snitch installed and two times this month it has popped up saying that AirPort Base Station Agent wants to connect to 216-207-67-137.dia.static.qwest.net on port 80. This seems odd to me. I am running a wired connection to my AirPort Extreme and the only thing wireless on the closed network is a Wii. Any ideas?

Thanks--CM


Quote:
Originally Posted by hayne
1) The Airport Base Station Agent is apparently (from a small mention that I read on TIDbits.com) something that is new with recent Airport Admin updates - it is apparently a program that checks on the status of your Airport base stations.
I don't know why it would be trying to access an outside web site.

2) What URL is being requested when it tries to access that outside web server? There is a web server running at that address but I haven't been able to get any useful web pages from it, just error pages (see below, where the green is what I typed, the blue is the response from the server).

...

The fact that the server identifies itself as "AkamaiGHost" (above) makes it seem like it might be an Apple-operated server - Apple often uses Akamai for distributed load balancing.


I have noticed this myself. Past egress attempts were also a qwest address, with the server ID-ing itself as an 'AkamaiGHost'.

Running the AirPort Base Station Agent (APBSA) will kick the "phoning home" process, but it also happens randomly too. Odd.

Just tonight (and the reason I am piping in... found this thread via Goog), Little Snitch popped up out of nowhere, this time the APBSA query IP was 128.241.220.87. Reverse lookup returned nada on my current DNS server, yet the IP is listed as an NTT America Inc address (NTT.NET). Telnet session reveals yet another 'AkamaiGHost'.

Have not sniffed the outbound request yet.

Makes me wonder if the APBS Extreme itself attempts to "phone mum up" as well. Ours functions just as an AP, though we were testing it as a file server for non sensitive docs (not impressed, even if the setup is painless... the file server aspect of it "burped" way too often, requiring a reset -even with the newest firmware).

Not that it does, but something about the thought of the Extreme (as file server) also querying an unknown IP makes me a little uncomfortable. Glad that we blocked outbound traffic from it upon initial setup.
heimerwisen is offline   Reply With Quote
Old 10-19-2007, 11:13 AM   #6
mchugh24
Prospect
 
Join Date: Mar 2007
Posts: 13
I guess it's reassuring that someone else has noticed this. Is there a chance that Little Snitch associates the port that is making the request with the APBSA, but in reality it is another (shady) program?

Hayne--I don't know how to check what URL is being requested when it tries to access that outside web server. Ethereal?
mchugh24 is offline   Reply With Quote
Old 10-19-2007, 11:33 AM   #7
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,935
One interesting thing to try would be to look at the strings that are embedded in the AirPort Base Station Agent executable and see if those indicate more about what & why it is doing.

You can extract the strings from an executable with the Unix-level command 'strings'
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Old 10-19-2007, 11:36 AM   #8
bramley
MVP
 
Join Date: Apr 2004
Location: Cumbria, UK
Posts: 2,461
I see that the Airport Utility preferences has a 'check for updates' option. Perhaps that's what's going on. The agent is 'phoning home' to see if there's an update. Maybe turning off the 'check for updates' option will cause the LS messages to stop.
bramley is offline   Reply With Quote
Old 10-21-2007, 08:19 PM   #9
heimerwisen
Prospect
 
Join Date: Oct 2007
Posts: 2
Quote:
Originally Posted by bramley
I see that the Airport Utility preferences has a 'check for updates' option. Perhaps that's what's going on. The agent is 'phoning home' to see if there's an update. Maybe turning off the 'check for updates' option will cause the LS messages to stop.

It does! (thanks bramley). Duh. Hadn't even crossed my mind to look since Apple apps traditionally rely on the Software Update engine (other than iTunes). Wonder why they went with default (self)autochecking for this app?

AirPort Utility -> Preferences... has two checkboxes related to updates. Unchecking eliminates egress.

Still wonder if the APBS Extreme itself phones home.
heimerwisen is offline   Reply With Quote
Old 10-19-2007, 01:21 PM   #10
Las_Vegas
League Commissioner
 
Join Date: Sep 2004
Location: Las Vegas
Posts: 5,875
216-207-67-137.dia.static.qwest.net - This could be the DNS address of your own modem. Is your IP address 216.207.67.137?

Check it here: http://www.whatsmyipaddress.com/
__________________
Las_Vegas

-- Ts'i mahnu uterna ot twan ot geifur hingts uto.
-- Sometimes I wonder… Why is that Frisbee getting Larger? …and then it hits me.
-- Disposable thumbs make me specialer than most animals…
Las_Vegas is offline   Reply With Quote
Old 10-19-2007, 06:03 PM   #11
mchugh24
Prospect
 
Join Date: Mar 2007
Posts: 13
Las_Vegas: Thanks but that is not my modem or router's IP address.

hayne: Partial (hopefully relevant) strings result posted below. I deleted some Little Snitch rules and ran Check for updates... from the Airport Utility. Little Snitch opened but correctly said that Airport Utility (not the Base Station) wants to connect (different IP). Maybe the check for SW update is initiated from AirPort Utility and the check for a firmware update is initiated from the Base Station App???

Partial output of sudo strings -a AirPort\ Base\ Station\ Agent: My thought is maybe the apple address shown below redirects to the Akamai server?

Code:
web.apple.com
%s %s %s
%s: %V
http://
HTTP/1.1
Host
close
Connection
Content-Length
raMA
monitorProblems
%kO:bool
syFl
deviceInfo
apupdate://update
{%kO=%O}
%kO:utf8
apconfig://assist?address=%s&macaddr=%s
monitorUpdatesInterval
monitorUpdatesLastTime
http://apsu.apple.com/version.xml.signature
http://apsu.apple.com/version.xml
http://apfw.apple.com/~apsu/version.xml.signature
http://apfw.apple.com/~apsu/version.xml
firmwareUpdates
syAP
syVs
%kO:vers
productID
version
updateInfo
{%kO=%O%kO=%O}
monitorUpdates
mchugh24 is offline   Reply With Quote
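An added example (not part of any post in this thread, and not Apple's code): a shell triage of the `strings` listing from post #11 that separates hosts inside http URLs, bare hostnames, custom URL schemes, and URLs that have a `.signature` sibling in the same listing. The function names are made up for illustration, and an embedded string shows only what the binary could contact, not what it did contact.

```sh
# Added example, not from the thread. SAMPLE is a subset of the strings
# listing posted above, copied as posted.
SAMPLE='web.apple.com
http://
HTTP/1.1
apupdate://update
apconfig://assist?address=%s&macaddr=%s
http://apsu.apple.com/version.xml.signature
http://apsu.apple.com/version.xml
http://apfw.apple.com/~apsu/version.xml.signature
http://apfw.apple.com/~apsu/version.xml
firmwareUpdates'

# Distinct hosts that appear inside complete http(s) URLs.
url_hosts() {
    grep -Eo 'https?://[A-Za-z0-9.-]+' | sed -E 's#^https?://##' | sort -u
}

# Lines that are nothing but a DNS-style name (for example web.apple.com).
bare_hosts() {
    grep -E '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$' | sort -u
}

# Non-http URL schemes found at the start of a line.
custom_schemes() {
    grep -Eo '^[a-z][a-z0-9+.-]*://' | grep -Ev '^https?://' | sed 's#://$##' | sort -u
}

# URLs that have a ".signature" sibling in the same listing.
signed_urls() {
    urls=$(grep -E '^https?://[^/]+/' || true)
    printf '%s\n' "$urls" | while read -r u; do
        if printf '%s\n' "$urls" | grep -qxF "$u.signature"; then
            printf '%s\n' "$u"
        fi
    done
}

printf 'URL hosts:\n%s\n' "$(printf '%s\n' "$SAMPLE" | url_hosts)"
printf 'Bare hosts:\n%s\n' "$(printf '%s\n' "$SAMPLE" | bare_hosts)"
printf 'Custom schemes:\n%s\n' "$(printf '%s\n' "$SAMPLE" | custom_schemes)"
printf 'Signed manifests:\n%s\n' "$(printf '%s\n' "$SAMPLE" | signed_urls)"
```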
Old 10-19-2007, 09:57 PM   #12
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,935
Code:
% host apsu.apple.com
apsu.apple.com is an alias for apsu.apple.com.edgesuite.net.
apsu.apple.com.edgesuite.net is an alias for a1376.g.akamai.net.
a1376.g.akamai.net has address 209.170.79.224
a1376.g.akamai.net has address 209.170.79.223
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Old 10-19-2007, 10:49 PM   #13
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,549
I get

Code:
% host apsu.apple.com
apsu.apple.com          CNAME   apsu.apple.com.edgesuite.net
apsu.apple.com.edgesuite.net    CNAME   a1376.g.akamai.net
a1376.g.akamai.net      A       204.0.3.74
a1376.g.akamai.net      A       204.0.3.72
% dig apsu.apple.com

; <<>> DiG 9.3.4 <<>> apsu.apple.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20274
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 8, ADDITIONAL: 8

;; QUESTION SECTION:
;apsu.apple.com.                        IN      A

;; ANSWER SECTION:
apsu.apple.com.         1748    IN      CNAME   apsu.apple.com.edgesuite.net.
apsu.apple.com.edgesuite.net. 4444 IN   CNAME   a1376.g.akamai.net.
a1376.g.akamai.net.     20      IN      A       204.0.3.121
a1376.g.akamai.net.     20      IN      A       204.0.3.130

;; AUTHORITY SECTION:
g.akamai.net.           223     IN      NS      n1g.akamai.net.
g.akamai.net.           223     IN      NS      n3g.akamai.net.
g.akamai.net.           223     IN      NS      n6g.akamai.net.
g.akamai.net.           223     IN      NS      n7g.akamai.net.
g.akamai.net.           223     IN      NS      n4g.akamai.net.
g.akamai.net.           223     IN      NS      n0g.akamai.net.
g.akamai.net.           223     IN      NS      n8g.akamai.net.
g.akamai.net.           223     IN      NS      n2g.akamai.net.

;; ADDITIONAL SECTION:
n7g.akamai.net.         206     IN      A       64.215.170.198
n8g.akamai.net.         121     IN      A       80.12.192.7
n3g.akamai.net.         174     IN      A       64.215.170.189
n4g.akamai.net.         372     IN      A       64.215.170.205
n0g.akamai.net.         360     IN      A       80.12.192.70
n2g.akamai.net.         45      IN      A       64.215.170.204
n1g.akamai.net.         31      IN      A       80.12.192.70
n6g.akamai.net.         229     IN      A       64.215.170.198

;; Query time: 68 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Oct 19 21:46:24 2007
;; MSG SIZE  rcvd: 407

Notice that my IP addresses are different. I suspect that this might be different depending on where you are, as Akamai uses some very fancy load-balancing algorithm.

So this doesn't rule out http://apsu.apple.com showing as 216.207.67.137 in mchugh24's area.

Trevor
trevor is offline   Reply With Quote
Old 10-20-2007, 08:10 AM   #14
mchugh24
Prospect
 
Join Date: Mar 2007
Posts: 13
I get:

Code:
host apsu.apple.com
apsu.apple.com is an alias for apsu.apple.com.edgesuite.net.
apsu.apple.com.edgesuite.net is an alias for a1376.g.akamai.net.
a1376.g.akamai.net has address 216.151.132.11
a1376.g.akamai.net has address 216.151.132.40

So it's not the exact same, but it looks like they use a variety of IP addresses.

Thanks to everyone for the help.
mchugh24 is offline   Reply With Quote
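An added example, not part of any post: the three `host apsu.apple.com` results posted above (hayne, trevor, mchugh24) parsed from both output styles, showing that the CNAME chain ends at the same name from every vantage point while the A records have nothing in common. Function and variable names are illustrative.

```sh
# Added example. Inputs are the `host apsu.apple.com` results posted in
# this thread, copied as posted (two different output styles).
HAYNE='apsu.apple.com is an alias for apsu.apple.com.edgesuite.net.
apsu.apple.com.edgesuite.net is an alias for a1376.g.akamai.net.
a1376.g.akamai.net has address 209.170.79.224
a1376.g.akamai.net has address 209.170.79.223'
TREVOR='apsu.apple.com          CNAME   apsu.apple.com.edgesuite.net
apsu.apple.com.edgesuite.net    CNAME   a1376.g.akamai.net
a1376.g.akamai.net      A       204.0.3.74
a1376.g.akamai.net      A       204.0.3.72'
MCHUGH='apsu.apple.com is an alias for apsu.apple.com.edgesuite.net.
apsu.apple.com.edgesuite.net is an alias for a1376.g.akamai.net.
a1376.g.akamai.net has address 216.151.132.11
a1376.g.akamai.net has address 216.151.132.40'

# Normalise either output style to "name TYPE value" records.
normalize() {
    awk '
        / is an alias for / { sub(/\.$/, "", $6); print $1, "CNAME", $6; next }
        / has address /     { print $1, "A", $4; next }
        $2 == "CNAME" || $2 == "A" { sub(/\.$/, "", $3); print $1, $2, $3 }'
}

# Follow the CNAME chain from query name $1 (hop limit guards against loops).
canonical() {
    normalize | awk -v q="$1" '
        $2 == "CNAME" { c[$1] = $3 }
        END { for (i = 0; i < 8 && (q in c); i++) q = c[q]; print q }'
}

# List the A records, one per line, sorted and de-duplicated.
addresses() {
    normalize | awk '$2 == "A" { print $3 }' | sort -u
}

# Count the addresses that two resolutions have in common.
shared_addresses() {
    a=$(printf '%s\n' "$1" | addresses)
    b=$(printf '%s\n' "$2" | addresses)
    printf '%s\n%s\n' "$a" "$b" | sort | uniq -d | wc -l | tr -d ' '
}

for who in "$HAYNE" "$TREVOR" "$MCHUGH"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$who" | canonical apsu.apple.com)" \
        "$(printf '%s\n' "$who" | addresses | tr '\n' ' ')"
done
```

A connection prompt that shows only an IP address is therefore easier to attribute by the hostname or CNAME target behind it than by the address itself.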