From a fresh reboot I entered netstat -an | more
in a terminal shell and located a foreign ip address 99.86.32.24
from netstat's output connected to my system over port 443
. I've opted out of sending diagnostic reports to cannonical telemetry servers,
yet I am connected to cannonical and amazon aws, why?
Here's the output of the whois command with the amazon ip passed as a argument:
NetRange: 99.85.128.0 - 99.87.191.255
CIDR: 99.85.128.0/17, 99.87.128.0/18, 99.86.0.0/16, 99.87.0.0/17
NetName: AMAZO-4
NetHandle: NET-99-85-128-0-1
Parent: NET99 (NET-99-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS16509
Organization: Amazon.com, Inc. (AMAZO-4)
RegDate: 2018-01-10
Updated: 2018-01-11
Ref: https://rdap.arin.net/registry/ip/99.85.128.0
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Inc.
Address: P.O. Box 81226
City: Seattle
StateProv: WA
PostalCode: 98108-1226
Country: US
RegDate: 2005-09-29
Updated: 2020-04-07
Comment: For details of this service please see
Comment: http://ec2.amazonaws.com
Ref: https://rdap.arin.net/registry/entity/AMAZO-4
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/ANO24-ARIN
OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-4064
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/AANO1-ARIN
OrgRoutingHandle: ADR29-ARIN
OrgRoutingName: AWS Dogfish Routing
OrgRoutingPhone: +1-206-266-4064
OrgRoutingEmail: [email protected]
OrgRoutingRef: https://rdap.arin.net/registry/entity/ADR29-ARIN
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/AEA8-ARIN
OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName: IP Routing
OrgRoutingPhone: +1-206-266-4064
OrgRoutingEmail: [email protected]
OrgRoutingRef: https://rdap.arin.net/registry/entity/IPROU3-ARIN
My overall question here is why would ubuntu be connected to any other remote server if I have opted out from sending telemetry data? Is there a reason for this/these connections? Or should I be paranoid?
Canonical hosts some content and update mirrors in AWS. That's likely all you're seeing here.
Since you asked, personally, I would be paranoid and block it with iptables and keep and eye out for its re-appearance. And of course be aware if it impacts any service necessary to operating your system. If so, please report it back here. These days, if you're not paranoid, you're crazy.
Use the hint in the notes above to determine what apps are involved to get started in your investigation.
In fact, I found this question while searching for "dogfish routing" because I have found questionable traffic coming from another netblock 54.64.0.0/13 AMAZON-2011L that contains the same string.
see also: Why Lubuntu 18.04 calls Amazon servers? (motd.ubuntu.com)