I’ve had a bit more time on my hands lately, and I’d been noticing some unusual traffic being caught by my FortiGate on ports 80 and 443 (normal Web traffic ports). My home network is pretty locked down with rules for traffic coming in and traffic going out, so I have a pretty good sense of what is supposed to be there, what’s not, and when something new happens.
I started seeing traffic going out to addresses in 220.127.116.11/23 and 18.104.22.168/24. These two network blocks belong to SoftLayer, and are innocuous enough by themselves, but as I started to dig into the traffic I noticed that the connections weren’t going to normal web sites…
… the data being passed was, as the sites would euphemistically call it, developer analytics, but a better name might be spy traffic. In short, there are applications (seemingly many) that want to call home with a little blurb about what you’re doing so someone can analyze that data for whatever intelligence purposes they have in mind. In general, this sort of thing doesn’t bother me if the application asks, and allows me to opt-in or opt-out. However, since I don’t recall being asked anything lately, and since this only started happening recently, it seems that a couple things I have are just built that way.
So far, I’ve detected keen.io (22.214.171.124/23) mostly using their main domain of api.keen.io, and BlueKai Analytics (126.96.36.199/24). I definitely have something that desperately wants to pass info to them on a regular basis.
Needless to say, there’s a rule in place now that will cut that crap out.