The thing is, "205.185.216.42" is currently in our blacklist, so these log lines trigger the IPS. I don't know how to read them:
1239879844.243 2129 192.168.0.1 TCP_MISS/403 337 HEAD http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b5faeacb-5da7-4c5a-8ebb-5c419d82781f? - HIER_DIRECT/205.185.216.42
1239879844.243 2729 192.168.0.2 TCP_TUNNEL/200 106460 CONNECT hwcdnssl.cedexis-test.com:443 - HIER_DIRECT/205.185.216.42 -
1239879844.243 1578 192.168.0.3 TCP_MISS/200 1317 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_DIRECT/192.35.177.64 application/x-pkcs7-mime
1239879844.243 1581 192.168.0.4 TCP_TUNNEL/200 87268 CONNECT script.hotjar.com:443 - HIER_DIRECT/205.185.216.42 -
I don't understand why all these connection logs include HIER_DIRECT/205.185.216.42. Does it mean they are on one host? Does Microsoft have their update server on one host along with hotjar.com? The Squid log manual says that HIER_DIRECT means "The object was fetched from the origin server".
Please help
You may be blocking 205.185.216.42, but unless you're doing ssl_bump (docs) those connections will be tunnelled and squid may allow them to pass in their https format, as indicated by the log lines:
TCP_TUNNEL/200
The first entry did appear to get blocked as it returned:
TCP_MISS/403
and 403 = Access Denied.
Now what's in common with all those IP addresses being the same is the Content Delivery Network which appears to host them, hwcdn.net:
$ host script.hotjar.com
script.hotjar.com is an alias for cds.x9r8d8c9.hwcdn.net.
cds.x9r8d8c9.hwcdn.net has address 205.185.216.10
cds.x9r8d8c9.hwcdn.net has address 205.185.216.42
$ host hwcdnssl.cedexis-test.com
hwcdnssl.cedexis-test.com is an alias for cds.x9n3c7e4.hwcdn.net.
cds.x9n3c7e4.hwcdn.net has address 205.185.216.42
$ host tlu.dl.delivery.mp.microsoft.com
tlu.dl.delivery.mp.microsoft.com is an alias for 2-01-3cf7-000d.cdx.cedexis.net.
2-01-3cf7-000d.cdx.cedexis.net is an alias for cds.f7y3z2w8.hwcdn.net.
cds.f7y3z2w8.hwcdn.net has address 205.185.216.10
cds.f7y3z2w8.hwcdn.net has address 205.185.216.42
cds.x9n3c7e4.hwcdn.net has address 205.185.216.10
I have those entries marked as 'bad' in several firewalls and hosts and they are blocked. As to why your clients are hitting the addresses, I'd look for any malware or viruses on the hosts, and if it's not that then there is something else in common with your clients all fetching data from those domains. (Maybe they're loading some js or other CDN hosted content.)
To dig deeper you would need to capture some traffic from a client and examine the payloads, but do check for malware/viruses/etc before you start digging too much as it may save you some time!
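Added example (not code from the question or the answer above): a small Python parser for native-format Squid access.log lines that records which peer each request went to, whether that peer is on the blacklist, and whether the request was actually denied (403), passed through as an opaque CONNECT tunnel, or fetched. The sample lines and the blacklist set are constructed from the ones in the question; grouping requested hostnames by peer IP makes the CDN sharing the answer describes visible.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid native access.log layout (same field order as the
# question): time elapsed client action/status bytes method url ident hierarchy/peer [type]
SAMPLE_LOG = """\
1239879844.243 2129 192.168.0.1 TCP_MISS/403 337 HEAD http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b5faeacb? - HIER_DIRECT/205.185.216.42
1239879844.243 2729 192.168.0.2 TCP_TUNNEL/200 106460 CONNECT hwcdnssl.cedexis-test.com:443 - HIER_DIRECT/205.185.216.42 -
1239879844.243 1578 192.168.0.3 TCP_MISS/200 1317 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_DIRECT/192.35.177.64 application/x-pkcs7-mime
1239879844.243 1581 192.168.0.4 TCP_TUNNEL/200 87268 CONNECT script.hotjar.com:443 - HIER_DIRECT/205.185.216.42 -
"""
BLACKLIST = {"205.185.216.42"}  # the peer IP the question is about

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)(?:\s+(?P<ctype>\S+))?\s*$"
)

def dest_host(method, url):
    """Hostname the client asked for; CONNECT carries host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def verdict(action, status, method):
    """What squid actually did with the request, read from the result codes."""
    if status == 403:
        return "denied"     # squid refused it (http_access deny)
    if action == "TCP_TUNNEL" or method == "CONNECT":
        return "tunneled"   # opaque TLS pass-through; no URL filtering without ssl_bump
    return "fetched"

def audit(log_text, blacklist):
    """One record per native-format line: requested host, serving peer, and outcome."""
    out = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        f = m.groupdict()
        out.append({"client": f["client"], "host": dest_host(f["method"], f["url"]),
                    "peer": f["peer"], "blacklisted": f["peer"] in blacklist,
                    "verdict": verdict(f["action"], int(f["status"]), f["method"])})
    return out

def hosts_per_peer(records):
    """Group requested hostnames by the peer IP squid connected to (CDN sharing)."""
    groups = defaultdict(set)
    for r in records:
        groups[r["peer"]].add(r["host"])
    return dict(groups)
```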