I have found several IP addresses coming from “MICROSOFT-CORP-MSN-AS-BLOCK” org. They seem to be coming from foreign countries and I will find them in svchost & Windows app processes. Does anyone know what this is? I even checked with Microsoft support to see if my included Windows is part of any enterprise domain and they confirmed not.
Hosts from what “foreign countries” are you seeing? svchost/Host Process for Windows Services talks to a bunch of different hosts/servers, the vast majority being from Microsoft. You may also see non-Microsoft servers if you have software installed that runs its traffic via the process.
You can also sometimes see small amounts of traffic with random hosts which usually contain “ocsp” in the hostname. That’s normal, as Windows checks with these servers if a certain digital certificate (for example one that verifies who published a piece of software) has been revoked.
I have seen these ones mostly coming from UK & Japan. Primarily MicrosoftWindows.Client.CBS & Xbox Game Bar is where I have seen these. A few times from India as well. I’ve been periodically looking into this to see what the heck “MSN-AS-BLOCK” actually means, but haven’t found a clear answer yet.
I should ask if this is normal or someone attempting to connect through these Windows processes for nefarious reasons. What raises my suspicion is that I’ll typically see them appear after connecting to P2P sites like Twitch or certain online games.
MSN-AS-BLOCK is most likely a Microsoft thing, you may have heard of MSN before.
Twitch isn’t a P2P program; some online games might be, though. Some games use a service called “Teredo”, which may indeed show up with Microsoft IPs, but generally won’t use Client.CBS or the Game Bar for this traffic.
How are you seeing these hosts exactly? Do the IPs show up or does it literally say “MSN-AS-BLOCK” in the field?
These processes usually talk to Microsoft services, so that part isn’t concerning. However, it should be checked whether these are actually Microsoft IPs.
Could you post an example IP address?
If you look up a related IP address you may find an associated AS number, for “Autonomous System”.
An Autonomous System (AS) is a group of IP networks run by one or more network operators with a single, clearly defined routing policy.
When exchanging exterior routing information, each AS is identified by a unique number: the Autonomous System Number (ASN). An AS is also sometimes referred to as a routing domain.
I’m guessing that “MSN-AS-BLOCK” is an assigned block of numbers associated with MSN and a particular AS number. It’s internet infrastructure jargon. Google it…
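Added example, not part of any post in this thread: one way to carry out the check suggested above, mapping each remote address to its originating AS by longest-prefix match and labelling anything outside the expected AS. The prefix table, AS numbers, connection list and the `EXAMPLE-HOSTING` name are constructed from reserved documentation ranges and are assumptions, not real Microsoft allocations.

```python
import ipaddress

# Constructed prefix-to-origin table, shaped like a whois/BGP export.
# Prefixes and AS numbers are reserved documentation values, not real
# Microsoft allocations; the AS name is the string quoted in the thread.
PREFIX_TABLE = [
    ("198.51.100.0/24", 64496, "MICROSOFT-CORP-MSN-AS-BLOCK"),
    ("203.0.113.0/24", 64497, "EXAMPLE-HOSTING"),
    ("203.0.113.128/25", 64496, "MICROSOFT-CORP-MSN-AS-BLOCK"),
    ("2001:db8:100::/48", 64496, "MICROSOFT-CORP-MSN-AS-BLOCK"),
]

# Constructed (process, remote address) pairs, as a connection monitor shows them.
CONNECTIONS = [
    ("svchost", "198.51.100.23"),
    ("Xbox Game Bar", "203.0.113.200"),
    ("svchost", "203.0.113.17"),
    ("MicrosoftWindows.Client.CBS", "2001:db8:100::5"),
    ("svchost", "192.0.2.44"),
]

def build_table(rows):
    """Parse prefixes and order them most-specific first."""
    table = [(ipaddress.ip_network(p), asn, name) for p, asn, name in rows]
    return sorted(table, key=lambda row: row[0].prefixlen, reverse=True)

def origin_of(addr, table):
    """Return (asn, as_name) of the longest matching prefix, or None."""
    ip = ipaddress.ip_address(addr)
    for net, asn, name in table:
        if ip.version == net.version and ip in net:
            return asn, name
    return None

def review(connections, table, expected_asns):
    """Label each connection: expected AS, unexpected AS, or no origin found."""
    findings = []
    for proc, addr in connections:
        hit = origin_of(addr, table)
        if hit is None:
            verdict = "unknown"
        else:
            verdict = "expected" if hit[0] in expected_asns else "unexpected"
        findings.append((proc, addr, hit[0] if hit else None, verdict))
    return findings

if __name__ == "__main__":
    for row in review(CONNECTIONS, build_table(PREFIX_TABLE), {64496}):
        print(row)
```

In practice the table rows would come from a whois/RDAP lookup or a routing-table export for the addresses you actually observe.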