
Anyone else having thousands of connection requests to "weather.service.msn.com" since today/yesterday?

Today I ran into a strange issue regarding Outlook 2013 and newer versions (Office 365).
A customer reported authentication issues with his SG330 when accessing web pages that require authentication. The users got a "proxy authentication required" message in their browsers.


As I wanted to check the live log, I didn't have 3 seconds before my browser window froze. The UTM was producing 10 times more logs for the web filter in 6 hours than yesterday. There were thousands of entries for "http://weather.service.msn.com/data.aspx?wealocations=&...", and I was able to take a screenshot where more than 50 requests were shown within 1 second. I don't know if that is responsible for the authentication problems, but it felt like an internal DoS against the web filter.
We disabled it via GPO in Outlook and for now, the requests stopped. We are monitoring the authentication issues now.

I checked the UTM of another customer and saw the same "mass requests" there until today. Before today, there were single requests, 160 or so over a day. Today there are more than 160 in a minute...



  • Had this morning exactly the same issue on SG330.

    We've got about 60000 log entries every minute for the weather.service.msn.com URL.

    Disabled weather function in Outlook group policies helped.

  • 2019:05:09-12:01:15 XXXXXXXX-1 httpproxy[1027]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="XXX.XXX.XXX.XXX" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaVisteViste2 (SSO)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2627" request="0x10df1000" url="weather.service.msn.com/data.aspx referer="" error="Host not found" authtime="0" dnstime="4" cattime="0" avscantime="0" fullreqtime="317" device="0" auth="2" ua="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0; Microsoft Outlook 16.0.11328; Microsoft Outlook 16.0.11328; ms-office; MSOffice 16)" exceptions="auth,content,url,ssl,fileextension"

  • Exactly the same messages. I will check the authentication issues again tomorrow but I could imagine that these massive requests have had a negative impact not only on the UTM (at least its CPU usage was higher than the last days) apart from filling up the log partition. The customer with the auth impacts uses AD-SSO with several backend groups. Maybe I can see an impact on the domain controllers for today, too - didn't think so far in the first moment... Only suppressing the log entries will save storage space, but the UTM still gets triggered with the requests. Switch uplinks, maybe the DCs, there are many places where the additional work and traffic can have an impact. So I think the GPO will be the best way to keep the whole network cleaner. The article about Microsoft disabling the API in 2016 was the first I found tomorrow, but I cannot get any idea how that should change the behaviour on the Office client by itself 3 years later... the Citrix servers that were involved have automatic updates on manual mode and no patchday this week, same for O365 updates, which is still build 19-01. But for the moment it is good to know that we are not alone with that "feature"... :-)

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
