TMG Flood mitigation triggered by connections to *.drip.trouter.io

Hi,

We're frequently seeing alerts like "The number of TCP connections per minute from a specific source IP address exceeded the configured limit". Since our users connect to the proxy from Remote Desktop Servers (Citrix), I've already added those IPs to the Flood mitigation exceptions list and upped the threshold for exceptions.

After investigating a few of these alerts I'm seeing an extremely large number (over 10,000 per minute) of SSL connections to hosts in the drip.trouter.io domain (e.g. 193-149-88-182.drip.trouter.io). This domain seems to belong to Microsoft; does anyone know what is triggering these connections and why? It seems like an unnecessary strain on the TMG servers.

Best regards,

Enrico Klein 

November 14th, 2013 3:35pm

Hi,

You can try to capture the packets which go to 193.149.88.182 and check the type of the packets. I think we can analyse the packets via Network Monitor.

Best Regards

Quan Gu

November 18th, 2013 5:22am

Hi! Just curious if this domain has resolution as to what it is. The traffic is SSL port 8080.

Thanks!

January 7th, 2014 3:33pm

We are seeing the same thing: lots of SSL traffic to port 443. What is this domain used for? To which Microsoft application is this related?
January 8th, 2014 11:32am

OK, I've found some more info on the trouter.io domain. It seems this is used for a web notification service called Trouter, developed by Jacek Korycki from the Skype division. It is described in detail in this patent.

This kind of startled me because we block Skype from being used on our workstations. It seems however that Trouter is also used on outlook.com and live.com.

I think what we are seeing is a large amount of polling going on to trouter.io hosts. The size of these polling requests is 39 bytes. Only very rarely do we see the start of a Trouter session via https://go.trouter.io/ and messages that carry actual data (larger than 39 bytes).

January 13th, 2014 6:58am
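A small triage script to check the pattern described in this thread against your own proxy logs: it buckets connections per source IP per minute, applies a higher threshold to sources on an exceptions list (as TMG's flood mitigation does), and for each source over its limit reports the dominant parent domain and how many requests were at or below the 39-byte polling size. This is an added example, not code from the thread or from Microsoft; the log lines and their field layout are constructed for the example and are not TMG's actual log format, so adapt the parsing to your export.

```python
from collections import Counter, defaultdict

# Constructed sample proxy log lines for this example (not real TMG output).
# Fields: date time source-IP destination-host destination-port bytes-sent
SAMPLE_LOG = """\
2014-01-13 06:50:01 10.1.1.5 193-149-88-182.drip.trouter.io 443 39
2014-01-13 06:50:01 10.1.1.5 193-149-88-182.drip.trouter.io 443 39
2014-01-13 06:50:02 10.1.1.5 193-149-88-182.drip.trouter.io 443 39
2014-01-13 06:50:02 10.1.1.5 go.trouter.io 443 512
2014-01-13 06:50:05 10.1.1.5 www.example.com 443 1200
2014-01-13 06:50:07 10.1.1.6 193-149-88-183.drip.trouter.io 8080 39
2014-01-13 06:51:00 10.1.1.5 193-149-88-182.drip.trouter.io 443 39
"""

def parent_domain(host):
    """Drop the leftmost label so per-host names such as
    193-149-88-182.drip.trouter.io collapse to drip.trouter.io."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host.lower()

def triage(log_text, limit, exceptions=(), exception_limit=None, poll_bytes=39):
    """Return {(minute, src): info} for each source over its per-minute limit.
    Sources in `exceptions` get `exception_limit` (default 5x `limit`), the
    same two-threshold scheme as TMG's flood mitigation settings."""
    if exception_limit is None:
        exception_limit = limit * 5
    counts, polls = Counter(), Counter()
    domains = defaultdict(Counter)
    for line in log_text.splitlines():
        date, time, src, host, port, nbytes = line.split()
        key = (date + " " + time[:5], src)        # bucket by minute and source
        counts[key] += 1
        domains[key][parent_domain(host)] += 1
        if int(nbytes) <= poll_bytes:             # tiny request = likely a poll
            polls[key] += 1
    report = {}
    for key, n in counts.items():
        cap = exception_limit if key[1] in exceptions else limit
        if n > cap:
            top_domain, top_n = domains[key].most_common(1)[0]
            report[key] = {"count": n, "top": top_domain,
                           "top_count": top_n, "polls": polls[key]}
    return report

if __name__ == "__main__":
    for (minute, src), info in sorted(triage(SAMPLE_LOG, limit=2).items()):
        print(f"{minute} {src}: {info['count']} connections, {info['top_count']} "
              f"to {info['top']}, {info['polls']} requests <= 39 bytes")
```

With a real export, compare the reported `top` domain against the `*.drip.trouter.io` pattern before deciding whether to raise the threshold or treat the source as a problem host.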

