Unexpected connections to an IP address located in Nigeria

M 20 Reputation points
2025-07-15T13:26:37.4766667+00:00

Hello everyone.

In the last few months we have seen over 400 direct connections to this IP address: 196.49.32.6, which is associated with the Internet Exchange Point of Nigeria (IXPN).

  • The URLs associated with the connections appear to be related to Microsoft and follow a pattern of:
    • 196.49.32.6/filestreamingservice/files/XXXXXX/XXXXX&cacheHostOrigin%3d9.tlu.dl.delivery.mp.microsoft.com
    • 196.49.32.6/filestreamingservice/files/XXXXX/pieceshash?cacheHostOrigin%3ddl.delivery.mp.microsoft.com
  • The logs for some of the connections show associated files, which also appear related to Microsoft:
    • Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__XXXXX.Appx
    • Microsoft.VCLibs.140.00_14.0.33519.0_x86__XXXXX.Appx
    • Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__XXXXX.Appx

Some of the connections show Microsoft Delivery Optimization as the UA.

It looks like the connections could be related to Microsoft updates being downloaded. However, I want to confirm whether the IP is in any way associated with Microsoft. The IP appears to be listed as a member of the IXPN (bgpview.io/ix/224).

Microsoft Delivery Optimization seems to be affected by the use of services which change/anonymise users' locations, such as VPNs or proxies.

Does anyone have any idea what could be causing these connections?

Thank you.

Microsoft Security | Microsoft Sentinel

Answer accepted by question author
  1. Konstantinos Lianos 205 Reputation points Student Ambassador
    2025-10-08T08:27:13.3966667+00:00

    Hello,

    The IP 196.49.32.6 belongs to the Internet Exchange Point of Nigeria (IXPN) and is legitimately used by Microsoft’s CDN for content delivery.

    The connections you see are caused by Microsoft Delivery Optimization, which downloads Windows and Store updates (e.g., .appx packages like .NET or VCLibs) from nearby CDN or peer sources.

    VPNs or proxies can redirect this traffic to IXPN nodes in other regions.

    It’s not malicious — it’s normal Windows update behavior.

    If you want to stop it, set Delivery Optimization → Download Mode = HTTP only so updates come only from Microsoft servers.

    Please check as resolved if this helps your issue.

    1 person found this answer helpful.
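
An added example, not part of the question or the accepted answer: a Python triage helper that checks proxy records for the three traits described in the thread (the `/filestreamingservice/files/` path, a `cacheHostOrigin` under `dl.delivery.mp.microsoft.com`, and the Delivery Optimization user agent). The record layout (`url`, `user_agent`), the verdict names and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

DO_PATH_PREFIX = "/filestreamingservice/files/"
DO_ORIGIN = "dl.delivery.mp.microsoft.com"
DO_UA = "microsoft delivery optimization"
ORIGIN_RE = re.compile(r"cacheHostOrigin=([^&\s/]+)", re.IGNORECASE)

def cache_host_origin(url):
    # The logged URLs percent-encode '=' (%3d) and may use '&' with no '?',
    # so decode first and match by regex instead of relying on parse_qs.
    m = ORIGIN_RE.search(unquote(url))
    return m.group(1).lower().rstrip(".") if m else None

def origin_is_do(host):
    # Exact host or a subdomain only: a bare endswith() would also accept
    # "evildl.delivery.mp.microsoft.com".
    return host is not None and (host == DO_ORIGIN or host.endswith("." + DO_ORIGIN))

def classify(record):
    """Return (verdict, signals) for a dict with 'url' and optional 'user_agent'."""
    url = record["url"]
    path = "/" + url.split("://", 1)[-1].partition("/")[2]
    ua = (record.get("user_agent") or "").replace("-", " ").lower()
    signals = {
        "path": path.startswith(DO_PATH_PREFIX),
        "origin": origin_is_do(cache_host_origin(url)),
        "user_agent": DO_UA in ua,
    }
    # The UA is not required: the post notes only some connections carry it.
    if signals["path"] and signals["origin"]:
        return "likely-do", signals
    return ("partial" if any(signals.values()) else "no-match"), signals

# Constructed sample records (hypothetical values, shaped like the post's URLs).
SAMPLE = [
    {"url": "196.49.32.6/filestreamingservice/files/aaaa/pieceshash"
            "?cacheHostOrigin%3ddl.delivery.mp.microsoft.com",
     "user_agent": "Microsoft Delivery Optimization"},
    {"url": "196.49.32.6/filestreamingservice/files/bbbb/cccc"
            "&cacheHostOrigin%3d9.tlu.dl.delivery.mp.microsoft.com"},
    {"url": "203.0.113.10/filestreamingservice/files/dddd/pieceshash"
            "?cacheHostOrigin%3ddl.delivery.mp.microsoft.com.example.net",
     "user_agent": "curl/8.0"},
    {"url": "198.51.100.7/index.html", "user_agent": "curl/8.0"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec)[0], rec["url"][:60])
```

All three fields are set by the client side of the request, so a match is a signal for grouping log entries during triage, not proof of what the remote host is.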
