jisusaiche: Java's installer telemetry
Beginning with Java JRE 8u211, the online Windows installer appears to generate a prolific amount of traffic not seen in previous versions. In my environment, it attempted to contact the following hosts:
In web operations parlance, "RUM" generally indicates a realtime user monitoring service. Indeed, Oracle's Dyn offers such a mechanism that's been implemented in the Java installer. Aside from being noisy on the wire, most of this is harmless; the installer is interacting with multiple download mirrors to see which one might perform the best. But several of the hostnames contained what appeared to be unique identifiers, and that's enough for me to sinkhole all of rum.dynapis.(com|info) in DNS.
I'm less clear on what "jisusaiche" represents — perhaps jisusaiche Christ that's a lot of telemetry! — or what data is being transmitted to those hosts, but they've earned a spot in the firewall, too.
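To check whether clients are still asking for these names, the sketch below (an added example, not part of the original post) flags resolver log entries for the two sinkholed zones and for any name carrying the jisusaiche label, matching on DNS label boundaries rather than substrings. The four-field log format, the constant names and every sample line are constructed assumptions.

```python
# Added example: the log format and all sample lines below are constructed.
SINKHOLE_ZONES = ("rum.dynapis.com", "rum.dynapis.info")  # zones named in the post
WATCH_LABEL = "jisusaiche"  # name the post saw across several CDN domains

SAMPLE_LOG = """\
2019-04-20T10:01:02Z 10.0.0.15 A constructed-id.beacon.rum.dynapis.info.
2019-04-20T10:01:02Z 10.0.0.15 A Mirror-1.RUM.dynapis.com
2019-04-20T10:01:03Z 10.0.0.15 A notrum.dynapis.com
2019-04-20T10:01:03Z 10.0.0.15 A rum.dynapis.com.example.net
2019-04-20T10:01:04Z 10.0.0.15 A jisusaiche-0000.cdn.example.net
2019-04-20T10:01:05Z 10.0.0.15 A javadl.oracle.com
"""

def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()

def in_zone(qname, zone):
    """True if qname is the zone apex or a subdomain, on a label boundary."""
    return qname == zone or qname.endswith("." + zone)

def classify(qname):
    """Return 'sinkhole', 'watch' or None for one queried name."""
    name = normalize(qname)
    if any(in_zone(name, z) for z in SINKHOLE_ZONES):
        return "sinkhole"
    # These names sit under third-party CDN zones, so inspect each label instead.
    if any(WATCH_LABEL in label for label in name.split(".")):
        return "watch"
    return None

def scan(log_text):
    """Return (client, qname, verdict) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, _, qname = fields
        verdict = classify(qname)
        if verdict:
            hits.append((client, normalize(qname), verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The two near-miss lines (`notrum.dynapis.com` and `rum.dynapis.com.example.net`) are not flagged, which is the behaviour a sinkhole rule needs to avoid catching unrelated names.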
I think I'll be using the offline Java installer from now on. That comes directly from javadl.oracle.com and doesn't generate a bunch of dubious network traffic in the background.