Akamai is one of the myriad of hosts that provide edge caching technology on the interwebs.
When MS releases updates on patch Tuesday, where do those come from? The ISP and telecom companies that own and maintain the interweb backbone itself distribute those updates across the globe.
One of the edge caching technology providers is Hurricane Electric. Its an electric utility in California. Updates are served up based on load balancing networks on the interweb backbone. When people in NYC & San Fran look to get the latest critical updates to Java, millions of people simultaneously are not getting downloads from Oracle's servers.
The ISP or telecom providers having the network capacity cache those updates locally. Akamai is one company that provides that service.
Not much you can do about it since for the most part, SVCHost is the biggest offender. By default it lives in the Windows System Applicatoin file-group having Windows System Application predefined policy resource access permissions.
I've excised SVCHost into its own custom policy D+ rule-set. There are:
run executable: 17
process termination: 1
Device Driver Installation: 2
Protected Registry keys: 148
Protected files / folders: 89
The firewall rules for SVCHost comprise:
58 single / address range rules to port 80 or 443 or both
including 48 network zones to either port 80, 443 or both
The domain range owner for these IP or network zones comprise:
Bandcon / Akamai (bandcon owns the larger superset of domains within which Akamai operates)
Beyond the Network America
QWest (shared by SVCHost & jaucheck, ie., Java updater)
Level 3 (shared by CIS & SVCHost)
NTT America (shared by SVCHost & Adobe Reader)
QWest / Akamai (shared by CIS & SVCHost)
AKamaiTech (for Adobe ARM)
MS 1BLK (share ports 80/443)
MSECN.net (shares ports 80 / 443)
MSGlobal.net (SVCHost shares ports 80/443)
AkamaiTech (SVCHost shares ports 80/443)
AkamaiTech (Adobe ARM - port 443 only)
Level 3 (SVCHost / Adobe ARM - port 443 only)
MS1BLK (SVCHost port 443 only)
MS GFS (SVCHost port 443 only)
msecn.net (port 443 only)
TCP traffic by SVCHost to DNS (in addition to default UDP to DNS) on port 53
For the most part, SVCHost is fat dumb and happy (as am I); every one of those IP domain owners are the very companies that provide the interweb backbone itself.