Is this IP safe to allow to connect to Svchost?

This IP was trying to connect to svchost.exe

I have had attempted connections to svchost in the past, what should I do when this happens?

Use brain.exe :wink:
When you dont know the host/IP that trys to establish a connection to your PC then dont allow it.
If it´s something important, that will sooner or later not work anymore since you blocked it, you will see.

Btw: use this and you will find out the host of the IP.

I was a little vague in my post, I was up for 24 hours when I posted that, so I was a little tired. I did look it up before posting. Team Cymru is the organization that IP is connected to. Team Cymru is a specialized Internet security research firm. is apart of that as well. I am unsure if this is has ties to my Cable ISP trying to communicate with my computer. I have seen that URL before, so I am not sure what to do.
I have Brighthouse Networks, my cable ISP.

You can allow it.
That’s for Windows time sync. It follows you region.(those servers can be different)
It may try to connect to port:123. That’s for the Network Time Protocol.
What we call? NTP.
But you may have a question ‘why do they do it?’.
Because that’s one of project for internet time sync.
It’s a legimate.
You can find some informations from MS.
Or visit following links and read.

Don’t worry about it. You are safe.

kyle@kyle-desktop:~$ whois

OrgName: PSINet, Inc.
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US

ReferralServer: rwhois://

NetRange: -
NetHandle: NET-38-0-0-0-1
NetType: Direct Allocation
NameServer: NS.PSI.NET
NameServer: NS2.PSI.NET
Comment: Reassignment information for this block can be found at
Comment: 4321
RegDate: 1991-04-16
Updated: 2005-10-05

RTechName: IP Allocation
RTechPhone: +1-877-875-4311

OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311

OrgNOCHandle: ZC108-ARIN
OrgNOCName: Cogent Communications
OrgNOCPhone: +1-877-875-4311

OrgTechHandle: IPALL-ARIN
OrgTechName: IP Allocation
OrgTechPhone: +1-877-875-4311

ARIN WHOIS database, last updated 2009-12-23 20:00

Enter ? for additional hints on searching ARIN’s WHOIS database.

Found a referral to

%rwhois V-1.5:0010b0:00
network:Street-Address:10S325 Argonne Ridge Road
10S325 Aragonne Ridge Road
network:Org-Name:Team Cymru
network:Updated:2007-09-18 19:45:35
network:Updated-by:John Knowles



svchost must be blocked

AFAIK Windows time synchronization might require svchost.exe to carry an outbound connection to port 123 of configured NTP server (eg So in case of outbound svchost connections to port 123, if the destination IP is known to have a NTP server running it is likely to be a legitimate request.

On the other hand, IMHO Inbound connections to Svchost from an Internet IP (like should be better blocked even more if the Inbound connection targets ports 135,137,138,139, 445 or some other ports opened by potentially vulnerable (and often exploited) windows services

Hi Triplex,

I’m Dave of Team Cymru. Thanks for noticing our probes =)

As user Creasy has pointed out, what you’ve seen is a visit by our NTP probe. We’re constantly working to better understand the Internet as a whole. As a result, we sometimes do sweeping assessments of the public Internet. This scan isn’t looking for anything other listening, publicly accessible NTP servers.

While our scan isn’t malicious, we certainly encourage you to follow network security best practice and only allow traffic from known hosts on the Internet.

If you have any other questions, feel free to shoot me an IM, or mail us at team-cymru[at]


Safest bet is to set Svchost as outbound only.

I dont think so. Maybe only NTP and DNS (udp 53) for those who didnt disable the DNS service but no more. You can download updates for windows on their site

What’s up Dave.

I guess yall like me cause last night you “scanned” me 5 times in a duration of 10 minutes scanning 4 different ports.