question about legit google connections, chrome-unstable


Alex fxmbsw7 Ratchev

Mar 30, 2022, 2:07:40 PM
to Chromium-discuss
I've seen, on another user's system, suspicious, badly configured SSL connections from a hacker, in Firefox,
so I checked mine.

It again lists some weird domains. Are they associated with Google, like search or sync?
I had only Gmail open in it.

Please advise.

lsof -ni

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1495 root    3u  IPv4  20263      0t0  TCP *:ssh (LISTEN)
sshd      1495 root    4u  IPv6  20265      0t0  TCP *:ssh (LISTEN)
telegram- 1636  xmb   35u  IPv4  22691      0t0  TCP 192.168.239.97:54352->149.154.167.92:https (ESTABLISHED)
dhclient  2153 root    9u  IPv4  22599      0t0  UDP *:bootpc
chrome    9670  xmb  162u  IPv4 121742      0t0  UDP 224.0.0.251:mdns
chrome    9712  xmb   30u  IPv4 125395      0t0  UDP 192.168.239.97:32981->216.58.214.3:https
chrome    9712  xmb   31u  IPv4 125402      0t0  UDP 192.168.239.97:33839->172.217.168.10:https
chrome    9712  xmb   32u  IPv4 125403      0t0  UDP 192.168.239.97:52834->172.217.168.67:https
chrome    9712  xmb   35u  IPv4 118586      0t0  TCP 192.168.239.97:34930->172.217.168.37:https (ESTABLISHED)
chrome    9712  xmb   37u  IPv4 118710      0t0  TCP 192.168.239.97:56138->216.58.215.234:https (ESTABLISHED)
chrome    9712  xmb   41u  IPv4 120756      0t0  UDP 192.168.239.97:54186->142.250.203.99:https
chrome    9712  xmb   43u  IPv4 118588      0t0  UDP 192.168.239.97:37339->142.250.203.110:https
chrome    9712  xmb   44u  IPv4 118709      0t0  TCP 192.168.239.97:56136->216.58.215.234:https (ESTABLISHED)
chrome    9712  xmb   50u  IPv4 121577      0t0  UDP 192.168.239.97:60887->108.177.127.189:https
chrome    9712  xmb   61u  IPv4 120428      0t0  TCP 192.168.239.97:48016->108.177.119.188:5228 (ESTABLISHED)
chrome    9712  xmb   62u  IPv4 118645      0t0  UDP 192.168.239.97:43286->172.217.168.74:https


lsof -i

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1495 root    3u  IPv4  20263      0t0  TCP *:ssh (LISTEN)
sshd      1495 root    4u  IPv6  20265      0t0  TCP *:ssh (LISTEN)
telegram- 1636  xmb   35u  IPv4  22691      0t0  TCP 192.168.239.97:54352->149.154.167.92:https (ESTABLISHED)
dhclient  2153 root    9u  IPv4  22599      0t0  UDP *:bootpc
chrome    9670  xmb  162u  IPv4 121742      0t0  UDP 224.0.0.251:mdns
chrome    9712  xmb   34u  IPv4 128501      0t0  TCP 192.168.239.97:50168->en-in-f138.1e100.net:https (ESTABLISHED)
chrome    9712  xmb   35u  IPv4 118586      0t0  TCP 192.168.239.97:34930->zrh04s14-in-f5.1e100.net:https (ESTABLISHED)
chrome    9712  xmb   40u  IPv4 130111      0t0  UDP 192.168.239.97:34908->zrh11s03-in-f10.1e100.net:https
chrome    9712  xmb   41u  IPv4 130109      0t0  UDP 192.168.239.97:49151->zrh04s16-in-f3.1e100.net:https
chrome    9712  xmb   42u  IPv4 130104      0t0  TCP 192.168.239.97:55352->zrh04s14-in-f3.1e100.net:https (ESTABLISHED)
chrome    9712  xmb   43u  IPv4 118588      0t0  UDP 192.168.239.97:37339->zrh04s16-in-f14.1e100.net:https
chrome    9712  xmb   50u  IPv4 121577      0t0  UDP 192.168.239.97:60887->el-in-f189.1e100.net:https
chrome    9712  xmb   57u  IPv4 125452      0t0  TCP 192.168.239.97:55048->zrh04s15-in-f14.1e100.net:https (ESTABLISHED)
chrome    9712  xmb   61u  IPv4 120428      0t0  TCP 192.168.239.97:48016->ei-in-f188.1e100.net:5228 (ESTABLISHED)
chrome    9712  xmb   62u  IPv4 118645      0t0  UDP 192.168.239.97:43286->zrh04s15-in-f10.1e100.net:https
chrome    9712  xmb   64u  IPv4 119558      0t0  TCP 192.168.239.97:56622->zrh04s16-in-f10.1e100.net:https (ESTABLISHED)
chrome    9712  xmb   69u  IPv4 128491      0t0  TCP 192.168.239.97:39054->199.36.158.100:https (ESTABLISHED)
chrome    9712  xmb   70u  IPv4 128492      0t0  TCP 192.168.239.97:55050->zrh04s15-in-f14.1e100.net:https (ESTABLISHED)

Joe Mason

Mar 31, 2022, 5:05:43 PM
to fxm...@gmail.com, Chromium-discuss
A search for 1e100.net returns https://support.google.com/faqs/answer/174717:

1e100.net is a Google-owned domain name used to identify the servers in our network.

...

Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).

Many of the connections from Chrome will of course be created from web pages, but there are some hard-coded in the source to connect to Google servers, like search and sync as you say. All of those should be documented with NetworkTrafficAnnotation tags, which are documented here: https://chromium.googlesource.com/chromium/src.git/+/HEAD/docs/network_traffic_annotations.md

network_time_tracker.cc is a good example of how this works (https://source.chromium.org/chromium/chromium/src/+/main:components/network_time/network_time_tracker.cc): the time server that responds to network time requests is defined in a constant as "http://clients2.google.com/time/1/current". That's stored in a variable "server_url_", so it can be overridden in tests, and then farther down where `server_url_` is used to create a request object, there's a block of text inside "net::DefineNetworkTrafficAnnotation" that describes exactly what this request is for.
 
I'm not sure how the 1e100.net names work, but I think they're aliases for the same servers that have names like "clients2.google.com" publicly. So when Chrome connects to clients2.google.com, DNS is converting the hostname to an IP address, and your "lsof" command is converting the IP address back to a hostname and choosing something.1e100.net instead of clients2.google.com for some reason.

At least that's my guess. Hope this helps!

--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

Torne (Richard Coles)

Mar 31, 2022, 5:11:03 PM
to Joe Mason, fxm...@gmail.com, Chromium-discuss
On Thu, 31 Mar 2022 at 17:05, 'Joe Mason' via Chromium-discuss <chromium...@chromium.org> wrote:
A search for 1e100.net returns https://support.google.com/faqs/answer/174717:

1e100.net is a Google-owned domain name used to identify the servers in our network.

...

Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).

Many of the connections from Chrome will of course be created from web pages, but there are some hard-coded in the source to connect to Google servers, like search and sync as you say. All of those should be documented with NetworkTrafficAnnotation tags, which are documented here: https://chromium.googlesource.com/chromium/src.git/+/HEAD/docs/network_traffic_annotations.md

network_time_tracker.cc is a good example of how this works (https://source.chromium.org/chromium/chromium/src/+/main:components/network_time/network_time_tracker.cc): the time server that responds to network time requests is defined in a constant as "http://clients2.google.com/time/1/current". That's stored in a variable "server_url_", so it can be overridden in tests, and then farther down where `server_url_` is used to create a request object, there's a block of text inside "net::DefineNetworkTrafficAnnotation" that describes exactly what this request is for.
 
I'm not sure how the 1e100.net names work, but I think they're aliases for the same servers that have names like "clients2.google.com" publicly. So when Chrome connects to clients2.google.com, DNS is converting the hostname to an IP address, and your "lsof" command is converting the IP address back to a hostname and choosing something.1e100.net instead of clients2.google.com for some reason.

Reverse DNS lookups are usually expected to resolve to a hostname that will resolve back to that same IP, so returning general aliases like this that may map to many different IPs is not normal (and there are quite probably many different aliases that could all resolve to that IP). So, yeah, you get back some not-meaningful-outside-of-google hostname that refers to the specific IP that the connection was actually handled by; there's no way for lsof/netstat/etc to know what the original DNS name that was used to connect to the host was, because that's not part of the data the kernel stores about the connection.
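
As an added illustration of the two replies above (this is example code written for this page, not code from the thread or from Chromium): the script below parses `lsof -ni` output, deduplicates the remote peers per process (the kernel only knows the IP and port, as Torne says), and then applies the forward-confirmed reverse DNS check he describes: look up the PTR name for the IP, resolve that name forward, and see whether it comes back to the same IP. The bundled DNS table is a constructed stub so the demo runs offline; which IP belongs to which 1e100.net name is not known from the post, so those pairings are illustrative only, and the `unknown-bin` process and the 203.0.113.x addresses are invented for the mismatch case. When output is piped in, the same logic runs against the system resolver.

```python
import re
import socket
import sys
from collections import defaultdict

# Constructed sample in the format of `lsof -ni`: lines taken from the original post plus one
# made-up process ("unknown-bin", 203.0.113.10 from the TEST-NET range) for the mismatch case.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1495 root    3u  IPv4  20263      0t0  TCP *:ssh (LISTEN)
telegram- 1636  xmb   35u  IPv4  22691      0t0  TCP 192.168.239.97:54352->149.154.167.92:https (ESTABLISHED)
chrome    9670  xmb  162u  IPv4 121742      0t0  UDP 224.0.0.251:mdns
chrome    9712  xmb   30u  IPv4 125395      0t0  UDP 192.168.239.97:32981->216.58.214.3:https
chrome    9712  xmb   37u  IPv4 118710      0t0  TCP 192.168.239.97:56138->216.58.215.234:https (ESTABLISHED)
chrome    9712  xmb   44u  IPv4 118709      0t0  TCP 192.168.239.97:56136->216.58.215.234:https (ESTABLISHED)
chrome    9712  xmb   61u  IPv4 120428      0t0  TCP 192.168.239.97:48016->108.177.119.188:5228 (ESTABLISHED)
chrome    9712  xmb   69u  IPv4 128491      0t0  TCP 192.168.239.97:39054->199.36.158.100:https (ESTABLISHED)
unknown-bin 4242 xmb    5u  IPv4 130999      0t0  TCP 192.168.239.97:41000->203.0.113.10:https (ESTABLISHED)
"""

# Matches a connected IPv4 socket row: "local:port->remote:port". Listening sockets (*:ssh)
# and unconnected UDP sockets (224.0.0.251:mdns) have no "->" and are skipped.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv4\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<lip>[\d.]+):(?P<lport>\S+)->(?P<rip>[\d.]+):(?P<rport>\S+)"
)


def parse_lsof(text):
    """Return {(command, pid): {(proto, remote_ip, remote_port), ...}}.

    Several sockets to the same peer (fd 37 and 44 above) collapse into one entry,
    because the question is "who is this process talking to", not "how many times".
    """
    conns = defaultdict(set)
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[(m["cmd"], int(m["pid"]))].add((m["proto"], m["rip"], m["rport"]))
    return conns


def classify_peer(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS for one peer IP.

    ptr_lookup(ip) -> hostname or None; addr_lookup(name) -> set of IPv4 strings.
    Returns (status, ptr_name) with status one of:
      'confirmed' - the PTR name resolves back to this IP (what the 1e100.net names do)
      'no-ptr'    - no reverse record; this is why `lsof -i` left 199.36.158.100 numeric
      'mismatch'  - a PTR name exists but does not resolve back to the IP
    None of these recovers the hostname the program originally connected to.
    """
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", None
    if ip in addr_lookup(name):
        return "confirmed", name
    return "mismatch", name


def audit(text, ptr_lookup, addr_lookup):
    """Classify every distinct remote peer of every process in one lsof dump."""
    results = []
    for (cmd, pid), peers in sorted(parse_lsof(text).items()):
        for proto, ip, port in sorted(peers):
            status, name = classify_peer(ip, ptr_lookup, addr_lookup)
            results.append({
                "cmd": cmd, "pid": pid, "proto": proto, "ip": ip, "port": port,
                "status": status, "ptr": name,
                # UDP to :https is QUIC; anything that is not port https at all deserves a look
                "non_https": port != "https",
            })
    return results


# Constructed stub DNS data for the offline demo (IP-to-name pairings are illustrative).
STUB_PTR = {
    "216.58.214.3": "zrh04s16-in-f3.1e100.net",
    "216.58.215.234": "zrh04s14-in-f3.1e100.net",
    "108.177.119.188": "ei-in-f188.1e100.net",
    "203.0.113.10": "cdn.example.net",          # invented: PTR points elsewhere
}
STUB_A = {
    "zrh04s16-in-f3.1e100.net": {"216.58.214.3"},
    "zrh04s14-in-f3.1e100.net": {"216.58.215.234"},
    "ei-in-f188.1e100.net": {"108.177.119.188"},
    "cdn.example.net": {"203.0.113.99"},          # does not round-trip to 203.0.113.10
}


def stub_ptr(ip):
    return STUB_PTR.get(ip)


def stub_addrs(name):
    return STUB_A.get(name, set())


def live_ptr(ip):
    """PTR lookup through the system resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_addrs(name):
    """A records through the system resolver; empty set when the name does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()


if __name__ == "__main__":
    if sys.stdin.isatty():      # no piped input: offline demo on the constructed sample
        rows = audit(SAMPLE_LSOF, stub_ptr, stub_addrs)
    else:                       # e.g.  lsof -ni | python3 peer_audit.py
        rows = audit(sys.stdin.read(), live_ptr, live_addrs)
    for r in rows:
        flag = "  <- check" if r["status"] != "confirmed" or r["non_https"] else ""
        print(f"{r['cmd']:<12}{r['pid']:>6} {r['proto']} {r['ip']}:{r['port']:<6} "
              f"{r['status']:<9} {r['ptr'] or '-'}{flag}")
```

A 'confirmed' result only tells you the peer IP has a self-consistent reverse name; it does not tell you which Google hostname (clients2.google.com, a sync endpoint, a page resource) Chrome actually requested, which is Torne's point. To see the original URLs you have to ask the browser itself, for example by recording a log with chrome://net-export, rather than the kernel's socket table.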

Alex fxmbsw7 Ratchev

Apr 1, 2022, 7:33:10 PM
to Joe Mason, Chromium-discuss
On Thu, Mar 31, 2022 at 11:05 PM Joe Mason <joenot...@google.com> wrote:
A search for 1e100.net returns https://support.google.com/faqs/answer/174717:

1e100.net is a Google-owned domain name used to identify the servers in our network.

...

Thank you!