Constant googleusercontent hits


Expected Behaviour:

Trying to track down the origin of the hits listed below when using tcpdump

-operating system
Ubuntu 20.04

Actual Behaviour:

logs of hits against googleusercontent

Debug Token:

Hello, I know this may be off topic, but I do believe it has some import to pihole.

When I run tcpdump against my local computer's network interface I see a lot of hits against googleusercontent as listed in the below sample.

Searching the internet I see conflicting information about googleusercontent - some reports that these are individual users who have set up servers and some state no, these are legitimate google.com servers serving ads or images.

Blocking in pihole (\.|^)googleusercontent\.com$ still shows hits and I guess my question here is can anyone tell from these hits if they are indeed valid google.com servers or indeed hosted accounts on googleusercontent servers. If the latter then it would seem that some script or malicious code may be running somewhere on my system.

14:10:49.689904 IP desktop-pc7.34690 > 0.xxx.244.35.bc.googleusercontent.com.https: Flags [P.], seq 518:582, ack 4683, win 501, options [nop,nop,TS val 4206362964 ecr 339742504], length 64

14:10:49.690740 IP desktop-pc7.34690 > 0.xxx.244.35.bc.googleusercontent.com.https: Flags [P.], seq 582:752, ack 4683, win 501, options [nop,nop,TS val 4206362965 ecr 339742504], length 170

14:10:49.690785 IP desktop-pc7.34690 > 0.xxx.244.35.bc.googleusercontent.com.https: Flags [P.], seq 752:1454, ack 4683, win 501, options [nop,nop,TS val 4206362965 ecr 339742504], length 702

Not using tcpdump but you can use either strace or even a separated network namespace to track which application is causing these lookups:

You could also try to install bpfcc-tools and use the tool tcptracer-bpfcc to get connections per process. This may reveal what you want to know.


@dl6er that is exactly the information I was looking for! Thank you. Thank you!

So what I'm seeing using just the regular tcpdump are connections like the following. I've managed to block these using a filter in my router which speeds up page loading significantly - like almost instantaneous results whereas before it took longer. So there is something going on with these googleusercontent connections and eliminating them speeds up page loads significantly. Unfortunately googleusercontent keeps changing the IP address so it's a game of whack-a-mole.

I'm wondering if others are seeing these kinds of packet exchanges when using Firefox. If you have tcpdump it's easy: just run a command like the following in a root terminal:

tcpdump -i [enter interface id without brackets here] -p | grep googleusercontent

Be curious if others are seeing connections to googleusercontent

Here is an example of the output I'm receiving:

12:44:44.778940 IP desktop.37178 > xx.xxx.xxx.xx.bc.googleusercontent.com.http: Flags [S], seq 618018264, win 64240, options [mss 1460,sackOK,TS val 3391830120 ecr 0,nop,wscale 7], length 0
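An added example, not part of any post in this thread: the names in the captures above are reverse-DNS (PTR) names that tcpdump prints when run without `-n`, so the sketch below decodes them back to IP addresses and matches each flow's local port against socket owners. It assumes the owner list comes from `ss -Htnp` run as root; the function names, addresses, PIDs and process names are constructed for illustration.

```python
import re

# Without -n, tcpdump prints the reverse-DNS (PTR) name of each address.
# Names shaped d.c.b.a.bc.googleusercontent.com carry the IPv4 address
# a.b.c.d in reversed octet order.
PTR = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.bc\.googleusercontent\.com")
FLOW = re.compile(r" IP \S+\.(\d+) > (\S+)\.(\w+): ")
PROC = re.compile(r'\("([^"]+)",pid=(\d+)')

def ptr_to_ip(name):
    m = PTR.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None

def flows(tcpdump_text):
    """Unique (local_port, remote_ip, service) for googleusercontent peers."""
    seen = []
    for line in tcpdump_text.splitlines():
        m = FLOW.search(line)
        ip = ptr_to_ip(m.group(2)) if m else None
        if ip and (m.group(1), ip, m.group(3)) not in seen:
            seen.append((m.group(1), ip, m.group(3)))
    return seen

def owners(ss_text):
    """Map (local_port, peer_ip) -> (process, pid) from `ss -Htnp` output."""
    table = {}
    for line in ss_text.splitlines():
        f = line.split()
        p = PROC.search(line)
        if len(f) >= 5 and p:
            key = (f[3].rsplit(":", 1)[1], f[4].rsplit(":", 1)[0])
            table[key] = (p.group(1), int(p.group(2)))
    return table

def attribute(tcpdump_text, ss_text):
    own = owners(ss_text)
    # A socket that closed before ss ran has no owner; report it as None.
    return [(port, ip, svc, own.get((port, ip))) for port, ip, svc in flows(tcpdump_text)]

# Constructed samples (203.0.113.0/24 is a documentation range, not a real host).
TCPDUMP = """\
14:10:49.689904 IP desktop-pc7.34690 > 7.113.0.203.bc.googleusercontent.com.https: Flags [P.], seq 518:582, ack 4683, win 501, length 64
14:10:49.690740 IP desktop-pc7.34690 > 7.113.0.203.bc.googleusercontent.com.https: Flags [P.], seq 582:752, ack 4683, win 501, length 170
12:44:44.778940 IP desktop-pc7.37178 > 9.113.0.203.bc.googleusercontent.com.http: Flags [S], seq 618018264, win 64240, length 0
"""
SS = """\
ESTAB 0 0 192.168.1.20:34690 203.0.113.7:443 users:(("firefox",pid=2314,fd=87))
ESTAB 0 0 192.168.1.20:51234 198.51.100.4:443 users:(("thunderbird",pid=990,fd=41))
"""
```

A flow that comes back with `None` as its owner was already closed when the socket list was taken, which is the case the per-process tracer suggested in the reply above covers.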
