Weird Traffic from Google?

The other day I was monitoring a port (tcpdump -i xxxxx 'port 80') on a machine in my network and some strange traffic showed up.  There is very little activity on this machine as it was just recently set up to be a NIDS machine utilizing snort.  Only browser in use was Firefox.

Some strange traffic showed up on the port.  I wanted to investigate the cause.  The picture below shows the traffic.


For no apparent reason this machine received traffic from:


"156.99.224.35.bc.googleusercontent.com.http".


After some light googling I came across this site [1] that proposed a couple options.  The one that peaked my interest and was most feasible was webcrawlers.  But why? Why this seemingly random machine?  I have it connected to the internet, but then again I have a lot of devices connected to the internet.  Are all devices on my network receiving this kind of traffic?  I am intrigued.

A quick "dig" and "whois" and I found that the traffic originated from St. Paul Minnesota.

This is getting interesting now.

I continue looking for a source of this strange traffic.  I bring up another favourite tool robtex.com

I found the solution!  Sadly my initial thoughts were wrong, there was no nefarious plot by google to analyze my network and spy on me. (Too much Mr.Robot for me).  Turns out it was all my fault. 

Here is what I found.

156.99.224.35.bc.googleusercontent.com is a PTR record [2] ( A DNS record that resolves an IP address to a domain or host name).  The address it is pointing to revealed what was going on.



It turns out that my machine was doing a connectivity check back to canonical.  I had completely forgotten that when I initially set up this OS I had (for some unknown reason) selected/left this setting on.  My machine was calling back to the mother ship!

I actually do not want this setting on.  So I turned it off.

If you want to turn this feature off in Ubuntu follow these instructions:

Navigate to this folder as a user with appropriate permissions.
/var/lib/NetworkManager/NetworkManager-intern.conf

and change

[connectivity]
.set.enabled=true

to

[connectivity]
.set.enabled=false

This activity was fun.  You can learn a ton from just from observing what is happening on your network.  I had a machine that was receiving packets from somewhere else.  I wasn't sure what it was, or where it was from but with some careful digging the solution was found!

Hope you enjoyed.


Andrew Campbell

Reference:



Comments

Popular Posts