Background connection to the US military on IP 55.65.117.34
Hi. I found the IP 55.65.117.34 in a 'netstat -a' result last night on my Linux computer while I was doing a port scan. There were 2 instances of the following connection on different ports, which appear whenever Firefox is started and remain active for some considerable time after it is closed: '55.65.117.34.bc.g:https ESTABLISHED'
I ran the IP through a number of IP look-up sites and got the same relevant results from each.
IP Look-up results:
IP Address: 55.65.117.34
ASN: 331
City: Fort Huachuca
State/Region: Arizona
Country: United States of America
Postal Code: 85613
ISP: Headquarters USAISC (US Army Information Systems Center - Fort Huachuca, AZ, USA). 'DoD Network Information Center'.
(The above domain registration includes a '.mil' (military) E-mail address)
Please can you explain:
- why a connection to the US military is being established without my knowledge,
- what the purpose of the connection is and what, if any, data has been gathered,
- how long this has been going on,
- how I go about preventing it occurring in the future.
Until these questions are answered to my satisfaction I will be using Brave browser.
Kind regards.
All replies (4)
If you run netstat -aW you will see that the domain is "googleusercontent". IP lookup can be misleading; the addresses could be owned by DoD but used by Google data centers since there is a lack of IPv4 real estate.
You may want to reduce your dependency on Google services, but it is very difficult to avoid their servers entirely, as they are widely used across many websites, apps and devices.
If you are concerned, it would be preferable to reduce remote connections, install arkenfox hardened settings or use a Firefox-based fork like LibreWolf or Mullvad, rather than switching to a Google-derived browser.
"netstat -a" returns (truncated) host names, not IP addresses. For the reasons that follow, the military IP address is not the relevant address.
You saw a truncated host name which cut off after 17 characters for some reason:
55.65.117.34.bc.g:https ESTABLISHED
As mentioned by zeroknight, the full host name is
55.65.117.34.bc.googleusercontent.com:https ESTABLISHED
When you nslookup the full host name, the IP address associated with that host is
34.117.65.55
(The order of the octets in the IP address is reversed in the host name.)
To confirm, run "netstat -an" (the n switches from host names to IP addresses).
(Note for Windows users: to list the executable associated with the connection, run cmd.exe as administrator and use "netstat -b" or "netstat -bn")
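The decoding described in the answer above, as an added example that is not part of the original thread: it recovers the real remote address from a full or truncated `*.bc.googleusercontent.com` host name by reversing the octets. The function names and the sample lines are constructed for illustration, and applying the reversal rule to every host name of this form is an assumption generalized from the one host discussed here.

```python
import ipaddress
import re

SUFFIX = ".bc.googleusercontent.com"
# Four dotted decimal fields followed by the rest of the host name
HOST_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(\..*)$")

def real_ip_from_host(host):
    """Return the address encoded in a (possibly truncated) host name, or None."""
    m = HOST_RE.match(host)
    if not m:
        return None
    tail = m.group(5)
    # netstat without -W/-n may cut the name short, so accept a prefix of the
    # suffix, but require at least ".bc.g" to avoid matching unrelated names.
    if len(tail) < len(".bc.g") or not SUFFIX.startswith(tail):
        return None
    try:
        # The octets appear in reverse order in the host name.
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()[:4]))))
    except ipaddress.AddressValueError:
        return None

def foreign_endpoints(netstat_text):
    """Return (host, port, decoded_ip) for each tcp line of `netstat -a` output."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        host, _, port = fields[4].rpartition(":")
        rows.append((host, port, real_ip_from_host(host)))
    return rows

# Constructed sample: one truncated name, one full name, one unrelated host.
SAMPLE = """\
tcp 0 0 STA1:50206 55.65.117.34.bc.g:https ESTABLISHED
tcp 0 0 STA1:38654 82.221.107.34.bc.googleusercontent.com:http ESTABLISHED
tcp 0 0 STA1:54918 a104-110-191-185.deploy.static.akamaitechnologies.com:http TIME_WAIT
"""

if __name__ == "__main__":
    for host, port, ip in foreign_endpoints(SAMPLE):
        note = f"real address {ip}" if ip else "not a reversed-octet name"
        print(f"{host}:{port} -> {note}")
```

A decoded address is the one to feed into a WHOIS or IP look-up; `netstat -an` remains the direct way to confirm it.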
Thanks for that feedback. I think I should have realised something like that from the seven domain IPs ending with 34 that are connected to on start-up. Perhaps you can shed some light onto why 55.65.117.34.bc.googleusercontent.com and the others are established whenever Firefox is started, even when I set my home-page to a blank HTML file from my PC that makes no external calls whatsoever and Firefox opens in Troubleshooting mode (all extensions disabled). Firefox makes this call every time I run it and it remains established throughout the session. What is the purpose of establishing this connection?
Also, with the same conditions stated above, immediately after Firefox starts, the following connections are established, though all but 55.65.117.34.bc.googleusercontent.com soon disappear.
tcp 0 0 STA1:36392 53.121.117.34.bc.googleusercontent.com:https ESTABLISHED
tcp 0 0 STA1:54918 a104-110-191-185.deploy.static.akamaitechnologies.com:http TIME_WAIT
tcp 0 0 STA1:54686 191.144.160.34.bc.googleusercontent.com:https ESTABLISHED
tcp 0 0 STA1:38654 82.221.107.34.bc.googleusercontent.com:http ESTABLISHED
tcp 0 0 STA1:43406 209.100.149.34.bc.googleusercontent.com:https ESTABLISHED
tcp 0 0 STA1:38650 82.221.107.34.bc.googleusercontent.com:http ESTABLISHED
tcp 0 0 STA1:50206 55.65.117.34.bc.googleusercontent.com:https ESTABLISHED
tcp 0 0 STA1:35458 a104-110-191-177.deploy.static.akamaitechnologies.com:http ESTABLISHED
tcp 0 0 STA1:50214 55.65.117.34.bc.googleusercontent.com:https ESTABLISHED
Confused!
I believe that Brave browser proxies these and all background Google connections as standard for added security/privacy/protection.
A persistent connection is required for web push notifications. You can see all the different types of connections detailed in the article How to stop Firefox from making automatic connections. The privacy-oriented Firefox forks LibreWolf and Mullvad are pre-configured for minimal connections.