Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Wednesday, May 8, 2013

The extra Google domains

What is 1e100.net?
1e100.net is a Google-owned domain name used to identify the servers in our network.
Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com. We did this for two reasons: first, to keep things simpler, and second, to proactively improve security by protecting against potential threats such as cross-site scripting attacks.
Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).

http://lel00.net/
http://lel00.net/1e100.net/google-story-1e100
The Google story of 1e100
What is the secret behind 1e100? Why is Google associated with 1e100.net? Why such a weird name "1e100"?
We represent a power of 10, or 10 raised to any number, as 'e' followed by that number. Now, 1 e 100 means 10^100, or 1 * 10^100, or 1 followed by 100 zeros. When our internet giants Larry Page and Sergey Brin wanted to name their company, they thought of a name that would mean a number as large as 1 followed by 100 zeros. But due to a mishap, maybe a communication gap, the company was mistakenly registered or named as Google.
A googol is the large number 10^100, that is, the digit 1 followed by one hundred zeros in decimal representation. The term was coined in 1938 by Milton Sirotta (1929 - 1980), nephew of American mathematician Edward Kasner, when he was nine years old. Kasner popularized the concept in his book Mathematics and the Imagination. In binary it would take up 333 bits. A googol has no particular significance in mathematics, but is useful when comparing with other very large quantities such as the number of subatomic particles in the visible universe or the number of possible chess games. Edward Kasner created it to illustrate the difference between an unimaginably large number and infinity, and in this role it is sometimes used in teaching mathematics.
1 googol = 1*10^100, that is 1 e 100 or 1 ^ 100
================
http://www.pcmech.com/article/the-mysterious-1e100-net/
For those of you who watch their incoming/outgoing internet connections closely, you may have noticed the domain 1e100.net pop up periodically for seemingly no reason, and in some instances you may have a persistent connection to it – even as soon as you start your computer.
What is 1e100.net? It’s Google. A WHOIS lookup for that domain reveals it’s owned by them.
Why would Google use a "weird" domain name like 1e100.net? It’s symbolic of a googol (10×10^100), which is where Google gets its name from.
Being that most people aren’t aware of this, the first reaction upon seeing this in a network management program, such as a software-based firewall, is to block it because they don’t know what it is. It further freaks people out if it shows up as a persistent connection that they can’t get rid of.
The 1e100.net domain will never show up by itself. It will always be a subdomain such as server-name.1e100.net.
Instances where you will see the 1e100.net connection
(By "see" I mean literally seeing this from a network utility that can closely monitor all network requests.)
Any web page that has embedded YouTube video
For YouTube itself (a Google property) or any other web site that has a YouTube video embedded in it, 1e100.net will show up even if the video isn’t loaded. When the Flash player first launches it makes a request to YouTube for the video thumbnail image and therefore requests 1e100.net for that data.
Firefox "safe browsing"
This feature by default is enabled and uses a Google server to check web sites you load to see if they’re in the "bad" list.
This is located from Tools / Options / Security:
The two checkboxes "Block reported attack sites" and "Block reported web forgeries" enable Firefox to check every single web site you load against the "bad" list Google has.
Uncheck these two boxes if you don’t want where you surf to be checked against the Google list.
If you want to see the actual configuration data for this, load the address about:config in Firefox, then search for safebrowsing, like this:

You don’t have to necessarily do anything here, but if you wanted to know "How much Google is in my Firefox?", there’s your answer.
Google Earth / Google Updater
Both Earth and Updater (which Earth installs by default) will make connections to 1e100.net to check for updates.
You can instruct Updater not to do that if so desired.
Other places?
As far as I’m aware, the three above instances are where you will see 1e100.net appear. Now that you’re aware what it is and its purpose, you now know it’s not spyware or malware. It’s Google. Using a weird domain because.. um.. well.. it’s a really long (but not really) story and we’ll leave it at that
=======================
http://www.dslreports.com/forum/r23220163-persistent-connection-to-qwinf1131e100net-on-boot
[...]
A normal application will show its properties, but TCPView will not show the properties for a System process:



--------------------

C:\>nslookup yh-in-f120
Servidor:  resolver1.opendns.com
Address:  208.67.222.222
Respuesta no autoritativa:
Nombre:  yh-in-f120
Address:  67.215.65.132

C:\>nslookup yh-in-f95
Servidor:  resolver1.opendns.com
Address:  208.67.222.222
Respuesta no autoritativa:
Nombre:  yh-in-f95
Address:  67.215.65.132


C:\>nslookup  64.74.103.179
Servidor:  resolver1.opendns.com
Address:  208.67.222.222
*** resolver1.opendns.com no encuentra 64.74.103.179: Non-existent domain
--------------------


I already suggested Process Explorer. It sees all and tells all.


If you walk the process trees, you can find out about all active processes including any network sessions.
-----------------------------
This persistent connection was driving me crazy. Online Armour (firewall) reported the persistent connections as coming from Avast! (antivirus). However, the source was from Firefox. I guess since the antivirus is hooked into the http traffic, that's how it goes out.

ashWebSv.exe/TCP to qw-in-f113.1e100.net:http. I also see qw-in-f102.1e100.net:http, iad04s01-in-f147.1e100.net:http.

I did some quick research and found that this persistent connection is from Firefox's safe browsing feature. The Mysterious 1e100.net

I unchecked the "Block reported attack sites" and "Block reported web forgeries" choices in the Security tab and most of the persistent connections went away.

In Firefox, do about:config and filter on safebrowsing to see what Firefox is doing.

Interesting that Thunderbird also connects to 1e100.net when it checks for new mail from my gmail account (Google, smtp.gmail.com is what I entered):

Thunderbird.exe/TCP to qy-in-f109.1e100.net:pop3s

Google is everywhere. Typing text in the search engine box (Google is default) fires up those persistent connections. httpFox showed queries to suggestqueries.google.com.
===============

In order to get more useful output, you need to use some parameters for netstat as explained in the documentation:
netstat -a -n -o
  • -a will include ports in state LISTENING,
  • -n will show the real IP addresses instead of the DNS reverse lookup.
  • -o will include the process id (use the Windows Task manager to look it up).
Please keep in mind that in case your computer got infected, you cannot trust the output of netstat as the malicious program might have manipulated it.
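
An added example, not part of the quoted posts: a Python sketch that parses `netstat -a -n -o` output, keeps the established TCP rows with their process IDs, and checks whether each remote address really belongs to 1e100.net by confirming the reverse-DNS name with a forward lookup. The sample netstat text, the IP addresses, the DNS answers, the hostnames `xx-in-f1.1e100.net` and `cdn.1e100.net.example.org`, and all function names are constructed for illustration.

```python
import socket

# Constructed sample of Windows `netstat -a -n -o` output (documentation-range IPs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49712     203.0.113.20:80        ESTABLISHED     3120
  TCP    192.168.1.10:49714     198.51.100.7:443       ESTABLISHED     3120
  TCP    192.168.1.10:49715     198.51.100.8:80        ESTABLISHED     4008
  UDP    0.0.0.0:5353           *:*                                    1500
"""
# Constructed DNS answers so the sample can be classified offline.
PTR = {"203.0.113.20": "qw-in-f113.1e100.net", "198.51.100.8": "xx-in-f1.1e100.net",
       "198.51.100.7": "cdn.1e100.net.example.org"}
FWD = {"qw-in-f113.1e100.net": {"203.0.113.20"}}

def parse_netstat(text):
    """Yield (remote_ip, pid) for established TCP rows (English state names assumed)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            yield f[2].rpartition(":")[0].strip("[]"), int(f[4])

def in_domain(name, domain="1e100.net"):
    """Match on a label boundary so 'cdn.1e100.net.example.org' is rejected."""
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(name):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify(ip, reverse=live_reverse, forward=live_forward):
    """The PTR name is set by whoever controls the IP block, so confirm it forward."""
    name = reverse(ip)
    if name is None or not in_domain(name):
        return "not-1e100"
    return "confirmed" if ip in (forward(name) or ()) else "ptr-unconfirmed"

def report(text, reverse=live_reverse, forward=live_forward):
    return [(pid, ip, classify(ip, reverse, forward)) for ip, pid in parse_netstat(text)]
```

`report(SAMPLE, PTR.get, FWD.get)` classifies the constructed data; calling `report()` with only captured netstat text uses the system resolver instead.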
