Starting September 9th, this IP Blocklist rule started dropping thousands of outgoing packets per day. Most of the IPs being dropped are from *..bc.googleusercontent.com. I questioned a few users whose IPs were the source and they aren’t noticing any issues with websites not loading, etc. I’m guessing these are for some sort of Google ad services? Has anyone else noticed this in their firewall? Here’s a screenshot from today, which we are only halfway through in our timezone and already have over 58000 dropped packets.
I have a second IPFire protecting the guest network and I checked it. Same issue. Since most of the devices on this network are mobile, the source IPs that I found attempting outbound connections were iPhones. Just trying to figure out if this is legit malicious, or a false positive. On the guest firewall, it also started on September 9th. Prior to this date, there was a consistent zero packets dropped on this blocklist on outbound traffic.
I have seen the same. Looks like false positives to me.
They appear to be githubusercontent.com via Fastly addresses which GitHub uses to serve legitimate traffic. Given the nature of GitHub the addresses might have done something bad in the past and got caught in this list.
I’ve reported the false positives to Threatview.
Thanks.
A G
I concur that I see the same issue, especially in the last 36h I have been driven nuts with a large number of connections timing out on my network.
I eventually realised it was Threatview blocking a number of Google IP addresses, severely affecting use of Google platform apps.
I have disabled it and now everything is back to normal.
This morning I see 8.8.8.8 (Google DNS) being blocked. We don’t use Google DNS, so it is curious.
Some Android devices use it as “private DNS” (or DoH).
I noticed that 8.8.8.8 was included in the IP Blocklist too. A lot of devices have Google’s DNS server baked in even if not explicitly set.
I would disable the blocklist for now.
Thanks,
A G
In case of using Firefox, that may cause these hits as well.


