A bunch of random outgoing ports

Description of the issue:
A lot of random outgoing ports to various IPs are happening when I’m opening Brave. I’m wondering if this would be a security concern or if it’s normal. Aside from 80, 443, and 53, I don’t really see why other ports would need to be outgoing. If it was using DNS I’d be less concerned. Would it have something to do with the SYNC or Wallet feature? I’ve counted over 20 different non-standard ports outgoing to over 20 different raw IPs.

How can this issue be reproduced?
Use a host-based firewall that prompts for ingoing and outgoing connection approval. On Mac OS X I’m using Little Snitch for my firewall.

Expected result:
All traffic using 80, 443, or 53 using DNS destinations.
Brave Version (check About Brave):
1.52.117

Additional Information:

1 Like

80/443 = Web and 53 is DNS requests. Seems safe to be honest? Brave will check for browser and component updates (on load, and randomly during usage). Restoring any pages session on load will also initiate ports being used.

Some extensions will also initiate checks.

Let’s make things simpler… I’ve been a GNU Linux admin for over a decade. I know tech. I’ve turned off all the extensions and it’s still doing it. I’m not using the TOR private tab for it to be TOR connections. You can check the JSON formatted rules for Little Snitch at https://raw.githubusercontent.com/boydhako/Little_Snitch-Rule_Groups/master/brave.lsrules.txt.

Most of it is outgoing to port 4001 to vultrusercontent.com and contaboserver.net when doing reverse DNS lookups. I can’t find any trusted or confident sources that have anything about those sites.

On top of that, why are there outbound connections to the ports below? It’s a “Web” Browser. It should only be sending outgoing to 80, 443, and maybe 53.

This is starting to go into the “Is Brave Browser really safe?” bucket.

4001
4002
5228
7001
7794
9001
18658
19272
19772
22733
23314
23831
23930
24621
26397
26711
27198
27815
28530
34366
36585
38519
46052
46898
47750
52149
55049
55956
60766
61600
65017
2 Likes

https://www.google.com/search?q=vultrusercontent.com+malware

I suspect something is making the IP calls through the browser. Brave itself isn’t the issue, the extension/malware? is.

As I said before, I disabled all the extensions.

So, either Brave has malware embedded in it or disabling extensions doesn’t actually disable them.

1 Like

I think it might have something to do with that “Snowflake” setting for TOR.

1 Like

“It’s a web browser” dude, I’m saying this is driving me nuts… because I did have malware so identifying what is and what is not on my network has … been too much.

1 Like

I’ve confirmed it’s the “Snowflake” setting in the TOR section. I think it turns the browser into an Exit Node. Which is kind of a beep thing to do without mentioning it.

2 Likes
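
The per-port tally discussed in this thread can also be produced without a prompting firewall. The following is an added example, not code from any poster or from Brave: it parses `lsof +c 0 -nP -i` output and lists, for one process, the remote endpoints whose port is not 80, 443 or 53. The sample lines, the addresses (documentation ranges) and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

EXPECTED_PORTS = {80, 443, 53}  # the ports the original poster expected to see

# Constructed sample of `lsof +c 0 -nP -i` output; lsof prints spaces in names as \x20.
SAMPLE = r"""COMMAND          PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Brave\x20Browser 812 alice  23u  IPv4 0xabc1      0t0  TCP 192.168.1.20:51514->203.0.113.10:443 (ESTABLISHED)
Brave\x20Browser 812 alice  31u  IPv4 0xabc2      0t0  TCP 192.168.1.20:51520->198.51.100.7:4001 (ESTABLISHED)
Brave\x20Browser 812 alice  32u  IPv4 0xabc3      0t0  TCP 192.168.1.20:51521->198.51.100.9:4001 (SYN_SENT)
Brave\x20Browser 812 alice  40u  IPv6 0xabc4      0t0  TCP [2001:db8::5]:51530->[2001:db8::99]:5228 (ESTABLISHED)
Brave\x20Browser 812 alice  41u  IPv4 0xabc5      0t0  UDP 192.168.1.20:60123->203.0.113.53:53
Brave\x20Browser 812 alice  44u  IPv4 0xabc6      0t0  TCP *:49200 (LISTEN)
mDNSResponder    301 _mdns  12u  IPv4 0xabc7      0t0  UDP *:5353
firefox          900 alice  55u  IPv4 0xabc8      0t0  TCP 192.168.1.20:51600->203.0.113.80:9001 (ESTABLISHED)
"""

# Remote side of the NAME column: "->host:port" or "->[v6addr]:port".
REMOTE = re.compile(r"->(\[[0-9A-Fa-f:.]+\]|[^\s:]+):(\d+)")


def unexpected_remote_ports(lsof_text, process, expected=EXPECTED_PORTS):
    """Return {remote_port: sorted remote addresses} for `process`,
    leaving out ports listed in `expected`."""
    found = defaultdict(set)
    for line in lsof_text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[1].isdigit():
            continue  # header or malformed line
        if fields[0].replace("\\x20", " ") != process:
            continue
        match = REMOTE.search(fields[8])
        if not match:
            continue  # listening or unconnected socket: no remote endpoint
        port = int(match.group(2))
        if port not in expected:
            found[port].add(match.group(1).strip("[]"))
    return {port: sorted(addrs) for port, addrs in sorted(found.items())}


if __name__ == "__main__":
    for port, addrs in unexpected_remote_ports(SAMPLE, "Brave Browser").items():
        print(port, ", ".join(addrs))
```

Running it once with a browser setting enabled and once with it disabled, then comparing the two results, ties a group of ports to that setting, which is the comparison the thread arrives at by hand.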
