Brave (linux) makes constant UDP :443 connections to Google

Description of the issue:
No matter what Brave is or isn’t doing (I can load it on a basic website using only html, no scripts that has a single IP) as long as I am connected to the internet it opens numerous UDP connections on port 443 to either Google data services or, less commonly, AWS. Blocking these IPs with the firewall just causes it to open new ones to other Google registered IPs or less commonly Amazon registered IPs. The overwhelming majority of these IPs are clean and have no history I can find on the net. A very small % of them do have the occasional single report of a phishing scam or the like if I search hard enough, but it is so low those could easily be misreports. Maybe those aren’t actually Google or Amazon so much as those are the hosts of whatever is happening here?

Below are some of the connections at the moment as I write this. The perplexing ones are those udp ones at the bottom (what are those doing?) but all of the tcp ones at the top that don’t also match a udp one at the bottom can be accounted for by normal website activity on Brave at the moment

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    

... [skipping lots of other non-brave connections here]

tcp        0      0 10.225.10.247:49118     142.250.81.234:443      ESTABLISHED 1000       3995190    2012/brave --type=u 
tcp        0      0 10.225.10.247:58460     104.18.39.38:443        ESTABLISHED 1000       3988908    2012/brave --type=u 
tcp        0      0 10.225.10.247:53698     13.249.190.60:443       ESTABLISHED 1000       3995183    2012/brave --type=u 
tcp        0      0 10.225.10.247:42454     65.8.19.110:443         ESTABLISHED 1000       3995187    2012/brave --type=u 
tcp        0      0 10.225.10.247:53684     13.249.190.60:443       ESTABLISHED 1000       3995182    2012/brave --type=u 
tcp        0      0 10.225.10.247:53680     13.249.190.60:443       ESTABLISHED 1000       3995181    2012/brave --type=u 
tcp        0      0 10.225.10.247:39634     52.111.239.33:443       ESTABLISHED 1000       3925971    2012/brave --type=u 
tcp        0      0 10.225.10.247:42458     65.8.19.110:443         ESTABLISHED 1000       3995188    2012/brave --type=u 
tcp        0      0 10.225.10.247:42426     65.8.19.110:443         ESTABLISHED 1000       3995184    2012/brave --type=u 
tcp        0      0 10.225.10.247:57450     184.105.99.43:443       ESTABLISHED 1000       3997591    2012/brave --type=u 
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          2892575    147603/cupsd        
udp        0      0 10.225.10.247:40241     65.8.19.110:443         ESTABLISHED 1000       3995191    2012/brave --type=u 
udp        0      0 10.225.10.247:40259     142.251.35.170:443      ESTABLISHED 1000       3997956    2012/brave --type=u 
udp        0      0 10.225.10.247:57165     142.250.72.106:443      ESTABLISHED 1000       3997988    2012/brave --type=u 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        2568984    127581/systemd-reso 
udp        0      0 10.225.10.247:68        10.225.0.3:67           ESTABLISHED 0          3931543    923/NetworkManager  
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          2895607    147604/cups-browsed 
udp        0      0 10.225.10.247:50476     142.250.65.163:443      ESTABLISHED 1000       3981970    2012/brave --type=u 
udp        0      0 10.225.10.247:43033     142.250.65.163:443      ESTABLISHED 1000       3981971    2012/brave --type=u 
udp        0      0 10.225.10.247:59707     142.251.35.170:443      ESTABLISHED 1000       3993356    2012/brave --type=u 
udp        0      0 10.225.10.247:52854     142.250.80.67:443       ESTABLISHED 1000       4001195    2012/brave --type=u 
udp        0      0 10.225.10.247:36589     13.249.190.60:443       ESTABLISHED 1000       4001196    2012/brave --type=u 
udp        0      0 10.225.10.247:53634     142.251.40.174:443      ESTABLISHED 1000       3941306    2012/brave --type=u 
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           1000       53164      2012/brave --type=u 
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           1000       60523      2012/brave --type=u 
udp        0      0 10.225.10.247:39830     142.250.81.234:443      ESTABLISHED 1000       3995177    2012/brave --type=u

EDIT 1: The above code block won’t show the full width of what I pasted in there when viewed on Brave (see exact build below) on linux (distro notes below) nor will it let me scroll left or right to see all of the code block like a truncated code block should. No matter how wide I make the window the last categories here, which are important as they show which program corresponds to each connection and some of these above aren’t Brave, are cut off and thus unreadable. Also I am seeing the above code block spill out of the little gray area designed for it, and overlap the text below (i.e. now the top of this “EDIT 1:” paragraph). I assume I did something wrong because it would be weird and sad for this page to not work correctly on Brave. END OF EDIT 1

For the most part Brave is only listening to any one of these IPs, but it has bursts of activity on each one. Here is an example of me applying tcpdump to one of them, it sat there for a number of minutes and then started flopping out the below in rapid succession until I suspended. I was doing nothing on the net at the time, just waiting to see what would happen. That said I did have a large number of sites open in the background so there probably were numerous scripts running, but none of them were on pages that corresponded to this IP address:

~$ sudo tcpdump host 142.251.35.170
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp59s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:51:32.103900 IP lga25s78-in-f10.1e100.net.https > [computer].36041: UDP, length 162
12:51:32.103900 IP lga25s78-in-f10.1e100.net.https > [computer].36041: UDP, length 23
12:51:32.107088 IP [computer].36041 > lga25s78-in-f10.1e100.net.https: UDP, length 33
12:51:32.115219 IP [computer].37320 > lga25s78-in-f10.1e100.net.https: UDP, length 241
12:51:32.124228 IP lga25s78-in-f10.1e100.net.https > [computer].37320: UDP, length 27
12:51:32.137883 IP lga25s78-in-f10.1e100.net.https > [computer].37320: UDP, length 67
12:51:32.137883 IP lga25s78-in-f10.1e100.net.https > [computer].37320: UDP, length 21
12:51:32.138089 IP [computer].37320 > lga25s78-in-f10.1e100.net.https: UDP, length 35
12:51:32.140151 IP [computer].36041 > lga25s78-in-f10.1e100.net.https: UDP, length 300
12:51:32.149708 IP lga25s78-in-f10.1e100.net.https > [computer].36041: UDP, length 28
12:51:32.152298 IP [computer].36041 > lga25s78-in-f10.1e100.net.https: UDP, length 33
12:51:32.163572 IP [computer].37320 > lga25s78-in-f10.1e100.net.https: UDP, length 32
12:51:32.169641 IP lga25s78-in-f10.1e100.net.https > [computer].36041: UDP, length 92
12:51:32.170062 IP [computer].36041 > lga25s78-in-f10.1e100.net.https: UDP, length 36
12:51:32.173980 IP lga25s78-in-f10.1e100.net.https > [computer].37320: UDP, length 23
12:51:32.181521 IP lga25s78-in-f10.1e100.net.https > [computer].36041: UDP, length 25
^[^Z
[7]+  Stopped 

Poking around on the net, people have said this looks like the work of the google safe browsing service for Chrome – a service that checks the web-pages one goes to for safety such as via existing reports of nefarious activity. But the data exchanges I am observing via these udp connections are happening even when I am not browsing or doing anything. I can open a static single IP web-page with no scripts or ads, and Brave will exchange information via these udp connections in little bursts with pauses of various lengths in between even after just being left to idle for 12 hours or more.

I guess it is possible that this isn’t Brave but a program pretending to be Brave, but if so it is very convincing.

EDIT 2: I checked “Brave settings” ->“Privacy and Security” the option “Use Google services for push messaging” is indeed off, so that can’t be what is happening. End of EDIT 2:

Steps to Reproduce (add as many as necessary): 1. 2. 3.
I have opened and closed brave many times. I have cleared out all the history and started from scratch. I even checked again on a freshly installed linux mint system where I installed brave and opened a new brave window.

Reproduces how often:
It’s always. I can’t make it stop. I can’t even block these with firewall without Brave rerouting and establishing new ones. I have even tried multiple range blocks.

Operating System and Brave Version(See the About Brave page in the main menu):

Brave: Version 1.61.116 Chromium: 120.0.6099.217 (Official Build) (64-bit)

Distro:
No LSB modules are available.
Distributor ID: Linuxmint
Description: Linux Mint 21.2
Release: 21.2
Codename: victoria

Hardware:
Type: Laptop System: Dell product: XPS 15 7590

Not all of those are google, many are cloudfront. Could be extension related?

Lookup those IP in;


Thanks, I’ll take a look at your recommendation there.

I don’t think it’s extension related, because I got it with a clean install of Brave on a clean install of Linux Mint, which was surprising.

Not all of those are google, many are cloudfront.

Yah, and sometimes I get an Amazon Web Services one as they change around, which usually happens only when I block them with the firewall.

Thanks again for the help.

Where/how did you install Brave? Please check if disabling Safe Browsing impacts the observed traffic in any way. Brave itself is designed such that no calls to Google take place out of the box, so any such call is likely to be a false-positive (extension, tab, etc.) or (worst case scenario) a regression (in which case knowing the version of Brave would be quite helpful as well).

One other thing you could do is check the internal task manager of the browser for the process responsible for these calls. Brave’s internal task manager can be accessed via the menu under More Tools. Within you’ll be able to view the sub-processes of the browser, their PIDs, and determine which (if any) are responsible for making the calls.


Where/how did you install Brave?

I installed Brave using apt-get following the “Mint” instructions on the top of this page here: https://brave.com/linux/

a regression (in which case knowing the version of Brave would be quite helpful as well).

It’s at the bottom of my original post: Version 1.61.116 Chromium: 120.0.6099.217 (Official Build) (64-bit)

Brave itself is designed such that no calls to Google take place out of the box, so any such call is likely to be a false-positive (extension, tab, etc.)

It is entirely possible it is not Brave, but then it is a program trying to emulate Brave as I have ruled out the other suggestions in the above excerpt. For instance, RE: extensions, as I said in my original post I tested by making a clean install of Mint followed by a clean install of Brave – it still opens UDP ports when idling and exchanges data with either: Google (by far the most common), Cloudflare, or AWS (least common). RE: tab, as per my original post, I can open a single window to a basic website of known single IP and it will still open these UDP streaming ports (or whatever is pretending to be Brave will).

One other thing you could do is check the internal task manager of the browser for the process responsible for these calls. Brave’s internal task manager can be accessed via the menu under More Tools . Within you’ll be able to view the sub-processes of the browser, their PIDs, and determine which (if any) are responsible for making the calls.

Thanks this looks very useful. If the internal task manager can account for all of Brave’s actual PID’s then I can much more easily figure out if it is actually some shady program trying to disguise itself as Brave. I’ll need to get time to try and fiddle around with these things.

I really appreciate the thoughts and help, I had no idea about that internal task manager for Brave, and that honestly looks like the most powerful tool for getting a handle on what I am experiencing.

Looking forward to hearing more about your experience with the internal task manager. I’ll do a bit of digging on my end in the meantime to see if there are any other similar reports.

Thanks so much for all your help, I am probably going to be awhile before I get to try out all your suggestions as I am super bogged down with backlogged work at the moment.

I’ll do a bit of digging on my end in the meantime to see if there are any other similar reports.

Thanks, people seem to be seeing similar things based on this forum alone. Again though, as you have suggested it may not be Brave, there could be some clever rootkit or other malware that just does a good job of pretending to be Brave that is circulating.

For related posts on this very forum see:

1. Strange Network Traffic out to UDP port 137 from Brave ← Again appears to be phoning Google with UDP (Windows)

2. Why does Brave Constantly Phones Back to Google on UDP 443 ← Especially interesting as it is phoning Google with UDP and the exact same ports as in my instance. (Windows)

3. Unkown UDP Connection Via Brave Helper ← Again appears to be phoning Google with UDP (OS X)

I think there were other examples even off this forum, but I am having trouble finding them at the moment, especially as I am in a hurry to get back to the giant pile of work that I am super behind on.

Let me be the first to admit I am super clueless when it comes to networking, but my extremely limited and possibly incorrect understanding is that Brave should only be opening TCP connections as that is what webpages run on, so opening UDP connections was automatically a bit suspect, and so many of them all to Google (or Cloudflare, or AWS) just made it more so.

Of course, this may just be something that likes to pretend to be Brave, and that may just be someone paying for hosting at Google to route their malware through.

I just fired up a fresh profile in Brave and monitored the network activity via Fiddler; the only pings to Google I saw were for an extension auto-installed by Google Drive. Note, for my test I did not advance past the Welcome screen which is displayed on the browser’s first launch.


Interesting, then maybe it is some sort of malware pretending to be Brave. I’ll have to dig further. Thanks for your test and some good start points by which means I can dig further.

I’m puzzled why I got a notification about this topic having had no involvement and not even having logged in since it was posted…

Anyway, no disrespect but I have muted it.

I see netstat output in your post… I don’t know if Mint has the iproute2 tools that replaced net-tools. If you do have it, try using ss instead. ss -upT might give you more information, as it shows the process and thread responsible for the UDP socket.

Yes netstat can (and did) display process and thread responsible (I think it’s the -i and -p tags, but I will need to check that). Either way my original code block with the netstat output actually has the process and the thread responsible for each item, but the code block is malfunctioning and cutting them off, so only I can see this and only when I edit that post!!! Side note, anyone know what I can do to make that initial code block stop malfunctioning? Right below I will paste the same code block, but I will truncate the left hand portion of it so you can see the right side of it with process and threads.

<Truncate>      Foreign Address         State       User       Inode      PID/Program name    

... [skipping lots of other non-brave connections here]

<Truncate>      142.250.81.234:443      ESTABLISHED 1000       3995190    2012/brave --type=u 
<Truncate>      104.18.39.38:443        ESTABLISHED 1000       3988908    2012/brave --type=u 
<Truncate>      13.249.190.60:443       ESTABLISHED 1000       3995183    2012/brave --type=u 
<Truncate>      65.8.19.110:443         ESTABLISHED 1000       3995187    2012/brave --type=u 
<Truncate>     13.249.190.60:443       ESTABLISHED 1000       3995182    2012/brave --type=u 
<Truncate>      13.249.190.60:443       ESTABLISHED 1000       3995181    2012/brave --type=u 
<Truncate>      52.111.239.33:443       ESTABLISHED 1000       3925971    2012/brave --type=u 
<Truncate>      65.8.19.110:443         ESTABLISHED 1000       3995188    2012/brave --type=u 
<Truncate>      65.8.19.110:443         ESTABLISHED 1000       3995184    2012/brave --type=u 
<Truncate>      184.105.99.43:443       ESTABLISHED 1000       3997591    2012/brave --type=u 
<Truncate>                  :::*                    LISTEN      0          2892575    147603/cupsd        
<Truncate>      65.8.19.110:443         ESTABLISHED 1000       3995191    2012/brave --type=u 
<Truncate>      142.251.35.170:443      ESTABLISHED 1000       3997956    2012/brave --type=u 
<Truncate>      142.250.72.106:443      ESTABLISHED 1000       3997988    2012/brave --type=u 
<Truncate>      0.0.0.0:*                           101        2568984    127581/systemd-reso 
<Truncate>      10.225.0.3:67           ESTABLISHED 0          3931543    923/NetworkManager  
<Truncate>      0.0.0.0:*                           0          2895607    147604/cups-browsed 
<Truncate>      142.250.65.163:443      ESTABLISHED 1000       3981970    2012/brave --type=u 
<Truncate>      142.250.65.163:443      ESTABLISHED 1000       3981971    2012/brave --type=u 
<Truncate>      142.251.35.170:443      ESTABLISHED 1000       3993356    2012/brave --type=u 
<Truncate>      142.250.80.67:443       ESTABLISHED 1000       4001195    2012/brave --type=u 
<Truncate>      13.249.190.60:443       ESTABLISHED 1000       4001196    2012/brave --type=u 
<Truncate>      142.251.40.174:443      ESTABLISHED 1000       3941306    2012/brave --type=u 
<Truncate>      0.0.0.0:*                           1000       53164      2012/brave --type=u 
<Truncate>      0.0.0.0:*                           1000       60523      2012/brave --type=u 
<Truncate>      142.250.81.234:443      ESTABLISHED 1000       3995177    2012/brave --type=u

There are a few other things in there, but the weird udp ones I am referring to are assigned to Brave. Well crafted root-kits and malware can disguise themselves as other programs, which might be what is happening. But assuming it’s not high-end malware then all standard programs are showing Brave as the source.

I don’t know if Mint has the iproute2 tools that replaced net-tools. If you do have it, try using ss instead. ss -upT

Mint does have them and I have been using them too, but they are either not as useful for this, or I just can’t seem to use them correctly. If I use ss every few minutes for many hours it will slowly confirm what I can get with netstat once. So unless I am savvy enough to write a script to run ss continuously and then cat all the unique results into a single output (I am not that savvy, I am a n00b) then my choice is to either run netstat once, or spend hours running ss every few minutes and manually combining all the unique results to get the same output. As a result I am just sticking with netstat as in my hands it is doing everything more easily and better. Using the tcpkill function it looks like these ports idle in some weird way that ss doesn’t really detect them (how that is possible I don’t know) and then have sudden seemingly random bursts of activity every couple of hours. netstat just picks these idlers up, but ss – at least with my ability to use it – has to be executed during these bursts of activity or the idlers are invisible to it. Importantly these idlers don’t usually all go at the same time, they alternate so one needs to run ss successively in each of their individual bursts of activity. As some of the idlers seem to randomly close and new idlers open up over time, the only way in my hands to cleanly get the big picture without a ridiculous amount of effort is to use netstat and not ss.

On rare occasion all or most of these mysterious udp ports start streaming data for a while (30 minutes or more) together – easy to tell because you can hear my laptop’s fans rev up and try to cool off all the sudden activity going on, which powertop suggests is mostly Brave and various computer components associated with the web like the “network device” and/or the “radio device” (i.e. wifi.) This occurs seemingly at random, and has no correlation that I can tell with what I am or am not doing on brave. I certainly can’t time or predict it, but I can, going forward, experiment with comparing ss and netstat during it – something I haven’t bothered to do yet.

Since this is a new day and the thread/process numbers have changed, I am going to print out the ports again as per the original post as all the details have changed (IPs, PIDs, etc…) but the pattern is the same.

Here is the untruncated connections print out (I’ll truncate below so the process names are visible.)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          9010951    261014/cupsd        
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        2568985    127581/systemd-reso 
tcp        0      0 10.225.10.247:50388     184.105.99.43:443       ESTABLISHED 1000       9832131    263721/brave --type 
tcp        0      0 10.225.10.247:43706     142.250.81.234:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:46878     142.251.32.101:443      ESTABLISHED 1000       9820333    263721/brave --type 
tcp        0      0 10.225.10.247:54242     142.250.65.174:443      ESTABLISHED 1000       9837935    263721/brave --type 
tcp        0      0 10.225.10.247:35486     142.250.176.202:443     TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:57950     35.168.98.3:443         ESTABLISHED 1000       9787883    263721/brave --type 
tcp        0      0 10.225.10.247:34514     142.250.31.101:443      ESTABLISHED 1000       9832991    263721/brave --type 
tcp        0      0 10.225.10.247:50292     142.250.64.69:443       ESTABLISHED 1000       9830207    263721/brave --type 
tcp        0      0 10.225.10.247:50902     142.250.72.106:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:44318     142.250.65.170:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:59922     142.251.32.110:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:33906     142.251.40.234:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:49076     142.250.65.206:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:49344     142.251.32.110:443      TIME_WAIT   0          0          -                   
tcp        0      0 10.225.10.247:49708     142.251.167.84:443      ESTABLISHED 1000       9836677    263721/brave --type 
tcp        0      0 10.225.10.247:59908     142.251.40.138:443      TIME_WAIT   0          0          -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          9010950    261014/cupsd        
udp        0      0 10.225.10.247:48614     142.250.65.161:443      ESTABLISHED 1000       9837938    263721/brave --type 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        2568984    127581/systemd-reso 
udp        0      0 10.225.10.247:68        10.225.0.2:67           ESTABLISHED 0          9753893    923/NetworkManager  
udp        0      0 10.225.10.247:33080     142.250.65.174:443      ESTABLISHED 1000       9837934    263721/brave --type 
udp        0      0 10.225.10.247:49767     142.250.176.202:443     ESTABLISHED 1000       9841846    263721/brave --type 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          9008925    261015/cups-browsed 
udp        0      0 10.225.10.247:49866     142.250.72.106:443      ESTABLISHED 1000       9830221    263721/brave --type 
udp        0      0 10.225.10.247:58156     142.251.40.138:443      ESTABLISHED 1000       9823000    263721/brave --type 
udp        0      0 10.225.10.247:58395     142.250.176.202:443     ESTABLISHED 1000       9837955    263721/brave --type 
udp        0      0 10.225.10.247:34508     142.250.72.106:443      ESTABLISHED 1000       9793051    263721/brave --type 
udp        0      0 10.225.10.247:52256     142.251.41.10:443       ESTABLISHED 1000       9823167    263721/brave --type 
udp        0      0 10.225.10.247:60662     142.251.40.206:443      ESTABLISHED 1000       9834220    263721/brave --type 
udp        0      0 10.225.10.247:36434     142.250.65.163:443      ESTABLISHED 1000       9832035    263721/brave --type 
udp        0      0 10.225.10.247:37082     142.250.81.227:443      ESTABLISHED 1000       9831423    263721/brave --type 
udp        0      0 10.225.10.247:37468     142.251.35.163:443      ESTABLISHED 1000       9837941    263721/brave --type 
udp        0      0 10.225.10.247:47292     142.250.80.33:443       ESTABLISHED 1000       9837909    263721/brave --type 
udp        0      0 10.225.10.247:39110     142.250.81.227:443      ESTABLISHED 1000       9841849    263721/brave --type 
raw6       0      0 :::58                   :::*                    7           0          9752305    923/NetworkManager  

.
.
.
.
.

.
.

Here is the truncated version of the above so process names and PIDs can be seen (why don’t these code blocks allow scrolling? Or if they do, why can’t Brave see them? Scrolling in wide code blocks works on the editor for these posts in Brave, but not the final post, that is weird. It also tries to run way out of its code block and overlaps the text below so I had to put a few lines above this paragraph here so readers could actually read it.)

Active Internet connections (servers and established)
<trunc>   Foreign Address         State       User       Inode      PID/Program name    
<trunc>   0.0.0.0:*               LISTEN      0          9010951    261014/cupsd        
<trunc>   0.0.0.0:*               LISTEN      101        2568985    127581/systemd-reso 
<trunc>   184.105.99.43:443       ESTABLISHED 1000       9832131    263721/brave --type 
<trunc>   142.250.81.234:443      TIME_WAIT   0          0          -                   
<trunc>   142.251.32.101:443      ESTABLISHED 1000       9820333    263721/brave --type 
<trunc>   142.250.65.174:443      ESTABLISHED 1000       9837935    263721/brave --type 
<trunc>   142.250.176.202:443     TIME_WAIT   0          0          -                   
<trunc>   35.168.98.3:443         ESTABLISHED 1000       9787883    263721/brave --type 
<trunc>   142.250.31.101:443      ESTABLISHED 1000       9832991    263721/brave --type 
<trunc>   142.250.64.69:443       ESTABLISHED 1000       9830207    263721/brave --type 
<trunc>   142.250.72.106:443      TIME_WAIT   0          0          -                   
<trunc>   142.250.65.170:443      TIME_WAIT   0          0          -                   
<trunc>   142.251.32.110:443      TIME_WAIT   0          0          -                   
<trunc>   142.251.40.234:443      TIME_WAIT   0          0          -                   
<trunc>   142.250.65.206:443      TIME_WAIT   0          0          -                   
<trunc>   142.251.32.110:443      TIME_WAIT   0          0          -                   
<trunc>   142.251.167.84:443      ESTABLISHED 1000       9836677    263721/brave --type 
<trunc>   142.251.40.138:443      TIME_WAIT   0          0          -                   
<trunc>   :::*                    LISTEN      0          9010950    261014/cupsd        
<trunc>   142.250.65.161:443      ESTABLISHED 1000       9837938    263721/brave --type 
<trunc>   0.0.0.0:*                           101        2568984    127581/systemd-reso 
<trunc>   10.225.0.2:67           ESTABLISHED 0          9753893    923/NetworkManager  
<trunc>   142.250.65.174:443      ESTABLISHED 1000       9837934    263721/brave --type 
<trunc>   142.250.176.202:443     ESTABLISHED 1000       9841846    263721/brave --type 
<trunc>   0.0.0.0:*                           0          9008925    261015/cups-browsed 
<trunc>   142.250.72.106:443      ESTABLISHED 1000       9830221    263721/brave --type 
<trunc>   142.251.40.138:443      ESTABLISHED 1000       9823000    263721/brave --type 
<trunc>   142.250.176.202:443     ESTABLISHED 1000       9837955    263721/brave --type 
<trunc>   142.250.72.106:443      ESTABLISHED 1000       9793051    263721/brave --type 
<trunc>   142.251.41.10:443       ESTABLISHED 1000       9823167    263721/brave --type 
<trunc>   142.251.40.206:443      ESTABLISHED 1000       9834220    263721/brave --type 
<trunc>   142.250.65.163:443      ESTABLISHED 1000       9832035    263721/brave --type 
<trunc>   142.250.81.227:443      ESTABLISHED 1000       9831423    263721/brave --type 
<trunc>   142.251.35.163:443      ESTABLISHED 1000       9837941    263721/brave --type 
<trunc>   142.250.80.33:443       ESTABLISHED 1000       9837909    263721/brave --type 
<trunc>   142.250.81.227:443      ESTABLISHED 1000       9841849    263721/brave --type 
<trunc>   :::*                    7           0          9752305    923/NetworkManager  


So this weird super-streamer-multi-UDP-port-opening process that likes to phone google (or reroute through cloudflare or AWS if I block enough of the google IPs with the firewall) appears to be PID 263721 today based on the IP connection printout. Here it is in my computer’s system task manager under processes in the picture below:

It sure has a long effective name due to all those tags/commands entered next to it. Task manager also shows that this process is constantly reading and writing to disk. This is true even if I disconnect the network – I can sit here with no network access and watch it slowly but surely make little background reads and writes constantly to the HD with no sign it is going to slow down or finish reading and writing whatever it is doing.

Now opening the Brave Task manager (thanks for showing me that, I had no idea that was a thing and it is super useful) shows that this thread exists as “Utility: Network Service” See picture below.

Killing this process via the system’s task manager doesn’t cause any immediate effect on Brave whatsoever. However, if one clicks around in gmail following the killing of that process, then after a few seconds and a few clicks the gmail tab demands the page be reloaded/refreshed. And I mean it really demands it, if I just minimize the window it unminimizes itself, if I click “cancel” in the refresh suggestion it thinks for less than a second and then reiterates its demand. I can’t even click to a new tab in the same window, they are all locked until I give into its demand and click “refresh.” Once I give into its demand and click refresh the super-UDP streamer process is rebooted and I appear logged out of that google account. This is slightly odd, as no session, cookies, or cache data has been lost so the session should still be good. Logging back into that Google account and going into security even shows that the other session that I was dropped from by killing the process is still opened even though Brave won’t reconnect to it. I have to use Google Account security settings to close that “dangling” session out as Brave doesn’t seem to see it even though all the website data from that session should still be there in it and theoretically still valid. I have repeated all of this a few times now with the same results (the PIDs and IPs can change though, but the behavior is all the same.)

So I guess whatever this is, it is a google thing, but it sure is shady. It is well patched into Brave. It opens an army of UDP streaming ports which it switches between and uses for random bursts of activity both sending and receiving, even if the user is idling and has been for hours (i.e. there is nothing the user has done to cause anything on brave to need to send or receive data.) It constantly writes and reads data to the machine even when not connected to the network, and whatever it does it seems to supersede google related data cached on Brave. Moreover, if I log out of all my google accounts and close all associated tabs … it’s still there, it still has UDP streaming ports opened and it is still writing and reading to the HD constantly. Blocking the google associated IPs it likes to connect to causes it to reroute through cloudflare and Amazon Web Services. So it does appear it is google associated … but it doesn’t care if you are doing anything with google at all it still runs and does whatever it does constantly in the background (including streaming data via UDP ports, and constantly writing and reading to the HD even when not online) and is happy to phone home through non-google alternates if its direct path is blocked. I’ll admit I am not super good with computers especially networking, but this thing seems very sketchy to me.

For what it is worth, here are all my extensions in Brave:
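
Added example, not part of any post in this thread: a script of the kind mentioned above in the ss discussion, which runs ss repeatedly and merges every distinct UDP/443 peer and owning process into one file, so short-lived sockets seen in different polls end up in a single list. The function names, the default output file name and the sample lines (built from addresses quoted in the thread, with constructed fd numbers) are assumptions of this example.

```shell
#!/bin/sh
# Accumulate every distinct UDP peer on port 443 seen across many `ss` runs.
# Note: UDP to port 443 from a Chromium-based browser is what QUIC (HTTP/3)
# traffic looks like at this level; this script only records who talks to whom.

# Filter: read `ss -H -u -n -p` output on stdin and print "peer process pid"
# for each socket whose peer port is 443. Fields are located relative to the
# users:(...) column because the leading columns differ between ss versions.
# If several processes share a socket, only the first one listed is reported.
udp443_peers() {
  awk '
    {
      for (i = 3; i <= NF; i++) {
        if ($i !~ /^users:/) continue
        peer = $(i - 1)
        if (peer !~ /:443$/) next
        name = "?"; pid = "?"
        if (match($i, /\(\("[^"]*"/)) name = substr($i, RSTART + 3, RLENGTH - 4)
        if (match($i, /pid=[0-9]+/))  pid  = substr($i, RSTART + 4, RLENGTH - 4)
        print peer, name, pid
        next
      }
    }'
}

# Merge the lines on stdin into file $1, keeping each distinct line once.
merge_unique() {
  _mu_tmp=$(mktemp) || return 1
  touch "$1"
  cat "$1" - | sort -u > "$_mu_tmp" && mv "$_mu_tmp" "$1"
}

# Poll ss every $1 seconds, $2 times (0 = until interrupted), merging into $3.
# Sockets owned by other users only show a process name when run as root.
poll_udp443() {
  _pu_interval=${1:-5}
  _pu_rounds=${2:-0}
  _pu_out=${3:-udp443-seen.txt}
  _pu_n=0
  while [ "$_pu_rounds" -eq 0 ] || [ "$_pu_n" -lt "$_pu_rounds" ]; do
    ss -H -u -n -p | udp443_peers | merge_unique "$_pu_out"
    _pu_n=$((_pu_n + 1))
    sleep "$_pu_interval"
  done
}

# Constructed sample in the shape of `ss -H -u -n -p` output (fd values made up).
sample_ss_output() {
  cat <<'EOF'
ESTAB 0 0 10.225.10.247:40241 65.8.19.110:443 users:(("brave",pid=2012,fd=41))
ESTAB 0 0 10.225.10.247:40259 142.251.35.170:443 users:(("brave",pid=2012,fd=52))
ESTAB 0 0 10.225.10.247:59707 142.251.35.170:443 users:(("brave",pid=2012,fd=57))
ESTAB 0 0 10.225.10.247:68 10.225.0.3:67 users:(("NetworkManager",pid=923,fd=27))
EOF
}

# Usage: sh udp443-watch.sh watch [interval] [rounds] [outfile]
if [ "${1:-}" = "watch" ]; then
  shift
  poll_udp443 "$@"
fi
```

The resulting file holds one line per distinct peer/process/PID combination, which can then be compared against the PIDs shown in the browser's internal task manager.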