Why am I seeing connections to my ISP with lots of data?


I’m seeing massive amounts of data coming from my ISP of all places, see the image above. I’m not visiting their websites nor are they hosting any CDNs or whatever to my knowledge. According to the meta tab of the Glasswire IP information thing, it’s actually Google?

Is my ISP spying on me or something? Or is this just a way content is delivered?

@Roy-Blaker

If you click those hosts it should show the apps responsible. What does it show for the apps connecting there?

Firefox and Discord, strangely. I know for a fact that neither have been going to their websites and I haven’t heard anything about them hosting servers for the websites I use.

EDIT:
For context my first screenshot is from HTTPS traffic, but when I look in HTTP traffic, apparently this same fidnet(dot)com IP has 40GB or so from, of all things, Final Fantasy XIV Online. Now that I’m almost certain they don’t host servers for.

@Roy-Blaker

Do they offer some type of VPN browser or VPN service of some type? That’s strange. Maybe it’s the way their modem works? How does it connect to your PC? Do they install any of their own software on your PC or how do you connect to their network exactly?

I’ve used a VPN before, but it’s not with them. The VPN was ProtonVPN, and it wasn’t on when I was downloading FFXIV.

The ISP themselves do not offer a VPN to my knowledge and even if they did without me knowing, I still have normal traffic appearing from the proper IP addresses, such as when I download Skyrim mods from NexusMods and their CDNs or watch videos on Youtube.

@Roy-Blaker

If you check your browser history do you see any Speed Tests or something like that? Speedtest websites sometimes route you to your ISP download. Maybe you did a speed test with Firefox?

I haven’t done so, and I certainly haven’t done enough to download like 100GB of test files or the like.

I should have thought about this earlier, but what traffic types are you showing? @Roy-Blaker

traffic

If you switch to External traffic only does it still appear?

Yep. Still the same 26.4 GB. Incoming only shows similar results.

Really weird! I was sure you were going to say it was a Speed Test…

I will ask our team and see if they have ideas. Maybe someone else in the forum may have an idea also.

Thanks. I’m super confused man. I’ve searched around for something like this and haven’t found anything at all.


Wild theory here. Could my ISP be routing my connection to log or keep track of my net usage? They have a clearly written section in the terms on their website that they’re never going to spy on me or track anything I do, and I also have emails from representatives saying they won’t do it, but I mean, all things considered, it seems like the most logical conclusion here.


Woah, hold the wild theories. Keep the tin-foil hat in the drawer. There is no problem. :grinning: Your ISP is almost certainly holding to their contract with you and not tracking you.

googleusercontent.com is a CDN (Content Delivery Network) so it is caching their stuff instead of your request having to be fulfilled from the originating website. You just had to search for the site to find this out, e.g. at https://helpx.adobe.com/nz/analytics/kb/googleusercontentcom-instances.html

How could you tell what your ISP is doing? They have a privileged role on the Internet because they know where all your transmissions are coming from: your network. It doesn’t matter whether they can read them or not. They can see what you request and where from so there are opportunities to cache data. That’s why they tell you what they won’t do. Imagine how much business they could lose if they were tracking users. Leave it to web-monopolists like Facebook, Google, etc. to do that.

FYI, a lot of ISPs still operate a transparent (i.e. you can’t tell) cache because it is likely to make their user connections more responsive and save the ISP money paying for interchange bandwidth to and from other networks. Of course it gets harder to do the more that secure protocols like SSL/TLS and IPsec are used.
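A way to triage the pattern discussed in this thread, as an added example that is not part of any original post: group per-app traffic by remote address, keep only remotes inside the ISP's own address space, and see which of them serve several unrelated apps. The prefix, host names, app names and byte counts are constructed sample values (RFC 5737 documentation ranges), and the "several apps, one ISP address" rule is a heuristic assumption, not proof of a cache.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data; documentation ranges stand in for real addresses.
ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed ISP address space
FLOWS = [
    # (application, remote IP, reverse-DNS name or None, bytes received)
    ("firefox.exe", "203.0.113.10", "cache-1.isp.example", 26_400_000_000),
    ("discord.exe", "203.0.113.10", "cache-1.isp.example", 1_200_000_000),
    ("game-launcher.exe", "203.0.113.10", "cache-1.isp.example", 40_000_000_000),
    ("firefox.exe", "198.51.100.7", "cdn.mods.example", 3_000_000_000),
    ("updater.exe", "203.0.113.99", None, 500_000_000),
]


def in_isp_space(ip, prefixes=ISP_PREFIXES):
    """True if the remote address lies inside one of the ISP's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def summarise(flows, prefixes=ISP_PREFIXES):
    """Per ISP-hosted remote: its PTR name, bytes per app, and total bytes."""
    report = {}
    for app, ip, ptr, nbytes in flows:
        if not in_isp_space(ip, prefixes):
            continue  # ordinary off-net server, not the case being triaged
        entry = report.setdefault(
            ip, {"ptr": ptr, "apps": defaultdict(int), "total": 0}
        )
        entry["apps"][app] += nbytes
        entry["total"] += nbytes
    return report


def shared_cache_candidates(report, min_apps=2):
    """ISP-hosted remotes used by several apps: consistent with a cache node."""
    return sorted(ip for ip, e in report.items() if len(e["apps"]) >= min_apps)


if __name__ == "__main__":
    rep = summarise(FLOWS)
    for ip in shared_cache_candidates(rep):
        e = rep[ip]
        print(ip, e["ptr"], f"{e['total'] / 1e9:.1f} GB", dict(e["apps"]))
```

A remote that is in the ISP's range but used by a single app, like the last constructed flow, is the one that deserves a closer look at the owning process.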

Every website you visit tracks a lot by downloading a tracking file onto your computer, so use the internet, but securely.

Hi Roy-Blaker,

Believe it or not, your issue sounds like the exact problem I was having which led me to discover Glasswire back in November of 2017.

The problem that I was having is that I was on a metered mobile data service from my ISP (from memory it was 30GB which I had to use within six months) and as I was careful in my data usage (I had no need for videos, gaming or anything data hungry), I knew that amount of data back then would have lasted me at least three months.

Anyway, every now and again (the times were random) something would just eat about 10GB of my data allowance and I could never account for what had happened as I was always so careful with my bandwidth, disconnecting when not using it and so on.

In Australia mobile data was (and is still) quite expensive so that 30GB back then cost me about AUD$125 (about USD$100 approx) and because I was using the mobile connection mainly for financial news and data, these 10GB bites out of my plans were costing me about AUD$35 each time it happened and I went from annoyed to furious as it kept recurring.

I raised a support request with my ISP at the time (Vodafone) who could not determine what was consuming the bandwidth, so I pushed the envelope with them and asked them to do a full forensic investigation of all usage on my connection to find out if the problem was leakage on their end as I knew it was nothing I was actively doing. I could even isolate the exact times when these 10GB chunks were being used (the amounts were in fact random, but almost always around 10GB or more; 9.8GB one day, 11.2GB the next time, 10.56GB and so on, but basically it was always around the 10GB amount).

Well, to their credit Vodafone did indeed perform a forensic investigation into my data usage and although they were limited in what they could reveal to me by privacy laws (Australia has quite strict privacy laws), they did tell me in no uncertain terms that there was no problem with the ISP service and that it was a program installed on my PC that was using these 10GB chunks (but they could not reveal the name of the program).

This forced the issue back on me and I started looking around for a forensic grade packet sniffer to try to help me identify all traffic into and out of my laptop, I knew of no other way to isolate the program, app or process that was using the data as the amount was way above my normal usage.

That’s when thankfully I found Glasswire and I watched the data usage like a hawk to find out what was eating the 10GB intermittently and I eventually found it was - and I am 100% certain of this - SurfEasyVPN.

The SurfEasyVPN program uses a file called “openvpn” or “openvpn64” and it was one of these that was eating the 10GB intermittently (I think I was on a 64bit OS at the time, so I assume it was ‘openvpn64’). I checked my pc thoroughly and the only files which had the openvpn belonged to SurfEasy, so I was sure I had isolated the problem.

I contacted SurfEasy support and they basically denied that what I was describing could actually happen, but that just made it easy for me to uninstall their program and discontinue my subscription with them.

I kept looking around for another VPN that did not use some version of ‘openvpn’ in their program as I knew that it was likely that the exact same thing would happen again with another VPN using that same file. I couldn’t really find anything, it seems many of the better known commercially available VPNs use openvpn, so I just resolved to use Tor in the meantime.

And now it’s time for the happy ending: as soon as I stopped using SurfEasyVPN / openvpn the problem stopped and I never had a chunk of 10GB get eaten again.

I rationalized it to myself that in some way the openvpn program would share traffic around their various users to randomize the web traffic and that these 10GB bites were randomized traffic going through my machine and utilising my bandwidth.

Anyway, that’s what happened to me and that’s how it played out. Big thanks to Glasswire who ended the grief by allowing me to analyze my traffic and pinpoint that it was the openvpn64 program that was using the bandwidth.

Very best of luck with your investigations, I hope you isolate the problem soon.

:slight_smile:
