This is very strange with an unfortunately long and tedious report. I've really never seen anything like this over my time with Hughes beginning in 2011. I'm trying to understand what happened with an absurd amount of data loss that began sometime Friday Sept 1. This happened exclusively on my ethernet connected main computer. I just found it this morning. I only discovered it because my service plan rolls over tomorrow night. I wanted to set up an hourly testmy routine to run until then to see how poorly my Gen 5 service is doing this month. It appears whatever this thing is, ran until it consumed all of my monthly service plan allowance and then became disinterested.
For Friday, Glasswire says Google Chrome used 4.0 GB download out of a total 4.5 GB WAN. These 4 GB show up as going to IP 2a03:2880:f082:112:face:b00c:0:1823
For Saturday, Google Chrome used 5.4 GB of the 6.1 GB total WAN. 4.9 GB shows going to the same IP 2a03:2880:f082:112:face:b00c:0:1823
Chrome typically uses 15-50 MB per day. There isn't a lot I use it for. I did use it for hours Saturday afternoon to work on a complicated google docs investment spreadsheet using source data read in Vivaldi but the drain started the day before so it can't be related. Typically, my main and most regular usage for Chrome is leaving my Hughesnet SCC page open forever and sifting junk/reporting phishing mail at the live.com web interface for my outlook email accounts used by Thunderbird. Otherwise it's only used for managing my Google Merchant accounts and other Google services and the occasional search using Startpage.
Looking up the plain English iteration of the offending IP 2a03:2880:f082:112:face:b00c:0:1823
reveals it's edge-video6-shv-02-ord5.fbcdn.net.
I can't find any of this in any of the Glasswire history prior to Friday. Going to the plain English iteration of the IP reveals it's a stinkin facebook page that says:
We're working on it and we'll get it fixed as soon as we can.
Using that "Go Back" link takes me to a facebook log in page.
Funny since I do not use facebook. The only time I ever open a facebook page is within an isolated Firefox Facebook Container tab. I do have a couple of old fake facebook accounts. I can't remember the last time I logged in with one and would never use something like Chrome for that.
A very odd thing is this facebook page is only accessible when connected through Hughesnet,
When connected by Verizon I can only get this in Firefox "Hmm. We’re having trouble finding that site. We can’t connect to the server at edge-video6-shv-02-ord5.fbcdn.net.
The exact same thing happens when accessing this address from one of my wifi connected windows computers. I can see it when connected by Hughesnet but not when connected by Verizon. Even worse, the exact same thing happens when using my android phone. All this makes it appear it's all something to do with the Hughes network.
The Glasswire log for 8 am shows only 107.9 MB went to this same IP 2a03:2880:f082:112:face:b00c:0:1823 today but that hasn't increased since I discovered it when I woke the computer up at 5:30 this morning to do some work.
I left everything going as is until 8 am when I disabled the ethernet supplying the Hughesnet and reconnected by alternate ethernet using Verizon. The drain to 2a03:2880:f082:112:face:b00c:0:1823 for today hasn't increased so maybe it's over.
The computer is clean. A Bitdefender scan of the C: drive shows absolutely nothing. Chrome did get an update Thursday afternoon but I don't see how that could have set something off to start running Friday.
Any thoughts? Thanks!
I know exactly what it is, because I've seen it on my version of Edge. They have embedded HD videos in the news items that run on the home page and they launch with no way to stop it. I wouldn't leave Edge running for too long or you get what you got.
Mark, thanks for the info and sharing your experience but for one thing, I don't use Edge. I neutered that browser in all of the computers quite some time ago. It doesn't even update.
Regardless, this isn't what happened here. For this to happen, there must be change. Nothing here has changed. There never is and never has been a news feed or google home page running in my Chrome so that possibility is out. The only things running in my Chrome are the same assortment of tabs that have been open in Chrome for years. They restore with every reboot and don't change. None have ever gone berserk. The only one that refreshes automatically is whatever Outlook account is loaded into outlook.live.com at the time. There's no reason for this browser to jump from averaging less than 50 mb a day to an average of more than 4500 per day. And then suddenly stop the drain with no changes in the browser at all
Nothing open in any tab could have changed the data usage of this very limited use browser from maybe a GB a month to 9.4 GB in two 24 hour days before suddenly stopping on it's own after depleting my plan data and 3.9 GB of my token bytes. On this, the third day the data drain dropped to 107.3 MB. I notice that number has now increased to 108 MB for the day. We'll see what Glasswire says tomorrow but it appears to be done.
Still, at this time nothing here can access the problem IP 2a03:2880:f082:112:face:b00c:0:1823 aka edge-video6-shv-02-ord5.fbcdn.net unless it's connected via Hughesnet. Connect through Verizon and the page cannot be loaded. This makes it look like it's something suspiciously particular to the Hughes network.
Edge is just one of the video issues. I assumed it was edge from the domain edge-video6*. When you expanded it, it's definitely a Facebook data server domain (fbcdn.net is Facebook's content data repository). You may not be able to access that domain directly. That said, Facebook does the same thing as Edge. They show and pre-load videos (some are ads) as you scroll them whether you want them or not. My wife used to scroll Facebook a lot on her phone until I pointed out how much data it uses behind the scenes - about the same rate as streaming an HD movie. What also doesn't help are all the high-res images that take a tremendous toll on data usage as well.
As to your remark about not changing what you do: Just remember that these platforms (and browsers) are updating what they do and how they do it constantly, many with complete disregard to those of us trying to conserve data usage - they're more driven by improving performance to the general public. Facebook is also notorious for changing your user-settings about not auto-loading video. In fact they change their platforms so fast that Facebook and it's family of apps (Messinger, Instagram, etc.) update just about twice a week now.
Since you stated you don't actually use Facebook, it may still be possible that Chrome has a Facebook plugin that is activating in the background, or some page you go to uses Facebook's CDN for their ads. This brings up another point: Just about anything that shows any kind of video or animation is going to be a black hole for data anymore, mainly because the videos themselves are becoming more and more hi-res. That includes games that show video ads.
Thanks for the further info but you're not telling me anything I don't already know and nothing you're telling me is the slightest bit applicable to this situation. No Chrome tabs ever show videos or ads. With the exception of the outlook site, they're all strictly business and financial/banking related sites that I may not even log into for lengthy periods of time. There's nothing that refreshes automatically in my google ads or google merchant center tabs. None of the google sheets I keep open refresh automatically. The financial spreadsheet doesn't fetch security price updates until I refresh the page. The Outlook site may want to show some ads but they're blocked by my Adblock Plus. M$ assures me that works. Every site is working properly throughout this episode, just as they have for a very long time. There's simply nothing to find in here.
Regardless, It's over now. The drain lasted two days and stopped on its own with no intervention from me. As it turns out, it was done when I found it. No tabs in Chrome have been opened or closed before, during or after. Here's a screenshot of Glasswire the day before it started. Please note the Chrome section showing typical low usage. Another screenshot from today. The offending IP is nowhere to be found in the Glasswire data for either day. By the way, I have Glasswire installed and always open on all four computers so I have records of what goes on when I want to know. I look at three of them every day watching the size of the Bitdefender manual updates done every morning over wifi. These sometimes log highly abnormal sizes compared to the ethernet updates done on my main computer. My bad for not checking anything on my main connected computer while this was going on. Now I want to know why.
Since you're a network guy, please tell me this. Why is it the offending page still can only be seen when using any of my Hughes connected devices while it's still unavailable when connected to the internet through Verizon? This includes four windows computers and an android 13 phone.
I'm on HughesNet also (obviously) and just tried it in Firefox and Chrome. Neither could find it to DNS into an IP address. That tells me there's something particular to your computer (applications, configuration, etc.) and/or local DNS/network, not HughesNet or their DNS in general.
Another clue is that 2a03:2880:f082:112:face:b00c:0:1823 traces back to Meta Platforms Ireland Limited, which is registered under facebook.com as a "Search Engine Spider", which is kind of weird. The actual server seems to be in Chicago, however. Not saying this is what happened, but it's a scary thought if Meta/Facebook just reached in and indexed your entire computer for you.
If it happens again, in addition to looking at Glasswire, I would right click on your taskbar, bring up a task list, and look for any processes using a lot of computer time and network access. If it looks suspicious I'd kill it immediately.
This is telling me the problem is in my modem or somewhere in the Hughes network on the other side of the modem. The phone is connecting to https://edge-video6-shv-02-ord5.fbcdn.net. In the first screenshot it's using Verizon and running through a VPN. It can't be Verizon throwing up a block. The second screenshot is running through the 5g side of the Hughes HT2000W, not my Linksys router. Both running in DuckDuckGo
How can this happen? It's an android phone. It connects to this miserable facebook system page just as simply and easily and identically as my three wifi windows computers and one ethernet computer which aren't even networked together anymore. No cross contamination in the computers. The only thing in common is Hughesnet.
Please note I adjusted the URL in the screenshots to show the address in it's entirety.
Mark, here's another indication there's nothing particular to any of my computers or network on my side of the Hughes modem. This is an antique phone I still use for certain things like satellite finding. A Galaxy Ace with android 4.something. It hasn't been connected to the internet in a very long time. I did connect it to the Hughesnet this morning and it also went right to this same facebook page. I didn't bother with trying to do a screenshot so I just took a picture of it.
Again, I'm on the same network as you and I'm not getting what you're getting.
You may have a corrupted DNS entry. Try rebooting everything to clear the DNS.