Firefox attempting to connect to outside IP even with auto updates turned off
I have an isolated network that I use Firefox in internally. In the past two days I've noticed a significant uptick in denied outbound traffic at my firewall and have traced this back to Firefox running on one of my servers. I only see this traffic when Firefox is open, no other browsers show the same behavior and there is no traffic when Firefox is shutdown. There are no extensions/addons installed.
I'd really like to pinpoint what these IPs are and why Firefox is trying to reach them. All resolve to Amazon blocks. IPs are:
13-225-146-21 13-225-146-108 13-225-146-121
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
hi, in the network section of the browser console you'll see all urls that firefox is connecting to: https://developer.mozilla.org/en-US/docs/Tools/Browser_Console this will provide more information as to what functionality might be causing it than mere ip addresses that are part of aws...
See also the about:networking page and this support article.
philipp - thank you for this...didn't know the browser console existed. Using it I see that the browser is trying to connect to https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/records?collection=tippytop&bucket=main
Do you know where this is triggered from?
cor-el : Thank you for the article link but I had already followed the instructions there, hence my concern when I started seeing connections again. I will go through it once more to make sure I didn't miss something.
Just saw this attempt as well:
i think the first request (https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/records?collection=tippytop&bucket=main) would download a collection of thumbnails for popular domains to be displayed in the top sites section of the new tab page.
the second request will download lists for domains to blocklist which are used by the various components of firefox tracking protection: https://wiki.mozilla.org/Security/Tracking_protection
Thank you Philipp! Gives me something to start looking at.
See also this builtin file: