The Mysterious 1e100.net

If you are the type of tech junkie who likes to dig into your Internet access logs to look at your incoming and outgoing Internet connections, you may have noticed that the domain “1e100.net” pops up once in a while, seemingly without rhyme or reason. In some instances you may even have a persistent connection to 1e100.net, even as soon as you start your computer.

What on Earth is 1e100.net? Well, if you are enough of a math geek, you know that the “e” symbol stands for exponentiation, and “1e100” means 1×10 to the 100th power. That’s a big number…in fact, it’s a number so large that it’s called a “googol” – a one followed by 100 zeroes. Hmmm, googol, googol…what’s familiar about that word? Ah yes – it sounds just like Google. And that’s because Google is named after googol, and 1e100.net is one of Google’s domains. A WHOIS lookup for that domain reveals it’s owned by them.

Because many power users aren’t aware of this connection, their first reaction upon seeing 1e100.net pop up in in a network management program, such as a software-based firewall, is to block it because they don’t know what it is. It further freaks people out if it shows up as a persistent connection that they can’t get rid of. However, it is a perfectly harmless connection and there’s no need for panic. The 1e100.net domain will never show up by itself. It will always be a subdomain such as server-name.1e100.net.

Instances where you will see the 1e100.net connection

(By “see” I mean viewing from a network utility that can closely monitor all network requests.)

Any web page that has embedded YouTube video

For YouTube itself (a Google property) or any other web site that has a YouTube video embedded in it, 1e100.net will show up even if the video isn’t loaded. When the Flash player first launches it makes a request to YouTube for the video thumbnail image and therefore sends a request to 1e100.net for that data.

Firefox “safe browsing”

This feature by default is enabled and uses a Google server to check web sites you load to see if they’re in the “bad” list.

This is located from Tools / Options / Security:

image

The two checkboxes “Block reported attack sites” and “Block reported web forgeries” enable Firefox to check every single web site you load against the “bad” list Google has.

Uncheck these two boxes if you don’t want where you surf to be checked against the Google list.

If you want to see the actual configuration data for this, load the address about:config in Firefox, then search for safebrowsing, like this:

image

You don’t have to necessarily do anything here, but if you wanted to know “How much Google is in my Firefox?”, there’s your answer.

Google Earth / Google Updater

Both Earth and Updater (which Earth installs by default) will make connections to 1e100.net to check for updates.

You can instruct Updater not to do that if so desired.

Other places?

As far as I’m aware, the three above instances are where you will see 1e100.net appear. Now that you’re aware what it is and its purpose, you now know it’s not spyware or malware. It’s Google. Using a weird domain because.. um.. well.. it’s a long story and we’ll leave it at that. :)

25 thoughts on “The Mysterious 1e100.net”

Avatar aurorum says:
dont think youre in a position to control your privacy without external firewalls and a whole lot of monitoring and paranoia. as UEFI gets more and more developed and more overlooked as just a bios replacement more and more people will forgot or not know that it is a middleman os and doeant srop after it boots your os. it has full admin access to hardware, data on hardware and can make connections to the internet to servers like these to report or upload malicious or illicit content that it has detected. also, ita already hacked by a russian group named something bear and that is why mobo native wifi is cancer. also the open source altenatives exist for uefi but i have not tried them yet. afraid of bricking my dual bios mobo lol. so really, my point is your computr siftwarunning in layers below your os can do things without you knowing. without your os software firewall knowing. thus is the age the non paranoid or the apathetic have left us.
Avatar helpful_zombie says:
since when did fancy bear hack the entirety of uefi?
Avatar Bali Bebas! says:
Great little post here. If you’re on an Android device you may detect and block this domain using NetGuard, an open source firewall for Android (available on F-Droid). Based on profiling on EMUI I saw connection attempts to 1e100 for services such as “Google Backup Transport”, “Google Play services” and “1021” (GPS daemon). I’d have personally blocked this domain sooner but I’ve only been using Android for a few months and only recently became aware of NetGuard.
Avatar John says:
ummm, you guys are still blind, deaf and dumb. The registrant is located in Bluffdale Utah which IS the NSA Data Center. They run everything through the 1e100 as well as Akamai to make it hard for you to block it using wildcard filters. You CAN just block the bluffdale list. And the servers will fallback to other non-nsa servers. This is also why the pentagon and google have got together for delivering data recently.
Avatar helpful_zombie says:
other things than the nsa data center are allowed to be located in bluffdale. for example: my house

they don’t do it to make it hard for you to block, they do it to prevent xss and to assign hostnames to their multiple ip addresses.

source: https://support.google.com/faqs/answer/174717

Avatar androidhacked says:
I wish you had the time to dig deeper a little bit more because markmonitor is not just the registrar of that address (le100.net) but its also rigistered with gstatic which is a intrusive dangerous virus that gets pass any anti virus ware, malware, etc… Detection…. I found out by firefox extensions called no script 10.1. This extension reveals scripts running on websites you look at. I looked up all the websites (scripts) that was running on my pages i was looking at, even key locked pages and gstatic.com will always pop up. I think you was getting close because (le100.net) (gstatic) both registrar is mark monitor who i THINK is descizing or hiding behind being registered to google. My phone is currently hacked by gstatic and i looked up their ip which led me to this page. I tried everything but no antivirus apps can remove this on an android phone. Any suggestions???
Avatar helpful_zombie says:
gstatic isn’t a virus — it’s google’s (notice the g in gstatic) static hosting site for all of their scripts and fonts. (also, markmonitor is just the company that registered gstatic, 1e100, etc. on behalf of google.) 9/10 times the reason you see it on random sites is because it uses fonts, scripts, or CSS styles from google. This is quite common, and is absolutely nothing to be scared of. You can see it on this page too — there’s a reCAPTCHA and some fonts, which are both hosted, at least partly, on gstatic.
Avatar Scott says:
Found this domain in my net logs and it had 2.9GB of data outbound to it in just 1 day. The data was coming from an iPhone connected via WiFi.
Avatar Leo says:
By mass data collection makes it Harder to find the correct information. What it is this 1e100 doesnt represent scientific notion for a Google. Bc e= 2.718
Whst does it mean?
Giving in this situation I know that the integral of e is itself a partial differential operation. Do e= operator of the partial differential in question, with reference yo our initial integral.

Technically speaking GOOGLE COULD HAVE AN INFINITE VOLUME OF SPACE by utilizing this domain name properly. Its what sets an integral to start moving leads to imaginary numbers, Querteronians…..

My best guess is a SUPER WIFIMAXX COMPUTER OR “baby QUANTUM” computer using just Quibits FOR EXTRA COMPUTATIONAL POWER

Avatar no thanks says:
Oh boy, way to go completely down the wrong path. 1e100 is 1*10^100, where “e” is just a convention for scientific notation. It is not related to the mathematical constant “e” that is the base of the natural logarithm.
Avatar Mikael Isaksson says:
Occasionally Fallout 4 crasches when changing area. Everytime that happens, and I don’t know if this is the cause or a respons to the crasch, but every time that happens, steam.exe sends several hundreds of megabyte to an adress such as this. But Fallout just become unresponsive and has to be forcibly shut down.
Avatar Drew says:
Those interested can buy the 1e100.net away from google, it expires on: Registrar Registration Expiration Date: 2019-09-24T22:40:03-0700. Hmmm, I wonder if you could reserve it from the 25th of September and on….. >;)
Avatar no thanks says:
That’s now how this works… there is zero chance they won’t continue to renew the domain.
Avatar Cybershield Cyberguard says:
“ET ATTACK_RESPONSE Microsoft CScript Banner Outbound” being detected to f27.1e100.net and not entirely sure why the sig matches what Google is doing. 1e100.net shows registered to Google but Registrar is markmonitor.com who specializes in brand protection. Curious what is really going on but no time to dig deeper.
Avatar jiamei says:
using ie 11 and no network activity that I can see in network resource monitor
Avatar Tiago Paolini says:
Just in case someone is interested, here is the official satement from Google about this domain:
http://support.google.com/bin/answer.py?hl=en&answer=174717
Avatar Michael says:
> …it’s not spyware or malware. It’s Google…

Well, who says that Google isn’t spying on you anyway. Just because it’s Google doesn’t mean it’s can’t or won’t be used against you.

Avatar Randy says:
They are, Google tracks everything and every site.
Avatar Agua Loca SL says:
found 12 names for the MX servers for ESTAFADORES agualoca.es: TIMO gy-in-f27.1e100.net, alt1.aspmx.l.google.com, bw-in-f27.1e100.net, qy-in-f27.1e100.net, aspmx2.googlemail.com, iw-in-f27.1e100.net, aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, aspmx4.googlemail.com, ww-in-f27.1e100.net, and alt2.aspmx.l.google.com. (A single machine may go by more than one hostname. All of them are shown.)
Avatar d0ug says:
you will see that domain when you start firefox… you know.. the default google search page that loads when you first start google?
Avatar Jad says:
Forget Google, try DuckDuckGo. duckduckgo.com
Avatar Biswajit says:
Well why actually google is using 1e100.net for is quite unknown, but i checked out the above link to find out, what is the link between google and 1e100
Avatar Jim Cooper says:
A ‘google’ is the name for the number that is one with 100 zeros… similar to Tera .. and Mega … we’re just not used to dealing with numbers quite that big … YET ..
Avatar mxm says:
You can see the 1e100.net also if you 'ping http://www.google.com'(and of course by using nslookup/dig but that's geeky stuff ;-)
Avatar TechnoShaman says:
PING showed me nothing of the sort. I think you mean to say, “Do a TRACEROUTE”, as in
tracert http://www.google.com
(leave off the http:// stuff, it is not the proper syntax for this)
which for me leads to a series of anonymous servers along the path… rather odd.
For those unfamiliar with this “geeky stuff”, these are DOS-like commands you use in a Command Window in Windows: CMD.EXE followed by TRACERT and the NAME or ADDRESS you wish to inquire about, which does not have to be an http type name or address:
tracert google.com
works just fine (but checks a slightly different address).

Regards, etc.

Avatar no thanks says:
It’s POSIX, not DOS…
Avatar N0ah says:
i'm also getting this for port 993 (i think it's an imap thing or something as i'm usinng google for email hosting and stuff)
Avatar Oliver Slay says:
GoogleMail, Blogger, GTalk … all appear to open connections to 1e100 …
Avatar confi says:
ekrn.exe (nod32 antivirus) keeps connecting to 1e100…

ekrn.exe:296 TCP 192.168.*.*:* 74.125.127.147:80 ESTABLISHED

74.125.127.149 resolves to
“pz-in-f149.1e100.net”
Top Level Domain: “1e100.net”
Country IP Address: UNITED STATES

Avatar Jim Cooper (of course) says:
I wonder who has the job of dreaming up all the sub-domain and sub-sub-domain names to use with 1e100.net … : ))
Avatar helpful_zombie says:
First of all, they’re randomly generated. Second of all, there is no sub-sub domains.
Avatar Nick says:
You’re right that the googol has one hundred zeros but your scientific notation is off. 10*10^100 is 1e101, whereas a googol is 1*10^100 (or just 10^100 or 1e100).
Avatar doesprivacyexist says:
haha Googol. officially it’s caching or attack site verification (a “service”, but personally i think it’s to collect info on habbits… Cheaper then phoning ppl for inquiries and big money it is. Yet nobody hangs up when google is phoning you ;)… Stange. Anyhow if you’re up to it: Best learn about how to get rid of flash cookies and read about unique id’s, afterwards never visit google, youtube, etc… (yes they are the same) Don’t forget to also set search bar to something different then google too if using firefox. Maybe check out http://www.scroogle.org/cgi-bin/scraper.htm :-)

As a final note, I want to mention, if it will not be google, it will be another. Get used to it or don’t use internet

Avatar toddboyle says:
OK thanks for all the information.

Where can I get a utility to BLOCK GOOGLE EVERYTHING?

How hard is that. Sheesh. GIVE ME THE UTILITY.

Avatar DOna says:
SterJo NetStalker will block the connection attempts from the 1e100 remote host unless you update the policy file to mark it acceptable. So far I have not marked this one Accept in the policy file, with no problems being caused that I can detect. NetStalker notifies me of the address that was blocked and I have the option to “resolve host” to see who owns the address. All connections are shown in the daily log and a daily history of GB received and sent and number of blocked attempts. There is a premium version that saves a detailed daily log of connections – or some such additional feature – but I use the freebie. Pretty cool – maybe some people don’t know about it.
Avatar Mel says:
Excellent information….I agree with Jase. Sadly, its becoming harder to stay one step ahead of the unethical.
Avatar Jase says:
is google the new microsoft?

first we had microsft everything, now it’s google everything.

Avatar Rich Menga says:
You are definitely not the first person to say that. :)
Avatar José says:
Microsoft still charges for his operative system / office suit. Still doesn’t release it’d code.
Avatar aaa says:
Neither does Google, and it charges by putting ads everywhere

Leave a Reply

Your email address will not be published. Required fields are marked *


Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.