He has an IP address that translates to 700 addresses in his customer
base. He doesn't record sessions. He doesn't have what's needed to
track an individual customer down. Probably wouldn't matter if he
only had 27 customers behind the IP address.
On 6/19/20 9:37 AM, Mike Hammett wrote:
You have the source IP, port, and time. What more do you need to
determine who's doing it?
I'm assuming you're NATing customers at the router in question.
-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>
------------------------------------------------------------------------
*From: *"Christopher Tyler" <ch...@totalhighspeed.net>
*To: *"AnimalFarm Microwave Users Group" <af@af.afmug.com>
*Sent: *Friday, June 19, 2020 10:59:30 AM
*Subject: *[AFMUG] Issue with Google
So the other day we got an email (excerpt below) from Google's
automated tool...
We are seeing automated scraping of Google Web Search from a large
number of your IPs. Automated scraping violates our /robots.txt file
and also our Terms of Service. We request that you terminate this
traffic immediately. Failure to do so may cause your network to be
blocked by our abuse systems.
To allow you to identify the traffic, we are providing a list of
your IPs they used today (Source field), as well as the most common
destination (Google) IP and port and a timestamp of a recent request
(in UTC) to aid in your identification. Note that this list may not
be exhaustive, and we request that you terminate all such traffic, not
just traffic from IPs in this list.
All of the destination ports (to Google) are either 80 or 443, so they
at least appear to be legit web traffic on the surface. They are
obviously spoofed IP addresses as there are network addresses in the
list and the IP belongs to a router that doesn't appear to be
compromised in any way. The initial letter included 700+ IP addresses
from our network.
It's now affecting our customers as they are now getting CAPTCHAs for
every couple of Google searches that they perform.
Does anyone know of a good way to track the perpetrator(s) down and/or
know of a way to mitigate this?
--
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE
Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com
--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
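
Added example, not part of the thread and not any poster's code: a sketch of the correlation the thread is arguing about, matching the fields the notice supplies (source public IP, destination IP and port, UTC timestamp) against NAT session records. The log layout, addresses, function names and the 120-second window are assumptions made for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed NAT session log; the CSV layout is hypothetical, not a router's format:
# start_utc,inside_ip,public_ip,public_port,dst_ip,dst_port
NAT_LOG = """\
2020-06-18T14:02:11Z,10.20.1.15,198.51.100.7,40112,203.0.113.80,443
2020-06-18T14:02:40Z,10.20.1.22,198.51.100.7,40377,203.0.113.80,443
2020-06-18T14:10:05Z,10.20.1.15,198.51.100.8,51200,203.0.113.80,443
2020-06-18T14:10:20Z,10.20.1.22,198.51.100.8,51877,192.0.2.10,443
2020-06-18T14:31:50Z,10.20.1.15,198.51.100.9,33010,203.0.113.80,80
2020-06-18T16:45:00Z,10.20.3.9,198.51.100.7,40990,203.0.113.80,443
"""

# Constructed report rows in the shape the notice describes:
# (source public IP, destination IP, destination port, UTC timestamp)
REPORT = [
    ("198.51.100.7", "203.0.113.80", 443, "2020-06-18T14:02:30Z"),
    ("198.51.100.8", "203.0.113.80", 443, "2020-06-18T14:10:00Z"),
    ("198.51.100.9", "203.0.113.80", 80, "2020-06-18T14:32:00Z"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_sessions(log_text):
    sessions = []
    for start, inside, public, pport, dst, dport in csv.reader(io.StringIO(log_text)):
        sessions.append({"start": parse_ts(start), "inside": inside, "public": public,
                         "pport": int(pport), "dst": dst, "dport": int(dport)})
    return sessions

def candidates(sessions, report, window_s=120):
    """Per inside IP, count how many reported rows it could explain.
    Only session start times are compared (an assumption of this sketch)."""
    window = timedelta(seconds=window_s)
    hits = Counter()
    for src, dst, dport, ts in report:
        when = parse_ts(ts)
        # No source port in the report, so several customers can match one row;
        # each inside IP is counted once per row and ranked across all rows.
        hits.update({s["inside"] for s in sessions
                     if s["public"] == src and s["dst"] == dst and s["dport"] == dport
                     and abs(s["start"] - when) <= window})
    return hits.most_common()

if __name__ == "__main__":
    for inside_ip, rows in candidates(load_sessions(NAT_LOG), REPORT):
        print(f"{inside_ip} could explain {rows} of {len(REPORT)} reported rows")
```

Without recorded sessions there is nothing to feed `load_sessions`, which is the limitation raised at the top of the thread.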