27

While analysing a DDoS attack on my site using the Cloudflare console, I've noticed that many attack requests come from AS139190 GOOGLE-AS-AP Google Asia Pacific Pte. Ltd. with an empty user agent.

I'm wondering how Google is exploited to attack my site?

blnks

2 Answers

54

Most likely someone using Google's Cloud Platform (GCP). They have a page here where you can report abuse on their platform.

Dan
  • Thanks for the tip. I've submitted a report. However, I'm wondering: do they actually investigate? And what does Google do with attacking IPs? – blnks Oct 25 '21 at 19:09
  • 15
    Yes, Google definitely investigates abuse cases, though I can't say how many of the reports turn into investigations. They will look into it and if they determine there was abuse, they will most likely terminate the account that spun up the infrastructure used. The IP itself belongs to a large pool that Google controls and will be given back out to another customer when and if the current user is terminated. – Dan Oct 25 '21 at 19:15
  • 1
    @blnks: If you want to try and block the attack server side, you may find [this information](https://cloud.google.com/compute/docs/faq#find_ip_range) useful as well. – Kevin Oct 26 '21 at 03:41
  • 7
    Google would most likely involve some level of machine learning to deal with abuse so your reports will actually make their automated system better, even if no investigation happens. One way or another it'll address the issue better than ignoring it. – Nelson Oct 26 '21 at 03:51
  • 33
    @blnks People running DDoS attacks via cloud computing providers like GCP rarely intend to pay for those resources they use. Either because they hack into badly secured VMs of paying customers or because they pay using stolen credit card numbers. It's in Google's interest to stop these, because they result in disputed charges, which in turn either mean lost income or human hours being used to resolve those disputes. – Philipp Oct 26 '21 at 12:43
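
An added example (not written by any of the posters above): one way to do the server-side filtering that Kevin's comment points to, counting requests that come from a provider's published ranges and carry no user agent. The range list, request records and function names are constructed for illustration; the JSON layout is assumed to match the range file Google publishes, and treating `-` as an empty user agent is an assumption about the log format.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the assumed shape of Google's published range file.
# The prefixes are documentation-only ranges, not real Google ranges.
SAMPLE_RANGES = json.loads("""
{"prefixes": [
  {"ipv4Prefix": "203.0.113.0/24", "service": "Google Cloud", "scope": "asia-southeast1"},
  {"ipv6Prefix": "2001:db8:4000::/40", "service": "Google Cloud", "scope": "asia-southeast1"}
]}
""")

# Constructed request records: (client IP, User-Agent header value or None).
SAMPLE_REQUESTS = [
    ("203.0.113.17", ""),
    ("203.0.113.17", None),
    ("203.0.113.90", "-"),
    ("203.0.113.5", "Mozilla/5.0"),   # in range, but has a user agent
    ("198.51.100.7", ""),             # empty user agent, but outside the ranges
    ("2001:db8:4000::1", ""),
    ("not-an-ip", ""),                # malformed field, skipped
]

def load_networks(doc):
    """Turn the 'prefixes' entries into ip_network objects (IPv4 and IPv6)."""
    nets = []
    for entry in doc.get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets

def is_empty_ua(ua):
    """True when the header is missing, blank, or logged as '-'."""
    return ua is None or ua.strip() in ("", "-")

def flag_requests(requests, networks):
    """Count requests per source IP that match a listed range and have no user agent."""
    hits = Counter()
    for ip_text, ua in requests:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not a parseable address
        in_range = any(ip.version == n.version and ip in n for n in networks)
        if in_range and is_empty_ua(ua):
            hits[str(ip)] += 1
    return hits
```

Requiring both conditions keeps ordinary traffic from the same provider, such as requests that do send a user agent, out of the count.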
3

If it really is a DDoS and not a malfunctioning script on Google's side, I can hazard a guess that it may come from Google cloud services provided to a client.

David Min