We are a small Internet provider. In order to get Internet access we are using NAT (10-20 users per one public IP). Lately we've met with Google blocking services (captcha and full block), and we were unable to find a proper solution for our users. Unfortunately we couldn't find any official recommendations and instructions from Google explaining how an ISP administrator may solve the problem. All that we've managed to find was possible causes of the blocking and methods that may be used by our clients. But we would like to have an opportunity to fix this problem globally and save our clients from the trouble of having to deal with it on their own.

The first idea is to capture packets from users with destination IP google.com (and your local Google domain). If something on a user's PC is flooding Google, then it generates many packets.

Example:

# Find the google.com IP
$ host google.com
google.com has address 216.58.209.206
# The local google.com.ua has an IP in the same network, 216.58.209.0/24

# Capture 50k packets with a Google IP as destination
$ sudo tcpdump -i eth0 -nn dst net 216.58.209.0/24 -c 50000 > /tmp/dump.txt
# Parse the dump file and find the top 10 sources (field 3 is src.port, so the second awk drops the port)
$ awk '{print $3}' /tmp/dump.txt | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head

    528 172.30.138.128
    473 172.30.137.173
    382 172.30.138.117
    334 172.30.138.34
    312 172.30.137.211
    227 172.30.136.50
    204 172.30.138.220
    192 172.30.139.34
    170 172.30.137.217
    154 172.30.138.96

But this method doesn't work properly. It gives random results; it seems like normal user work. In forums I found information that Google's system has a complicated unusual-traffic detection algorithm based on what exactly you are searching for on Google.

Maybe someone has solved this problem? Or you know how it can be solved? How can I find unusual traffic coming to Google on my Linux gateway?

Konrad Gajewski
Alex
    Let me introduce you to my friend IPv6. :) Seriously, all of Google's services are available via v6. Get yourself a v6 allocation and stop using NAT for your users. This will solve your problem. – EEAA Sep 09 '15 at 16:55
  • google.com doesn't have one single IP, it's distributed around. And Google services are quite integrated, it might (plausibly) not be traffic to google.com which causes the captcha, but traffic to some other Google service. – TessellatingHeckler Sep 09 '15 at 16:59
  • @EEAA Yes, we think about it. – Alex Sep 09 '15 at 17:01
  • @TessellatingHeckler Yesterday nslookup showed me 8 IPs, today only one. I know that Google uses a CDN and something like round-robin, but it provides IPs from one /24 network. – Alex Sep 09 '15 at 17:08
  • Something like [ntopng](http://www.ntop.org/products/traffic-analysis/ntop/) will get you much further in traffic analysis than `tcpdump` and `awk`. Kudos for the effort, though. – Aaron Copley Sep 09 '15 at 17:22
  • You should have already deployed IPv6 to your customers, _before_ deploying large-scale NAT. With IPv6, everyone will access Google via IPv6 and with unique addresses. – Michael Hampton Sep 09 '15 at 20:45
  • @AaronCopley I tried it, but it is not for high-load Linux gateways (I have a lot of dropped packets); for a small network it is OK. – Alex Sep 12 '15 at 19:19
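The question's own pipeline only counts packets per source, which, as the asker notes, looks like normal use. An added example (not from the original post, and not anything Google publishes) that parses `tcpdump -nn` text on the gateway and instead counts new TCP connections (pure SYN) per internal source, flagging sources whose connection count is a heuristic outlier against the median; the sample dump, the regular expression and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample of `tcpdump -i eth0 -nn dst net 216.58.209.0/24` output
# (not a real capture): one source opens a new connection on every packet.
SAMPLE_DUMP = """\
16:55:01.000100 IP 172.30.138.128.51000 > 216.58.209.206.443: Flags [S], seq 1, win 64240, length 0
16:55:01.000200 IP 172.30.138.128.51001 > 216.58.209.206.443: Flags [S], seq 2, win 64240, length 0
16:55:01.000300 IP 172.30.138.128.51002 > 216.58.209.206.443: Flags [S], seq 3, win 64240, length 0
16:55:01.000400 IP 172.30.138.128.51003 > 216.58.209.206.443: Flags [S], seq 4, win 64240, length 0
16:55:01.000500 IP 172.30.138.128.51004 > 216.58.209.206.443: Flags [S], seq 5, win 64240, length 0
16:55:01.100000 IP 172.30.137.173.40000 > 216.58.209.206.443: Flags [P.], seq 1:100, ack 1, win 500, length 99
16:55:01.200000 IP 172.30.137.173.40000 > 216.58.209.206.443: Flags [.], ack 200, win 500, length 0
16:55:01.300000 IP 172.30.138.117.45000 > 216.58.209.206.443: Flags [S], seq 1, win 64240, length 0
"""

# Matches the tcpdump -nn TCP line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+: Flags \[([^\]]*)\]"
)

def per_source_stats(dump_text):
    """Count total packets and new-connection attempts (pure SYN) per internal source."""
    stats = defaultdict(lambda: {"packets": 0, "syn": 0})
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # non-TCP or truncated line: ignore it
            continue
        src, flags = m.group(1), m.group(2)
        stats[src]["packets"] += 1
        if "S" in flags and "." not in flags:   # "S" without ACK = client opening a connection
            stats[src]["syn"] += 1
    return dict(stats)

def flag_sources(stats, min_syn=3, factor=3.0):
    """Heuristic: sources whose SYN count is both >= min_syn and > factor x the median."""
    if not stats:
        return []
    med = median(s["syn"] for s in stats.values())
    return sorted(src for src, s in stats.items()
                  if s["syn"] >= min_syn and s["syn"] > factor * max(med, 1))

if __name__ == "__main__":
    import sys
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for src in flag_sources(per_source_stats(data)):
        print(src)
```

Run it as `python3 find_talkers.py < /tmp/dump.txt` against the capture from the question; without stdin it runs on the constructed sample.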

1 Answer


From personal experience, this is an issue concerning too many (legitimate or not) requests coming from one single IP.
This also happens to Tor exit nodes.
Go single address (I know, unlikely) or, even better, start providing proper IPv6 connectivity, and the problems for the legitimate users will go away.

ppparadox