
My server is being hit with thousands of connection requests per second from 74.125.170.60. I looked the IP address up on ARIN, and it's in a Google address block.

You searched for: 74.125.170.60

Network
Net Range           74.125.0.0 - 74.125.255.255
CIDR                74.125.0.0/16
Name                GOOGLE
Handle              NET-74-125-0-0-1
Parent              NET74 (NET-74-0-0-0-0)
Net Type            Direct Allocation
Origin AS        
Organization        Google Inc. (GOGL)
Registration Date   2007-03-13
Last Updated        2012-02-24
Comments        
RESTful Link        https://whois.arin.net/rest/net/NET-74-125-0-0-1
See Also            Related organization's POC records.
See Also            Related delegations.

From the ARIN page:

Point of Contact
Name               Abuse
Handle             ABUSE5250-ARIN
Company            Google Inc.
Street             1600 Amphitheatre Parkway
City               Mountain View
State/Province     CA
Postal Code        94043
Country            US
Registration Date  2015-11-06
Last Updated       2016-11-08
Comments           Please note that the recommended way to file abuse complaints are located in the following links.

                   To report abuse and illegal activity: https://www.google.com/intl/en_US/goodtoknow/online-safety/reporting-abuse/

                   For legal requests: http://support.google.com/legal

                   Regards,
                   The Google Team
Phone              +1-650-253-0000 (Office)
Email              network-abuse@google.com
RESTful Link       https://whois.arin.net/rest/poc/ABUSE5250-ARIN

I tried going to the indicated URL and got a 404 error. I tried calling the phone number and got a boppy voice saying "our offices are closed now, try reaching us through the Web."

I've sent email to network-abuse@google.com and got no response. I tried attaching a log file (9.4MB from a filtered tcpdump output for about a minute, bzip2 compressed to 719K), and Google's servers refused to accept the email.

I tried calling Verizon (my ISP) and after half an hour on the phone with their "tech support" person, all they could suggest was trying to block the traffic at my router, which isn't any better than blocking it with the firewall on my server as I'm already doing. I tried to tell the "tech support" person that I need to speak to someone in their NOC, but after she put me on hold and came back again, she was saying "we can tell you how to contact your router manufacturer..."

Is there a way for me to reach someone at the Internet IP layer who can block this traffic?

Is there an effective way for me to reach someone at Google who can take the attacking server offline?

Isn't Google supposed to have current and correct information in their records on ARIN?


EDIT

I used tcpdump | grep "74.125.170.60" > ~/history/2017-08-18.74.125.170.60.attack.tcpdump for a short time to create a log file during the attack. All of the entries were either targeted at one specific domain, which I have redacted to example.com, or to the server itself (Dreamer). Here are the first lines of the file:

00:35:47.900785 IP 74.125.170.60.60032 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.902549 IP 74.125.170.60.42109 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.903630 IP 74.125.170.60.25048 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.903702 IP 74.125.170.60.3412 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.904296 IP 74.125.170.60.35736 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.905065 IP 74.125.170.60.59975 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.905280 IP 74.125.170.60.38738 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.906168 IP 74.125.170.60.38518 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.907055 IP 74.125.170.60.rmc > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.908191 IP 74.125.170.60.35290 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.908845 IP 74.125.170.60.16059 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.908938 IP 74.125.170.60.40717 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.909064 IP 74.125.170.60.48521 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.909359 IP 74.125.170.60.42772 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.909526 IP 74.125.170.60.61289 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.909598 IP 74.125.170.60.340 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.909600 IP 74.125.170.60.31228 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.909974 IP 74.125.170.60.28242 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.910306 IP 74.125.170.60.36920 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.910974 IP 74.125.170.60.44033 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.911100 IP 74.125.170.60.63473 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.911695 IP 74.125.170.60.54654 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.912019 IP 74.125.170.60.32781 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.912101 IP 74.125.170.60.20249 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.912741 IP 74.125.170.60.16639 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.913240 IP 74.125.170.60.7023 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.913364 IP 74.125.170.60.20280 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.913546 IP 74.125.170.60.58903 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.913616 IP 74.125.170.60.18014 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.914039 IP 74.125.170.60.32919 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.914293 IP 74.125.170.60.63457 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.915976 IP 74.125.170.60.39601 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.916640 IP 74.125.170.60.7574 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.916711 IP 74.125.170.60.6825 > Dreamer.domain: 1+ TXT? github.com. (28)

and the last lines:

00:37:40.604887 IP 74.125.170.60.35576 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.605636 IP 74.125.170.60.100 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.605708 IP 74.125.170.60.15556 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.606242 IP 74.125.170.60.37610 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.607702 IP 74.125.170.60.33095 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.608644 IP 74.125.170.60.3311 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.610756 IP 74.125.170.60.25304 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.611034 IP 74.125.170.60.50931 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.611152 IP 74.125.170.60.38218 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.611731 IP 74.125.170.60.2596 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.612352 IP 74.125.170.60.35744 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.613339 IP 74.125.170.60.5825 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.615193 IP 74.125.170.60.10612 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.615872 IP 74.125.170.60.57806 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.616334 IP 74.125.170.60.25388 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.616438 IP 74.125.170.60.55827 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.616948 IP 74.125.170.60.35459 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.617421 IP 74.125.170.60.38407 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.618087 IP 74.125.170.60.18918 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.618260 IP 74.125.170.60.9969 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.618332 IP 74.125.170.60.65190 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.618333 IP 74.125.170.60.6016 > example.com.domain: 1+ TXT? github.com. (28)
00:37:40.618674 IP 74.125.170.60.37720 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.621551 IP 74.125.170.60.55976 > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.621810 IP 74.125.170.60.mac-srvr-admin > Dreamer.domain: 1+ TXT? github.com. (28)
00:37:40.623893 IP 74.125.170.60.7383 > Dreamer.domain: 1+ TXT? github.com. (28)

I did a line count on the file:

wc -l 2017-08-18.74.125.170.60.attack.tcpdump
  111894 2017-08-18.74.125.170.60.attack.tcpdump

As you can see, 111,894 hits occurred during the 112.723108 seconds the file was being written to, which is an average of approximately 992.645 hits per second. I discovered the problem approximately 11:25pm EDT, and it was still going at about 5:15am when I fell over from exhaustion. I have no reason to believe this rate was going up or down, which means my server was being pounded on approximately 21 million times during the nearly six hour interval while I was watching it.

When I got back to my server some hours later, the attack had stopped. I did not get any form of reply or acknowledgement from the email I had sent to network-abuse@google.com so I have no idea if Google did something to stop it or if it just went away on its own. I suspect what happened is someone set up a "rogue device" within the Google Cloud service to conduct the attack. How and why it stopped, though, is completely unclear, given the absolute dearth of feedback from the provider.

I am appalled that an attack like this can be set up and run without recourse because there is no communications channel available for reporting such problems, either at the source or on the network between there and here.

FKEinternet
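The capture above has a recognisable shape: one source address, one repeated question (TXT github.com), a fresh source port on every packet, and a rate the post works out by hand as 111,894 lines over 112.723108 seconds. The following is an added example, not code from the original post, that parses tcpdump lines in that format, reproduces the per-source rate calculation, flags sources that look like this flood, and emits a per-source rate-limit rule instead of a blanket block. The sample capture is constructed: five lines copied in the post's format plus one unrelated A query from 192.0.2.7 that the detector should leave alone. The detection thresholds and the iptables hashlimit rule are assumptions to adapt to the server, not anything the post specifies.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the post's tcpdump output. The five
# 74.125.170.60 lines mirror the post's capture (including a source port
# printed by name, "rmc"); the 192.0.2.7 line is an ordinary, unrelated
# A query added so the detector has benign traffic to ignore.
SAMPLE_CAPTURE = """\
00:35:47.900785 IP 74.125.170.60.60032 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.902549 IP 74.125.170.60.42109 > Dreamer.domain: 1+ TXT? github.com. (28)
00:35:47.903702 IP 74.125.170.60.3412 > example.com.domain: 1+ TXT? github.com. (28)
00:35:47.907055 IP 74.125.170.60.rmc > example.com.domain: 1+ TXT? github.com. (28)
00:35:48.100000 IP 192.0.2.7.51234 > Dreamer.domain: 4+ A? www.example.com. (33)
00:35:48.900785 IP 74.125.170.60.100 > Dreamer.domain: 1+ TXT? github.com. (28)
"""

# One tcpdump DNS query line in its default (name-resolving) output, as in the
# post: "<time> IP <src>.<sport> > <dst>.<dport>: <id>[+] [flags] <qtype>? <qname> (<len>)".
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s:]+): "
    r"(?P<qid>\d+)\+? (?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)


def parse_capture(text):
    """Return (records, unparsed_count). Each record holds the regex's named
    groups with 'ts' as a datetime; only differences between timestamps are
    used, so a capture that crosses midnight would need date handling added."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DNS_QUERY_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
        records.append(rec)
    return records, unparsed


def rate_per_second(count, seconds):
    """The arithmetic the post does by hand: queries divided by capture span.
    A span of zero (a single packet) is reported as count per second."""
    return count / seconds if seconds > 0 else float(count)


def summarize_by_source(records):
    """Per source IP: query count, span, average q/s, distinct source ports and
    the single most common (qtype, qname) with its share of that source's traffic."""
    by_src = {}
    for r in records:
        s = by_src.setdefault(r["src"], {"count": 0, "first": r["ts"], "last": r["ts"],
                                         "sports": set(), "questions": Counter()})
        s["count"] += 1
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
        s["sports"].add(r["sport"])
        s["questions"][(r["qtype"], r["qname"])] += 1
    summary = {}
    for src, s in by_src.items():
        span = (s["last"] - s["first"]).total_seconds()
        top_q, top_n = s["questions"].most_common(1)[0]
        summary[src] = {
            "count": s["count"],
            "span_seconds": span,
            "qps": rate_per_second(s["count"], span),
            "distinct_sports": len(s["sports"]),
            "top_question": top_q,
            "top_question_share": top_n / s["count"],
        }
    return summary


def flood_sources(summary, min_qps=100.0, min_queries=50, min_repeat_share=0.9):
    """Sources above min_qps whose traffic is dominated by one repeated question,
    the shape of the post's capture. Thresholds are assumed defaults to tune."""
    return sorted(src for src, s in summary.items()
                  if s["count"] >= min_queries and s["qps"] >= min_qps
                  and s["top_question_share"] >= min_repeat_share)


def hashlimit_rule(max_qps, burst=None):
    """iptables rule dropping UDP/53 from any single source above max_qps, a
    per-source limit rather than the blanket block described in the post.
    Assumes iptables with the hashlimit match (nftables would differ)."""
    burst = max_qps * 2 if burst is None else burst
    return (f"iptables -A INPUT -p udp --dport 53 -m hashlimit "
            f"--hashlimit-name dnsflood --hashlimit-mode srcip "
            f"--hashlimit-above {max_qps}/sec --hashlimit-burst {burst} -j DROP")


if __name__ == "__main__":
    records, unparsed = parse_capture(SAMPLE_CAPTURE)
    summary = summarize_by_source(records)
    for src, s in summary.items():
        print(f"{src}: {s['count']} queries, {s['qps']:.1f} q/s, "
              f"{s['distinct_sports']} source ports, top {s['top_question']} "
              f"({s['top_question_share']:.0%})")
    # The post's own figures: 111,894 lines over 112.723108 seconds.
    print(f"post's capture: {rate_per_second(111894, 112.723108):.3f} q/s")
    # Thresholds lowered to fit the six-line sample; the defaults suit a full capture.
    for src in flood_sources(summary, min_qps=4.0, min_queries=5):
        print("candidate for per-source rate limiting:", src)
    print(hashlimit_rule(100))
```

The regex is written for tcpdump's default output as shown in the post, where hostnames and well-known ports are resolved to names (hence "Dreamer.domain" and a source port printed as "rmc"); capturing with tcpdump -n instead keeps everything numeric and makes the parsing simpler. The hashlimit rule keys on source address, so ordinary resolvers querying at normal rates are unaffected while a single source at ~1000 q/s is dropped after its burst.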
  • No solution from me, just chiming in that we're having the same problem. – Matthew FitzGerald-Chamberlain Aug 18 '17 at 14:35
  • I'd like to know who downvoted this question, or more importantly, *why* – FKEinternet Aug 18 '17 at 20:59
  • 1
    By philosophy and design votes are anonymous and **neither voting [up](//serverfault.com/help/privileges/vote-up) nor voting [down](//serverfault.com/help/privileges/vote-down) requires any mandatory explanation**. The tooltip that appears when your mouse pointer hovers over the down button states: *"this question does not show any research effort; it is unclear or not useful"*. Also questions can attract a down vote when not [well written](http://meta.serverfault.com/a/3609/37681), not quite [on-topic](http://serverfault.com/help/on-topic) or missing details. – Jenny D Aug 19 '17 at 11:35
  • Unfortunately this question, while of obvious interest to many systems administrators, is still not a good fit for ServerFault. If you were asking about how to configure your **own** systems to mitigate the issue, you'd be on topic - but abuse issues with systems not controlled by you aren't. (As it happens, I do know someone at Google and have reached out to them. If you drop in to [the site chat room](https://chat.stackexchange.com/rooms/127/the-comms-room) I'll let you know if/when I get a response.) – Jenny D Aug 19 '17 at 11:37
  • @JennyD I wasn't sure if this was the right forum to ask this question, but I also didn't know of a better one. Do you have a suggestion in that regard? – FKEinternet Aug 19 '17 at 17:03
  • I'm afraid I don't know any better one directly. You might search through e.g. [Bugtraq](http://seclists.org/bugtraq/); there might be some better information. My usual standby abuse.net only gives `abuse@google.com` which you've already tried. There is also security.stackexchange.com - but again, this question might be closed as off-topic since they too are focused on your protecting your stuff rather than reporting someone else's. But maybe the chat room for that site might have some info. – Jenny D Aug 19 '17 at 17:15

1 Answer


Report abuse and illegal activity: you can report a Google Site if you think it violates one or more of their Program Policies.

https://support.google.com/legal/troubleshooter/1114905?rd%3D2#ts%3D1115658,1115699&ts=1115658

BradyM
    This attack isn't originating at a Google *site*, it's being done by a machine attached to Google's network - and it's still going on, more than 5 hours after I discovered it. – FKEinternet Aug 18 '17 at 08:33
  • Web sites are OSI layer 7, this attack is somewhere around 4 or 5, and I have my firewall blocking it at layer 3. – FKEinternet Aug 18 '17 at 08:42