Educause Security Discussion mailing list archives

Re: Google "unusual traffic" captcha


From: Alex Keller <axkeller () STANFORD EDU>
Date: Thu, 10 Sep 2015 17:42:17 +0000

Hi James,

Google has many public facing IPs, so focusing on a single IP isn't going to tell the full story. Filtering on the 
Google ASN or IP range therein would cast a wider net.

The client in question may be performing automated searches using a spelunking app like SearchDiggity 
(http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/). Such tools have various throttling 
controls and it is quite possible that it will be difficult to identify by query volume alone (but it is probably worth 
a shot).

Wireshark, tcpdump, etc. are great for troubleshooting issues in real-time, provided you can reliably replicate the 
issue or know it is happening at that moment... but it can be cumbersome if you are trying to monitor network flows for 
a longer period of time and are intending to catch intermittent behavior.

I can recommend Argus for netflow capture (http://qosient.com/argus/), but there are many open source and commercial 
products in this space.

Good luck!
Alex 
Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421
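To make the two points above concrete (filter on the whole address range rather than one IP, and look at per-host connection rate over a longer flow capture rather than a live packet trace), here is an added example, not part of Alex's message or of the Argus project. It reads constructed flow records in a CSV layout resembling what the Argus `ra` client prints, matches destinations against a list of prefixes (documentation/TEST-NET prefixes stand in for the real Google ASN ranges, which you would fill in from your own routing data), and reports the peak number of web connections each internal host makes to those ranges per minute. The threshold, window size and sample hosts are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Destination prefixes standing in for the search engine's address ranges.
# These are documentation/TEST-NET placeholders, not real Google ranges; in
# practice fill this list from the ASN's advertised prefixes so the filter is
# not tied to a single IP.
SEARCH_ENGINE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _build_sample_flows():
    """Constructed flow records, one per line, in a CSV layout resembling
    `ra -c , -s stime proto saddr sport daddr dport bytes` over an Argus file:
    epoch start time, protocol, source addr/port, destination addr/port, bytes."""
    base = 1441875600  # constructed epoch timestamp (10 Sep 2015 09:00 UTC)
    rows = []
    # 10.1.2.3: 25 HTTPS connections to a watched address within one minute
    rows += [f"{base + 2 * i},tcp,10.1.2.3,{50000 + i},203.0.113.10,443,1500" for i in range(25)]
    # 10.1.2.4: 3 connections spread over a minute, ordinary interactive use
    rows += [f"{base + 15 * i},tcp,10.1.2.4,{51000 + i},203.0.113.11,443,2200" for i in range(3)]
    # 10.1.2.5: busy, but to an address outside the watched ranges
    rows += [f"{base + i},tcp,10.1.2.5,{52000 + i},192.0.2.7,443,900" for i in range(30)]
    return "\n".join(rows) + "\n"


SAMPLE_FLOWS = _build_sample_flows()


def parse_flows(text):
    """Turn the CSV text into dicts; skip blank or malformed lines instead of crashing."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        stime, proto, saddr, sport, daddr, dport, nbytes = parts
        try:
            flows.append({
                "stime": float(stime),
                "proto": proto,
                "saddr": saddr,
                "daddr": ipaddress.ip_address(daddr),
                "dport": int(dport),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # unparsable address or number: ignore the record
    return flows


def to_watched_range(ip):
    """True if the destination falls inside any of the watched prefixes."""
    return any(ip in net for net in SEARCH_ENGINE_PREFIXES)


def connections_per_window(flows, window_seconds=60, ports=(80, 443)):
    """Count web connections per (source host, time window) to the watched ranges."""
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in ports or not to_watched_range(f["daddr"]):
            continue
        bucket = int(f["stime"] // window_seconds) * window_seconds
        counts[(f["saddr"], bucket)] += 1
    return counts


def peak_rate_by_host(counts):
    """Reduce the per-window counts to each host's busiest window."""
    peaks = defaultdict(int)
    for (saddr, _bucket), n in counts.items():
        peaks[saddr] = max(peaks[saddr], n)
    return dict(peaks)


def suspicious_hosts(flows, threshold=10, window_seconds=60):
    """Hosts whose peak connection rate to the watched ranges exceeds the threshold."""
    peaks = peak_rate_by_host(connections_per_window(flows, window_seconds))
    return sorted(h for h, n in peaks.items() if n > threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, n in sorted(peak_rate_by_host(connections_per_window(flows)).items()):
        print(f"{host}: peak {n} connections/min to watched ranges")
    print("above threshold:", suspicious_hosts(flows))
```

On real data you would pipe `ra` output from a rolling Argus capture into `parse_flows` and run the report daily, so an intermittent burst that a live Wireshark session would miss still shows up as a spike in one host's peak window. Tune the threshold against a baseline of normal browsing; as Alex notes, a throttled tool may stay under any reasonable threshold, in which case the per-host breakdown is still useful for narrowing where to look.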


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Blackwood, James
Sent: Thursday, September 10, 2015 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Google "unusual traffic" captcha

We’ve been getting this off and on for the past couple of days.  I’ve seen it once before a year or two ago but it 
resolved itself.  I get that there must be something on our network that Google has decided is making automated search 
requests which is a violation of their terms of service.  

I created a port monitor on our internet firewall and looked at the traffic destined for 215.58.219.164 (www.google.com 
based on my DNS lookup) using Wireshark and see, as expected, a ton of traffic but not necessarily a ton of traffic 
from a single host.  Does anyone have any pointers on what specifically to look for?

Thanks,
James

James Blackwood 
Director of Information Technology
Chief Security Officer
LaGrange College

(706) 880-8050  phone
(706) 880-8055 fax
jblackwood () lagrange edu

601 Broad St., LaGrange, GA 30240
www.lagrange.edu

