Educause Security Discussion mailing list archives
Re: Google "unusual traffic" captcha
From: Alex Keller <axkeller () STANFORD EDU>
Date: Thu, 10 Sep 2015 17:42:17 +0000
Hi James,

Google has many public facing IPs, so focusing on a single IP isn't going to tell the full story. Filtering on the Google ASN or IP range therein would cast a wider net.

The client in question may be performing automated searches using a spelunking app like Search Diggity (http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/). Such tools have various throttling controls and it is quite possible that it will be difficult to identify by query volume alone (but it is probably worth a shot).

Wireshark, tcpdump, etc. are great for troubleshooting issues in real-time, provided you can reliably replicate the issue or know it is happening at that moment... But it can be cumbersome if you are trying to monitor network flows for a longer period of time and are intending to catch intermittent behavior.

I can recommend Argus for netflow capture (http://qosient.com/argus/), but there are many open source and commercial products in this space.

Good luck!
Alex

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blackwood, James
Sent: Thursday, September 10, 2015 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Google "unusual traffic" captcha

We’ve been getting this off and on for the past couple of days. I’ve seen it once before a year or two ago but it resolved itself. I get that there must be something on our network that Google has decided is making automated search requests, which is a violation of their terms of service.

I created a port monitor on our internet firewall and looked at the traffic destined for 215.58.219.164 (www.google.com based on my DNS lookup) using Wireshark and see, as expected, a ton of traffic but not necessarily a ton of traffic from a single host.

Does anyone have any pointers on what specifically to look for?

Thanks,
James

James Blackwood
Director of Information Technology
Chief Security Officer
LaGrange College
(706) 880-8050 phone
(706) 880-8055 fax
jblackwood () lagrange edu
601 Broad St., LaGrange, GA 30240
www.lagrange.edu
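An added example, not part of either message: one way to act on the advice above is to filter exported flow records on Google's address ranges rather than one IP, then rank internal clients by how many separate time buckets they were active in, so a throttled but steady client stands out even when its flow count is low. The CSV layout, the sample flows and the two prefixes are assumptions made for this sketch; substitute your collector's export format and the current prefixes for Google's ASN.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Illustrative prefixes only (assumption); load the current Google ranges in practice.
GOOGLE_NETS = [ip_network("216.58.192.0/19"), ip_network("172.217.0.0/16")]

# Constructed flow export: start time, internal source, destination, dest port.
SAMPLE_FLOWS = """\
2015-09-10T09:00:05,10.1.4.20,216.58.200.10,443
2015-09-10T09:00:06,10.1.4.20,216.58.200.10,443
2015-09-10T09:00:07,10.1.4.20,216.58.200.10,443
2015-09-10T09:00:08,10.1.4.20,216.58.200.10,443
2015-09-10T09:00:09,10.1.4.20,216.58.200.10,443
2015-09-10T09:02:00,10.1.7.33,172.217.3.4,443
2015-09-10T09:12:00,10.1.7.33,172.217.3.4,443
2015-09-10T09:22:00,10.1.7.33,172.217.3.4,443
2015-09-10T09:32:00,10.1.7.33,172.217.3.4,443
2015-09-10T09:05:00,10.1.9.9,93.184.216.34,443
"""

def to_google(dst):
    """True when the destination falls inside any configured Google prefix."""
    addr = ip_address(dst)
    return any(addr in net for net in GOOGLE_NETS)

def rank_clients(flow_csv, bucket_minutes=10):
    """Return (source, flow_count, active_buckets), most persistent first."""
    flows = defaultdict(int)
    buckets = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, dport = row
        if dport not in ("80", "443") or not to_google(dst):
            continue
        t = datetime.fromisoformat(ts)
        flows[src] += 1
        # Persistence: number of distinct time buckets with any Google flow.
        buckets[src].add((t.date(), t.hour, t.minute // bucket_minutes))
    rows = [(src, flows[src], len(buckets[src])) for src in flows]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)

if __name__ == "__main__":
    for src, count, active in rank_clients(SAMPLE_FLOWS):
        print(f"{src}: {count} flows across {active} ten-minute buckets")
```

In the constructed data the host with the most flows ranks second, because all of its traffic falls in a single bucket, while the slower host is active in every bucket.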
Current thread:
- Google "unusual traffic" captcha Blackwood, James (Sep 10)
- Re: Google "unusual traffic" captcha Alex Keller (Sep 10)
- Re: Google "unusual traffic" captcha Kevin Reedy (Sep 10)
- Re: Google "unusual traffic" captcha Velislav K Pavlov (Sep 10)
- Re: Google "unusual traffic" captcha Kevin Halgren (Sep 11)
- Re: Google "unusual traffic" captcha Carson, Larry (Sep 11)