Re: Stop IPv6 Google traffic

[Damian Menscher via NANOG <nanog () nanog org>]

Sorry to hear your legitimate users are impacted by captchas when trying to
use Google web search.  This can happen when you have significant amounts
of abuse coming from your network.  If switching to IPv4 means having more
users share IPs, it could make the problem worse.  Instead, let's try to
quickly address the IPv6 issue.

Please send me your IP allocation policy (off-list is fine).  For example
(guessing from the list at
http://bgp.he.net/search?search%5Bsearch%5D=netassist&commit=Search):

  - 2a01:d0::/32 is allocated by /48
  - 2a01:d0:8000::/33 is allocated by /56
  - 2001:67c:1874::/48 is allocated by /64
  - ... etc (IPv4 allocation is appreciated as well, if you also provide
customers with large ranges there)

I can then give that hint to our automated abuse systems, which will both
make it easier for us to catch your abusive customers, and also to avoid
over-blocking of your AS.

Damian
-- 
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169

On Sun, Apr 10, 2016 at 7:46 AM, Max Tulyev <maxtul () netassist ua> wrote:

> Every have /56 or /48, depending on type of service. All our /32
> allocation is affacted.
>
> On 10.04.16 17:35, Chuck Anderson wrote:
> > Assign your customers larger v6 prefixes so one customer's bad
> > behavior doesn't affect the others?
> >
> > On Sun, Apr 10, 2016 at 05:27:53PM +0300, Max Tulyev wrote:
> > > The problem is IPv6-enabled customers complaints see captcha, and Google
> > > NOC refuses to help solve it saying like find out some of your customer
> > > violating some of our policy. As you can imagine, this is not possible.
> > >
> > > So, the working solutions is either correctly cut IPv6 to Google, or cut
> > > all IPv6 (which I don't want to do).
> > >
> > > On 10.04.16 17:17, Mike Hammett wrote:
> > > > I think the group wants to know what problem you're trying to solve.
> Obviously if you block something, there will be a timeout in getting to it.
> > > > What is broken that you're trying to fix by blackholing them?
> > > >
> > > >
> > > >
> > > >
> > > > -----
> > > > Mike Hammett
> > > > Intelligent Computing Solutions
> > > > http://www.ics-il.com
> > > >
> > > >
> > > >
> > > > Midwest Internet Exchange
> > > > http://www.midwest-ix.com
> > > >
> > > >
> > > > ----- Original Message -----
> > > >
> > > > From: "Max Tulyev" <maxtul () netassist ua>
> > > > To: nanog () nanog org
> > > > Sent: Sunday, April 10, 2016 9:07:47 AM
> > > > Subject: Re: Stop IPv6 Google traffic
> > > >
> > > > Customers see timeouts if I blackhole Google network. I looking for
> > > > alternatives (other than stop providing IPv6 to customers at all).
> > > >
> > > > On 10.04.16 16:50, Valdis.Kletnieks () vt edu wrote:
> > > > > On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said:
> > > > >
> > > > > > I need to stop IPv6 web traffic going from our customers to Google
> > > > > > without touching all other IPv6 and without blackhole IPv6 Google
> > > > > > network (this case my customers are complaining on long timeouts).
> > > > > >
> > > > > > What can you advice for that?
> > > > >
> > > > > Umm.. fix the reasons why they're seeing timeouts? :)
> > > > >
> > > > > Have you determined why the timeouts are happening?