It is a Mikrotik router. Nothing appears to be out of the ordinary.

--
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com

----- Original Message -----
> From: "Ken Hohhof" <af...@kwisp.com>
> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> Sent: Friday, June 19, 2020 11:53:21 AM
> Subject: Re: [AFMUG] Issue with Google
>
> Normally you can't spoof source addresses for TCP connections; the return
> traffic would go to the real IP, unless there's some exotic BCP hijack
> involved.
>
> Are you sure that your router has not been compromised and a proxy server
> installed? Like SOCKS if it's a Mikrotik?
>
> -----Original Message-----
> From: AF <af-boun...@af.afmug.com> On Behalf Of Christopher Tyler
> Sent: Friday, June 19, 2020 11:46 AM
> To: AnimalFarm Microwave Users Group <af@af.afmug.com>
> Subject: Re: [AFMUG] Issue with Google
>
> Yes, NAT is in play here. I just now increased the NAT pool to 128 addresses
> based on TJ's theory that the NAT pool might be too small.
>
> The source IPs seem to be spoofed or proxied somehow, as the first IP
> address in the list from Google is our ARIN /20 network address (x.x.0.0)
> and I find it hard to believe that our gateway router is scraping Google for
> content.
>
> ----- Original Message -----
>> From: "afmug" <af...@ics-il.net>
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> Sent: Friday, June 19, 2020 11:37:58 AM
>> Subject: Re: [AFMUG] Issue with Google
>>
>> You have the source IP, port, and time. What more do you need to
>> determine who's doing it?
>>
>> I'm assuming you're NATing customers at the router in question.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions, http://www.ics-il.com/
>> Midwest Internet Exchange, http://www.midwest-ix.com/
>> The Brothers WISP, http://www.thebrotherswisp.com/
>>
>> From: "Christopher Tyler" <ch...@totalhighspeed.net>
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> Sent: Friday, June 19, 2020 10:59:30 AM
>> Subject: [AFMUG] Issue with Google
>>
>> So the other day we got an email (excerpt below) from Google's automated
>> tool...
>>
>> We are seeing automated scraping of Google Web Search from a large
>> number of your IPs. Automated scraping violates our /robots.txt file
>> and also our Terms of Service. We request that you terminate this
>> traffic immediately. Failure to do so may cause your network to be
>> blocked by our abuse systems.
>>
>> To allow you to identify the traffic, we are providing a list of your
>> IPs they used today (Source field), as well as the most common
>> destination (Google) IP and port and a timestamp of a recent request
>> (in UTC) to aid in your identification. Note that this list may not be
>> exhaustive, and we request that you terminate all such traffic, not
>> just traffic from IPs in this list.
>>
>> All of the destination ports (to Google) are either 80 or 443, so they
>> at least appear to be legit web traffic on the surface. They are
>> obviously spoofed IP addresses, as there are network addresses in the
>> list and the IP belongs to a router that doesn't appear to be
>> compromised in any way. The initial letter included 700+ IP addresses
>> from our network.
>>
>> It's now affecting our customers, as they are now getting CAPTCHAs for
>> every couple of Google searches that they perform.
>>
>> Does anyone know of a good way to track the perpetrator(s) down and/or
>> know of a way to mitigate this?

--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
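
An added example, not part of the thread or written by any of its participants: one way to act on the point that a reported source IP and timestamp identify a subscriber behind NAT, while setting aside reported sources that are not NAT pool addresses at all (such as the network address mentioned above). The report rows, the NAT log layout, the pool and every address are constructed for illustration; only the report fields (source IP, Google IP and port, UTC timestamp) come from the quoted excerpt.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation/private ranges), not from the thread.
NAT_POOL = ip_network("203.0.113.128/25")  # assumed 128-address NAT pool
# Abuse report rows: (source IP, Google IP, port, UTC timestamp of a request)
REPORT = [
    ("203.0.113.130", "198.51.100.10", 443, "2020-06-18T14:02:11"),
    ("203.0.113.131", "198.51.100.10", 80, "2020-06-18T14:05:40"),
    ("203.0.113.0", "198.51.100.10", 443, "2020-06-18T14:07:02"),
]
# Assumed NAT log layout: (start UTC, end UTC, inside IP, public IP, dest IP, dest port)
NAT_LOG = [
    ("2020-06-18T14:02:09", "2020-06-18T14:02:15", "10.20.1.57", "203.0.113.130", "198.51.100.10", 443),
    ("2020-06-18T14:02:10", "2020-06-18T14:02:12", "10.20.3.8", "203.0.113.130", "192.0.2.77", 443),
    ("2020-06-18T13:00:00", "2020-06-18T13:00:05", "10.20.1.57", "203.0.113.131", "198.51.100.10", 80),
]
SKEW = timedelta(seconds=2)  # tolerance for clock drift between the two sources


def correlate(report, nat_log, pool, skew=SKEW):
    """Map each reported row to inside hosts, or record why it cannot be mapped."""
    results = []
    for src, dst, port, ts in report:
        when = datetime.fromisoformat(ts)
        if ip_address(src) not in pool:
            # Not a translated address, so NAT logs cannot explain it; the
            # device holding this address has to be inspected directly.
            results.append((src, "not-in-nat-pool", []))
            continue
        hosts = sorted({
            inside
            for start, end, inside, pub, d_ip, d_port in nat_log
            if pub == src and d_ip == dst and d_port == port
            and datetime.fromisoformat(start) - skew <= when
            <= datetime.fromisoformat(end) + skew
        })
        results.append((src, "matched" if hosts else "no-nat-record", hosts))
    return results


if __name__ == "__main__":
    for row in correlate(REPORT, NAT_LOG, NAT_POOL):
        print(row)
```

A "no-nat-record" result means the logs do not cover that flow, which is worth resolving (log retention, clock offset) before drawing conclusions about the source.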