No we are not pre-defining blocks at this time, I will look at implementing that, thank you.
-- Christopher Tyler Senior Network Engineer MTCRE/MTCNA/MTCTCE/MTCWE Total Highspeed Internet Solutions 1091 W. Kathryn Street Nixa, MO 65714 (417) 851-1107 x. 9002 www.totalhighspeed.com ----- Original Message ----- > From: "afmug" <af...@ics-il.net> > To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> > Sent: Friday, June 19, 2020 12:12:38 PM > Subject: Re: [AFMUG] Issue with Google > Are you pre-defining blocks, though? > > Inside IP Outside IP/Port range > 100.64.1.1 2.2.2.2:2000-2099 > 100.64.1.2 2.2.2.2:2100-2199 > 100.64.1.3 2.2.2.2:2200-2299 > I'd do more than 100 ports, but table is just meant to express the concept. > > Then you ALWAYS know IP:port to internal IP matching, without having to track > anything. > > > > ----- > Mike Hammett > [ http://www.ics-il.com/ | Intelligent Computing Solutions ] > [ https://www.facebook.com/ICSIL ] [ > https://plus.google.com/+IntelligentComputingSolutionsDeKalb ] [ > https://www.linkedin.com/company/intelligent-computing-solutions ] [ > https://twitter.com/ICSIL ] > [ http://www.midwest-ix.com/ | Midwest Internet Exchange ] > [ https://www.facebook.com/mdwestix ] [ > https://www.linkedin.com/company/midwest-internet-exchange ] [ > https://twitter.com/mdwestix ] > [ http://www.thebrotherswisp.com/ | The Brothers WISP ] > [ https://www.facebook.com/thebrotherswisp ] [ > https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg ] > > From: "Christopher Tyler" <ch...@totalhighspeed.net> > To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> > Sent: Friday, June 19, 2020 12:07:55 PM > Subject: Re: [AFMUG] Issue with Google > > That is how we are doing it for the most part. We still have a lot of old > 172.16.0.0/12 addresses that need to be converted to 100.64.0.0/10. We have > been and still are steadily working towards that goal though. > > -- > Christopher Tyler > Senior Network Engineer > MTCRE/MTCNA/MTCTCE/MTCWE > > Total Highspeed Internet Solutions > 1091 W. Kathryn Street > Nixa, MO 65714 > (417) 851-1107 x. 9002 > www.totalhighspeed.com > > ----- Original Message ----- >> From: "afmug" <af...@ics-il.net> >> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> >> Sent: Friday, June 19, 2020 12:00:18 PM >> Subject: Re: [AFMUG] Issue with Google > >> If you're NATing multiple customers behind a single IP address, do it this >> way: >> >> >> [ >> https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444 >> | >> https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444 >> ] >> >> >> >> ----- >> Mike Hammett >> [ http://www.ics-il.com/ | Intelligent Computing Solutions ] >> [ https://www.facebook.com/ICSIL ] [ >> https://plus.google.com/+IntelligentComputingSolutionsDeKalb ] [ >> https://www.linkedin.com/company/intelligent-computing-solutions ] [ >> https://twitter.com/ICSIL ] >> [ http://www.midwest-ix.com/ | Midwest Internet Exchange ] >> [ https://www.facebook.com/mdwestix ] [ >> https://www.linkedin.com/company/midwest-internet-exchange ] [ >> https://twitter.com/mdwestix ] >> [ http://www.thebrotherswisp.com/ | The Brothers WISP ] >> [ https://www.facebook.com/thebrotherswisp ] [ >> https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg ] >> >> From: "Christopher Tyler" <ch...@totalhighspeed.net> >> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> >> Sent: Friday, June 19, 2020 11:46:07 AM >> Subject: Re: [AFMUG] Issue with Google >> >> Yes, NAT is in play here, I just now increased the NAT pool to 128 addresses >> based on TJ's theory that the NAT pool might be too small. >> >> The source IP's seem to be spoofed or proxied somehow as the first IP >> address in >> the list from Google is our ARIN /20 Network address (x.x.0.0) and I find it >> hard to believe that our gateway router is scraping Google for content. >> >> -- >> Christopher Tyler >> Senior Network Engineer >> MTCRE/MTCNA/MTCTCE/MTCWE >> >> Total Highspeed Internet Solutions >> 1091 W. Kathryn Street >> Nixa, MO 65714 >> (417) 851-1107 x. 9002 >> www.totalhighspeed.com >> >> ----- Original Message ----- >>> From: "afmug" <af...@ics-il.net> >>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> >>> Sent: Friday, June 19, 2020 11:37:58 AM >>> Subject: Re: [AFMUG] Issue with Google >> >>> You have the source IP, port, and time. What more do you need to determine >>> who's >>> doing it? >>> >>> I'm assuming you're NATing customers at the router in question. >>> >>> >>> >>> ----- >>> Mike Hammett >>> [ http://www.ics-il.com/ | Intelligent Computing Solutions ] >>> [ https://www.facebook.com/ICSIL ] [ >>> https://plus.google.com/+IntelligentComputingSolutionsDeKalb ] [ >>> https://www.linkedin.com/company/intelligent-computing-solutions ] [ >>> https://twitter.com/ICSIL ] >>> [ http://www.midwest-ix.com/ | Midwest Internet Exchange ] >>> [ https://www.facebook.com/mdwestix ] [ >>> https://www.linkedin.com/company/midwest-internet-exchange ] [ >>> https://twitter.com/mdwestix ] >>> [ http://www.thebrotherswisp.com/ | The Brothers WISP ] >>> [ https://www.facebook.com/thebrotherswisp ] [ >>> https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg ] >>> >>> From: "Christopher Tyler" <ch...@totalhighspeed.net> >>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> >>> Sent: Friday, June 19, 2020 10:59:30 AM >>> Subject: [AFMUG] Issue with Google >>> >>> So the other day we got an email (excerpt below) from Google's automated >>> tool... >>> >>> We are seeing automated scraping of Google Web Search from a large >>> number of your IPs. Automated scraping violates our /robots.txt file >>> and also our Terms of Service. We request that you terminate this >>> traffic immediately. Failure to do so may cause your network to be >>> blocked by our abuse systems. >>> >>> To allow you to identify the traffic, we are providing a list of >>> your IPs they used today (Source field), as well as the most common >>> destination (Google) IP and port and a timestamp of a recent request >>> (in UTC) to aid in your identification. Note that this list may not >>> be exhaustive, and we request that you terminate all such traffic, not >>> just traffic from IPs in this list. >>> >>> All of the destination ports (to Google) are either 80 or 443, so they at >>> least >>> appear to be legit web traffic on the surface. They are obviously spoofed IP >>> address as there are network addresses in the list and the IP belongs to a >>> router that doesn't appear to be compromised in any way. The initial letter >>> included 700+ IP addresses from our network. >>> >>> It's now affecting our customers as they are now getting Captcha's for every >>> couple of Google searches that they perform. >>> >>> Does anyone know of a good way to track the perpetrator(s) down and/or know >>> of a >>> way to mitigate this? >>> >>> -- >>> Christopher Tyler >>> Senior Network Engineer >>> MTCRE/MTCNA/MTCTCE/MTCWE >>> >>> Total Highspeed Internet Solutions >>> 1091 W. Kathryn Street >>> Nixa, MO 65714 >>> (417) 851-1107 x. 9002 >>> www.totalhighspeed.com >>> >>> -- >>> AF mailing list >>> AF@af.afmug.com >>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com >>> >>> >>> -- >>> AF mailing list >>> AF@af.afmug.com >>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com >> >> -- >> AF mailing list >> AF@af.afmug.com >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com >> >> >> -- >> AF mailing list >> AF@af.afmug.com >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com > > -- > AF mailing list > AF@af.afmug.com > http://af.afmug.com/mailman/listinfo/af_af.afmug.com > > > -- > AF mailing list > AF@af.afmug.com > http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com http://af.afmug.com/mailman/listinfo/af_af.afmug.com
