Pretty sure that we traced it back to DiviNetworks.

They are supposed to use spare bandwidth to pseudonymously originate web 
requests. They use our IP addresses and in theory they are supposed to do this 
without disturbing our customers and only access web sites whose owners have 
contracted them to do so, generally to test connectivity.

We are currently in communication with them to get it fixed. 

-- 
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com

----- Original Message -----
> From: "Chris Tyler" <ch...@totalhighspeed.net>
> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> Sent: Friday, June 19, 2020 12:23:22 PM
> Subject: Re: [AFMUG] Issue with Google

> No, we are not pre-defining blocks at this time. I will look at implementing
> that, thank you.
> 
> --
> Christopher Tyler
> 
> ----- Original Message -----
>> From: "afmug" <af...@ics-il.net>
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> Sent: Friday, June 19, 2020 12:12:38 PM
>> Subject: Re: [AFMUG] Issue with Google
> 
>> Are you pre-defining blocks, though?
>> 
>> Inside IP    Outside IP/Port range
>> 100.64.1.1   2.2.2.2:2000-2099
>> 100.64.1.2   2.2.2.2:2100-2199
>> 100.64.1.3   2.2.2.2:2200-2299
>> 
>> I'd do more than 100 ports, but the table is just meant to express the
>> concept.
>> 
>> Then you ALWAYS know IP:port to internal IP matching, without having to track
>> anything.
>> 
>> 
>> 
>> -----
>> Mike Hammett
>> [ http://www.ics-il.com/ | Intelligent Computing Solutions ]
>> [ https://www.facebook.com/ICSIL ] [
>> https://plus.google.com/+IntelligentComputingSolutionsDeKalb ] [
>> https://www.linkedin.com/company/intelligent-computing-solutions ] [
>> https://twitter.com/ICSIL ]
>> [ http://www.midwest-ix.com/ | Midwest Internet Exchange ]
>> [ https://www.facebook.com/mdwestix ] [
>> https://www.linkedin.com/company/midwest-internet-exchange ] [
>> https://twitter.com/mdwestix ]
>> [ http://www.thebrotherswisp.com/ | The Brothers WISP ]
>> [ https://www.facebook.com/thebrotherswisp ] [
>> https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg ]
>> 
>> From: "Christopher Tyler" <ch...@totalhighspeed.net>
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> Sent: Friday, June 19, 2020 12:07:55 PM
>> Subject: Re: [AFMUG] Issue with Google
>> 
>> That is how we are doing it for the most part. We still have a lot of old
>> 172.16.0.0/12 addresses that need to be converted to 100.64.0.0/10. We have
>> been and still are steadily working towards that goal though.
>> 
>> --
>> Christopher Tyler
>> 
>> ----- Original Message -----
>>> From: "afmug" <af...@ics-il.net>
>>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>>> Sent: Friday, June 19, 2020 12:00:18 PM
>>> Subject: Re: [AFMUG] Issue with Google
>> 
>>> If you're NATing multiple customers behind a single IP address, do it this
>>> way:
>>> 
>>> https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444
>>> 
>>> 
>>> 
>>> -----
>>> Mike Hammett
>>> 
>>> From: "Christopher Tyler" <ch...@totalhighspeed.net>
>>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>>> Sent: Friday, June 19, 2020 11:46:07 AM
>>> Subject: Re: [AFMUG] Issue with Google
>>> 
>>> Yes, NAT is in play here, I just now increased the NAT pool to 128 addresses
>>> based on TJ's theory that the NAT pool might be too small.
>>> 
>>> The source IPs seem to be spoofed or proxied somehow, as the first IP
>>> address in the list from Google is our ARIN /20 network address (x.x.0.0)
>>> and I find it hard to believe that our gateway router is scraping Google
>>> for content.
>>> 
>>> --
>>> Christopher Tyler
>>> 
>>> ----- Original Message -----
>>>> From: "afmug" <af...@ics-il.net>
>>>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>>>> Sent: Friday, June 19, 2020 11:37:58 AM
>>>> Subject: Re: [AFMUG] Issue with Google
>>> 
>>>> You have the source IP, port, and time. What more do you need to
>>>> determine who's doing it?
>>>> 
>>>> I'm assuming you're NATing customers at the router in question.
>>>> 
>>>> 
>>>> 
>>>> -----
>>>> Mike Hammett
>>>> 
>>>> From: "Christopher Tyler" <ch...@totalhighspeed.net>
>>>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>>>> Sent: Friday, June 19, 2020 10:59:30 AM
>>>> Subject: [AFMUG] Issue with Google
>>>> 
>>>> So the other day we got an email (excerpt below) from Google's automated
>>>> tool...
>>>> 
>>>> We are seeing automated scraping of Google Web Search from a large
>>>> number of your IPs. Automated scraping violates our /robots.txt file
>>>> and also our Terms of Service. We request that you terminate this
>>>> traffic immediately. Failure to do so may cause your network to be
>>>> blocked by our abuse systems.
>>>> 
>>>> To allow you to identify the traffic, we are providing a list of
>>>> your IPs they used today (Source field), as well as the most common
>>>> destination (Google) IP and port and a timestamp of a recent request
>>>> (in UTC) to aid in your identification. Note that this list may not
>>>> be exhaustive, and we request that you terminate all such traffic, not
>>>> just traffic from IPs in this list.
>>>> 
>>>> All of the destination ports (to Google) are either 80 or 443, so they at
>>>> least appear to be legit web traffic on the surface. They are obviously
>>>> spoofed IP addresses as there are network addresses in the list and the IP
>>>> belongs to a router that doesn't appear to be compromised in any way. The
>>>> initial letter included 700+ IP addresses from our network.
>>>> 
>>>> It's now affecting our customers as they are now getting CAPTCHAs for every
>>>> couple of Google searches that they perform.
>>>> 
>>>> Does anyone know of a good way to track the perpetrator(s) down and/or know
>>>> of a way to mitigate this?
>>>> 
>>>> --
>>>> Christopher Tyler
>>>> 
>>>> --
>>>> AF mailing list
>>>> AF@af.afmug.com
>>>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
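
The pre-defined block scheme described in the quoted thread, worked as an added example (it is not part of any poster's message and is not MikroTik's script). It goes slightly beyond the three-row table by spilling over to a second outside address once the first runs out of blocks; the pool addresses, port bounds, sequential inside numbering and report-line format are assumptions.

```python
import ipaddress

# Assumed plan parameters (hypothetical; the first three rows reproduce the
# table quoted in the thread: 100.64.1.1 -> 2.2.2.2:2000-2099, and so on).
INSIDE_FIRST = ipaddress.IPv4Address("100.64.1.1")
OUTSIDE_POOL = [ipaddress.IPv4Address("2.2.2.2"), ipaddress.IPv4Address("2.2.2.3")]
PORT_FIRST, PORT_LAST, BLOCK = 2000, 65535, 100
BLOCKS_PER_IP = (PORT_LAST - PORT_FIRST + 1) // BLOCK  # whole blocks only


def outside_for(inside_ip):
    """Inside address -> (outside IP, first port, last port) of its block."""
    idx = int(ipaddress.IPv4Address(inside_ip)) - int(INSIDE_FIRST)
    if not 0 <= idx < BLOCKS_PER_IP * len(OUTSIDE_POOL):
        raise ValueError(f"{inside_ip} is outside the planned range")
    pool_idx, block = divmod(idx, BLOCKS_PER_IP)
    first = PORT_FIRST + block * BLOCK
    return str(OUTSIDE_POOL[pool_idx]), first, first + BLOCK - 1


def inside_for(outside_ip, port):
    """Outside IP:port -> inside address, or None if no block covers it."""
    try:
        pool_idx = OUTSIDE_POOL.index(ipaddress.IPv4Address(outside_ip))
    except ValueError:
        return None  # not a NAT pool address (e.g. a router or network address)
    block = (port - PORT_FIRST) // BLOCK
    if port < PORT_FIRST or block >= BLOCKS_PER_IP:
        return None  # port was never handed out by this plan
    return str(INSIDE_FIRST + pool_idx * BLOCKS_PER_IP + block)


def resolve_report(lines):
    """Map 'source_ip source_port utc_timestamp' report lines to inside IPs."""
    out = []
    for line in lines:
        src, port, when = line.split()
        out.append((when, src, int(port), inside_for(src, int(port))))
    return out


# Constructed sample report lines, not taken from the Google notice.
SAMPLE_REPORT = [
    "2.2.2.2 2150 2020-06-18T14:02:11Z",
    "2.2.2.3 2001 2020-06-18T14:05:40Z",
    "2.2.0.0 443 2020-06-18T14:07:02Z",
]
```

A report entry that resolves to None was not produced by the NAT plan, so it has to be traced some other way than the mapping.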
