RE: Google's "unusual traffic" notification

[Templin, Fred L]

Hi John,

If you suspect an ISATAP problem, I would like to understand it better because
I am not aware of any outstanding issues. Also, please refer to RFC6964 which
gives: "Operational Guidance for IPv6 Deployment in IPv4 Sites Using the 
Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP)".

Thanks - Fred


From: Brzozowski, John Jason [mailto:j...@jjmb.com]
Sent: Wednesday, July 24, 2013 6:17 PM
To: Templin, Fred L
Cc: Tore Anderson; ipv6-ops@lists.cluenet.de
Subject: RE: Google's "unusual traffic" notification


My case was ISATAP related. Perhaps specific to my deployment.
On Jul 24, 2013 1:52 PM, "Templin, Fred L" 
mailto:fred.l.temp...@boeing.com>> wrote:
Hi John - are saying that you are suspecting an ISATAP problem?

Thanks - Fred

From: 
ipv6-ops-bounces+fred.l.templin=boeing@lists.cluenet.de<mailto:boeing@lists.cluenet.de>
 
[mailto:ipv6-ops-bounces+fred.l.templin<mailto:ipv6-ops-bounces%2Bfred.l.templin>=boeing@lists.cluenet.de<mailto:boeing@lists.cluenet.de>]
 On Behalf Of Brzozowski, John Jason
Sent: Wednesday, July 24, 2013 10:27 AM
To: Tore Anderson
Cc: ipv6-ops@lists.cluenet.de<mailto:ipv6-ops@lists.cluenet.de>
Subject: Re: Google's "unusual traffic" notification

We have seen this in the past from corporate desktop blocks used for ISATAP.  I 
found this to be strange.  Note I have not seen this for some time.

John

Re: Google's "unusual traffic" notification

[gall]

On Thu, 25 Jul 2013 10:31:21 +0900, Erik Kline  said:

> On 24 July 2013 18:51,   wrote:
>> On Wed, 24 Jul 2013 10:27:20 +0200, Philipp Kern  said:
>> 
>>> On 2013-07-24 10:05, g...@switch.ch wrote:
 A customer reported to us that many of his users have been getting the
 "Our systems have detected unusual traffic from your computer network"
 message from Google since last week.  Apparently, this is only
 happening for IPv6, which makes me suspect that there is some kind of
 glitch with Google's technique for detecting what they believe is
 automated traffic.
>> 
>>> I presume it's per IP block, so it's not at all surprising that it
>>> "happens only for IPv6". So are you sure that there's no automated
>>> traffic happening? (Netflow should/might tell you that.)
>> 
>> This is not easy to find out without knowing what pattern to look for
>> (threshold, block size) and which time period to check (depends on how
>> long a block remains banned, which I don't know either).
>> 
>> >From past experience, I have developped a reflex to suspect that
>> something is not working as inteded when "it only happens with IPv6"
>> :/ That's why I try to find out if that could be the case here before
>> pursuing other options.  Call it a hunch.
>> 
>> If anybody from Google is listening (Lorenzo?), maybe they could check
>> for me if and why something in 2001:620:610::/48 is banned.

> FWIW, it seems this is basically working as intended.  (I'll follow up
> with you, unicast, for more detail.)

Thanks, much appreciated!  I feel like there are some general issues
here that are of interest to this list, though they are probably not
actually specific to IPv6.

People are obviously having a hard time to get information about why
they are being blocked. On
,
it says:

  If the problem persists, your network administrator should contact
  us

So, how do I contact "you", Google?  This is simply a dead end.  I
have also already stated (and others have confirmed it) that
 is a black hole.

On a more technical note, I'd like to know

  - how "abuse" is measured

  - the size of the address range that's being blocked due to abuse
from a single address and how this is done for IPv4 and IPv6

  - how long it takes for a ban to expire

There really needs to be a way for us operators to get enough
information to understand what's going on.  It's cool to have people
respond on a list like this, but Erik doesn't scale ;)

In our case, there appears to have been abuse from 3 (three)
addresses, which has caused pain for a substantial number of users.
This looks excessive to me, but there is really no way for me to tell
with the little information I have.

-- 
Alex

RE: Google's "unusual traffic" notification

[Brzozowski, John Jason]

My case was ISATAP related. Perhaps specific to my deployment.
On Jul 24, 2013 1:52 PM, "Templin, Fred L" 
wrote:

>  Hi John - are saying that you are suspecting an ISATAP problem?
>
> ** **
>
> Thanks - Fred
>
> ** **
>
> *From:* ipv6-ops-bounces+fred.l.templin=boeing@lists.cluenet.de[mailto:
> ipv6-ops-bounces+fred.l.templin=boeing@lists.cluenet.de] *On Behalf
> Of *Brzozowski, John Jason
> *Sent:* Wednesday, July 24, 2013 10:27 AM
> *To:* Tore Anderson
> *Cc:* ipv6-ops@lists.cluenet.de
> *Subject:* Re: Google's "unusual traffic" notification
>
> ** **
>
> We have seen this in the past from corporate desktop blocks used for
> ISATAP.  I found this to be strange.  Note I have not seen this for some
> time.
>
> ** **
>
> John
>

RE: Google's "unusual traffic" notification

[Templin, Fred L]

Hi John - are saying that you are suspecting an ISATAP problem?

Thanks - Fred

From: ipv6-ops-bounces+fred.l.templin=boeing@lists.cluenet.de 
[mailto:ipv6-ops-bounces+fred.l.templin=boeing@lists.cluenet.de] On Behalf 
Of Brzozowski, John Jason
Sent: Wednesday, July 24, 2013 10:27 AM
To: Tore Anderson
Cc: ipv6-ops@lists.cluenet.de
Subject: Re: Google's "unusual traffic" notification

We have seen this in the past from corporate desktop blocks used for ISATAP.  I 
found this to be strange.  Note I have not seen this for some time.

John

Re: Google's "unusual traffic" notification

[Brzozowski, John Jason]

We have seen this in the past from corporate desktop blocks used for
ISATAP.  I found this to be strange.  Note I have not seen this for some
time.

John

Re: Google's "unusual traffic" notification

[Tore Anderson]

* Gert Doering

> On Wed, Jul 24, 2013 at 10:05:16AM +0200, g...@switch.ch wrote:
>> A customer reported to us that many of his users have been getting the
>> "Our systems have detected unusual traffic from your computer network"
>> message from Google since last week.  Apparently, this is only
>> happening for IPv6, which makes me suspect that there is some kind of
>> glitch with Google's technique for detecting what they believe is
>> automated traffic.
> 
> ACK!  I've had this happen twice to our office network now, only on IPv6,
> and nothing in my logs or netflow data backs this...
> 
>> I filled in their form at
>> , but I'm not
>> particualry optimistic that this will help.
> 
> ... it helped (as in "the message is gone"), but we never heard anything
> back why it happened.  Which is a bit frustrating.  "You are evil but we're
> not willing to tell you what it is so you can't fix it".

AOL

Word quickly got around that disabling IPv6 in the browser or OS "fixed"
the problem. I doubt that many thought to turn it back on again after
(to be quite honest I'm not even sure *I* remembered to). :-(

Tore

Re: Google's "unusual traffic" notification

[Phil Mayers]

On 24/07/13 14:06, Gert Doering wrote:


... it helped (as in "the message is gone"), but we never heard anything
back why it happened.  Which is a bit frustrating.  "You are evil but we're
not willing to tell you what it is so you can't fix it".


Yeah, we've had that. In particular, their "blacklist resolver " 
algorithm was opaque IN THE EXTREME, and when queried, Google basically 
said "it's too complex for me to tell you".

Re: Google's "unusual traffic" notification

[Gert Doering]

Hi,

On Wed, Jul 24, 2013 at 10:05:16AM +0200, g...@switch.ch wrote:
> A customer reported to us that many of his users have been getting the
> "Our systems have detected unusual traffic from your computer network"
> message from Google since last week.  Apparently, this is only
> happening for IPv6, which makes me suspect that there is some kind of
> glitch with Google's technique for detecting what they believe is
> automated traffic.

ACK!  I've had this happen twice to our office network now, only on IPv6,
and nothing in my logs or netflow data backs this...

> I filled in their form at
> , but I'm not
> particualry optimistic that this will help.

... it helped (as in "the message is gone"), but we never heard anything
back why it happened.  Which is a bit frustrating.  "You are evil but we're
not willing to tell you what it is so you can't fix it".

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444USt-IdNr.: DE813185279

RE: EXTERNAL: Re: Google's "unusual traffic" notification

[Djachechi, Christian N]

 I got the same message from Google her in the US, but could not figure out 
what the issue was. Looked at my log and did not find anything unusual. I am 
dual stack.

CHRISTIAN DJACHECHI, PMP | SENIOR TECHNOLOGIST 
LOCKHEED MARTIN IS&GS CIVIL EITS-CMS/CITIC

-Original Message-
From: ipv6-ops-bounces+christian.n.djachechi=lmco@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christian.n.djachechi=lmco@lists.cluenet.de] On 
Behalf Of g...@switch.ch
Sent: Wednesday, July 24, 2013 5:51 AM
To: Philipp Kern
Cc: ipv6-ops@lists.cluenet.de
Subject: EXTERNAL: Re: Google's "unusual traffic" notification

On Wed, 24 Jul 2013 10:27:20 +0200, Philipp Kern  said:

> On 2013-07-24 10:05, g...@switch.ch wrote:
>> A customer reported to us that many of his users have been getting 
>> the "Our systems have detected unusual traffic from your computer network"
>> message from Google since last week.  Apparently, this is only 
>> happening for IPv6, which makes me suspect that there is some kind of 
>> glitch with Google's technique for detecting what they believe is 
>> automated traffic.

> I presume it's per IP block, so it's not at all surprising that it 
> "happens only for IPv6". So are you sure that there's no automated 
> traffic happening? (Netflow should/might tell you that.)

This is not easy to find out without knowing what pattern to look for 
(threshold, block size) and which time period to check (depends on how long a 
block remains banned, which I don't know either).

>From past experience, I have developped a reflex to suspect that
something is not working as inteded when "it only happens with IPv6"
:/ That's why I try to find out if that could be the case here before pursuing 
other options.  Call it a hunch.

If anybody from Google is listening (Lorenzo?), maybe they could check for me 
if and why something in 2001:620:610::/48 is banned.

--
Alex

Re: Google's "unusual traffic" notification

[gall]

On Wed, 24 Jul 2013 10:27:20 +0200, Philipp Kern  said:

> On 2013-07-24 10:05, g...@switch.ch wrote:
>> A customer reported to us that many of his users have been getting the
>> "Our systems have detected unusual traffic from your computer network"
>> message from Google since last week.  Apparently, this is only
>> happening for IPv6, which makes me suspect that there is some kind of
>> glitch with Google's technique for detecting what they believe is
>> automated traffic.

> I presume it's per IP block, so it's not at all surprising that it 
> "happens only for IPv6". So are you sure that there's no automated 
> traffic happening? (Netflow should/might tell you that.)

This is not easy to find out without knowing what pattern to look for
(threshold, block size) and which time period to check (depends on how
long a block remains banned, which I don't know either).

>From past experience, I have developped a reflex to suspect that
something is not working as inteded when "it only happens with IPv6"
:/ That's why I try to find out if that could be the case here before
pursuing other options.  Call it a hunch.

If anybody from Google is listening (Lorenzo?), maybe they could check
for me if and why something in 2001:620:610::/48 is banned.

-- 
Alex

Re: Google's "unusual traffic" notification

[Philipp Kern]

On 2013-07-24 10:05, g...@switch.ch wrote:

A customer reported to us that many of his users have been getting the
"Our systems have detected unusual traffic from your computer network"
message from Google since last week.  Apparently, this is only
happening for IPv6, which makes me suspect that there is some kind of
glitch with Google's technique for detecting what they believe is
automated traffic.


I presume it's per IP block, so it's not at all surprising that it 
"happens only for IPv6". So are you sure that there's no automated 
traffic happening? (Netflow should/might tell you that.)


Kind regards
Philipp Kern