How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was, or still is, sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet-facing IP address, not the private IP address assigned to your laptop, PC or device. If you don’t know what your Internet-facing (or public) IP address is, you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like this http://www.ipvoid.com/ to see if your IP address appears on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled, so it could be that you were allocated a dodgy one. This is a remote possibility, so make sure you cover tips 1 to 4 first.
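Tip 2 in working form, as an added example that is not NetFort code: it runs the scan, unusual-port and Tor-traffic heuristics over a constructed set of gateway connection records. The port allow-list, the scan threshold and the use of Tor's default relay ports as a stand-in for "TOR traffic" are all assumptions to tune for your own network.

```python
"""Gateway-traffic triage for tip 2 above.

Added example, not NetFort code. Input is a constructed list of
connection records of the kind a gateway or flow export produces:
(src_ip, dst_ip, dst_port). Three heuristics from the tip are applied:
a port scan (one source touching many ports on one host), traffic on
ports outside a small allow-list, and Tor-style traffic, approximated
here by Tor's default relay ports (an assumption; real Tor use varies).
"""
from collections import defaultdict

COMMON_PORTS = {25, 53, 80, 123, 443, 587, 993, 995}
TOR_PORTS = {9001, 9030}   # default Tor ORPort / DirPort, heuristic only
SCAN_THRESHOLD = 10        # distinct ports on one host from one source

# Constructed sample records
RECORDS = [
    ("192.168.1.20", "203.0.113.5", 443),
    ("192.168.1.20", "203.0.113.5", 80),
    ("192.168.1.77", "198.51.100.9", 9001),
    ("192.168.1.77", "198.51.100.9", 9001),
    ("192.168.1.50", "203.0.113.77", 6667),
] + [("192.168.1.99", "203.0.113.10", p) for p in range(20, 40)]


def triage(records, common_ports=COMMON_PORTS, tor_ports=TOR_PORTS,
           scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: [findings]} for internal hosts worth a closer look."""
    ports_per_pair = defaultdict(set)
    for src, dst, port in records:
        ports_per_pair[(src, dst)].add(port)
    findings = defaultdict(list)
    for (src, dst), ports in sorted(ports_per_pair.items()):
        if len(ports) >= scan_threshold:
            # Report a scan once rather than one line per odd port
            findings[src].append("port-scan %s (%d ports)" % (dst, len(ports)))
            continue
        for port in sorted(ports):
            if port in tor_ports:
                findings[src].append("tor-port %s:%d" % (dst, port))
            elif port not in common_ports:
                findings[src].append("unusual-port %s:%d" % (dst, port))
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(triage(RECORDS).items()):
        print(host, "->", "; ".join(notes))
```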

How to Monitor Internet Activity Using a SPAN Port

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Blog Post: How to deal with “Google has detected unusual traffic from your network” notifications

Please don’t hesitate to get in contact with our support team if you are having an issue with an unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Thanks to NetFort for the article.

Cyber Attacks – Businesses Held for Ransom in 2015

Really nice, crisp, clear morning here in Galway, a bit chilly though. Before I dropped my 14-year-old son at school, I tuned into an Irish station, NewsTalk, and caught most of a very interesting conversation between a member of a large Irish law firm, William Fry, and the presenter.

They were discussing the increasing threat of cyber-attack for Irish businesses. They spoke about the importance of detection, as 43% of businesses are not even aware that they are being attacked, and the hackers can have access for weeks or months before they are detected.

They also indicated that 4 out of 5 businesses have been impacted. Hard to believe, but if this also includes recent Ransomware attacks, for example, then based on feedback from NetFort customers I would believe it. Maybe, as large enterprises are spending more on security and have ‘tightened up’, the hacker has moved on and redefined the ‘low hanging fruit’: is it now the small to medium enterprise (SME)?

It reminds me of a discussion I had last year with a network admin of a college in Chicago. ‘John, we are entering an era where continuous monitoring, visibility is becoming more and more critical because there is no way all the inline active systems can protect us internally and externally these days’.

I am biased but I think he is absolutely correct. Visibility, actionable intelligence, data normal users can read and interpret and act on is critical.

Visibility not just at the edge though, also at the core, the internal network because it is critical to be able to see and detect suspicious activity or network misuse here also. It is also important to track this, to keep a record of it to help troubleshoot, to provide proof for management, auditors and even users.

I was discussing some recent LANGuardian use cases with an adviser in the US this week and mentioned that we are hearing the term ‘network misuse’ a lot more these days and I was not sure why. Maybe organizations are becoming more concerned about data theft?

His explanation makes sense. For him it was all about the attack surface: if users are misusing the network, accessing sites and applications that are non-critical or inappropriate and infected, that increases the attack surface and the security risk, and will result in pain for everybody.

In defence of Irish business though, a lot of the systems out there in this space are only suitable for large enterprises: too expensive and complex to manage, tune and get real actionable intelligence from. SMEs all over the world, not just in Ireland, cannot afford them in terms of time, people and money.

Thanks to NetFort for the article.

The Three Primary Use Cases for Network Forensics

When it comes to network forensics we are primarily dealing with three use cases.

The first is operational intelligence. This tends to manifest in metrics and visibility into availability and performance. Management personnel typically require high level reporting whereas network and engineering teams require drill down capabilities to get root cause answers quickly. Network forensics is crucial for anyone who needs to drive down mean time to repair or mean time to identify. Organizations such as media companies, ecommerce businesses, and anyone with an online presence where downtime is money use forensics tools on a daily basis.

The second use case is security and compliance. Network forensics can be used to identify traffic patterns that look malicious, identify DDoS vectors, attempted breaches, and malware. Real-time and historical reports with the ability to associate network activity with devices or users are the foundations of most compliance standards. Organizations of all sizes and in all sectors need to keep their networks secure which means forensic solutions are a must have.

The third use case is customer insights. This is business performance analysis, which includes real-time revenue monitoring, event impact and correlations. The customer in this instance is typically on-line and requires a stable and fast connection to applications, games, or services. Gaming, media and entertainment, hi-tech are all areas where this is seen as a requirement rather than a nice to have.

Thanks to NetFort for the article.

Wire Data – More Flexible Than Log Data?

I have just finished a pretty long road trip around the US: New York, New Jersey, Washington DC, Chicago, Austin and San Francisco. Travelling around the US at this time of year can be very ‘challenging’ for sure; some airports can handle the snow, and some like Newark do an OK job. Although sitting in an airplane at the gate for over 3 hours in Newark on Saturday night, waiting for my flight to Shannon to leave and for one of the pilots to arrive, was not an act of God. Imagine, he was the one guy who got caught in traffic; all the other people on the flight knew bad weather was on the way and adjusted their travel plans accordingly!

Anyway, it was a great trip, I met some partners and customers, really enjoyed and appreciate their time and feedback. One interesting term that was mentioned a lot was ‘wire data analytics’. Why? What are the use cases? How does ‘wire data’ add value?

A lot of the use cases seem to be security and data related. It comes down to the detail one can get from looking inside the packets, which is not available from flow technologies like NetFlow. Looking inside the packet, deep packet inspection, does not always have to be about timings, latency, QoE, etc. It can help provide the proof, that final piece of detail, to really understand what happened: the domain name and URI for example, and the amount of data uploaded or downloaded. These are critical pieces of information for security forensics.

For example, Ransomware is still very common. One user in a company got hit by CryptoLocker, had no backup and was considering paying the ransom. These bad guys are targeting the file shares, creating files with strange file names like ‘howdecrypt.txt’, encrypting, etc. Boy, do you miss your data when you can’t access it; like when your Windows laptop gets corrupted and will not boot, you will try anything to get your data back.

So, how does wire data help with Ransomware, for example? Well, if you can capture the right level of detail ‘off the wire’, like the file name, the user name, the source IP address, the action (say ‘create file’) and the server IP address, then one can alert on or block the source IP and prevent further infection, and also use the information to see if other hosts or servers have been infected. Comparing wire data and log data in this case is also very interesting.

Log data can also be very useful when troubleshooting, but crucially in this particular use case, if logging is enabled on the Windows file share server, the logged detail does not include the source or client IP address. It includes an awful lot of other detail, sometimes adding huge overhead to the server, but not the source IP, which is usually pretty useful!

But this also demonstrates the flexibility of ‘wire data’: you can of course capture it at any point across the network, SPAN multiple VLANs for example. Also, if you have an SMB dissector available (as in our NetFort LANGuardian) and it is intelligent and fast enough, the dissector can decide which data to identify, extract and keep.

You do not want to keep every single packet, because then you will have a Big Data problem and you will not be able to see anything useful unless you are an expert. In the case above you can decide to extract and store the client IP address, which is easier than going back to Microsoft and asking them to also log it in a future version!

Wire data is not dependent on the format or content of the log and can be a very flexible and independent option.
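The Ransomware use case above, as an added example that is not LANGuardian code: it takes constructed SMB wire-data records with the fields the text names (client IP, user, server IP, action, file name) and scores each client IP on two indicators, creation of a ransom-note file name such as ‘howdecrypt.txt’ and a burst of creates/renames on the share. The thresholds and the sample records are assumptions.

```python
"""Ransomware triage over SMB wire-data records.

Added example, not LANGuardian code. Each record carries the fields the
text says a dissector can pull off the wire, keyed on the client IP that
the Windows file-share log does not include. Two indicators per client:
a ransom-note file name being created, and a burst of creates/renames
within a short window (mass encryption).
"""
from collections import defaultdict

RANSOM_NOTE_NAMES = {"howdecrypt.txt"}  # extend with names from your own cases
BURST_THRESHOLD = 20   # creates/renames from one client within WINDOW_S
WINDOW_S = 60

# Constructed sample: (time_s, client_ip, user, server_ip, action, path)
RECORDS = [
    (0, "10.0.0.15", "alice", "10.0.0.2", "create", "\\docs\\report.docx"),
    (5, "10.0.0.15", "alice", "10.0.0.2", "read", "\\docs\\budget.xlsx"),
    (100, "10.0.0.44", "bob", "10.0.0.2", "create", "\\docs\\howdecrypt.txt"),
] + [
    (100 + i, "10.0.0.44", "bob", "10.0.0.2", "rename",
     "\\docs\\file%d.docx.encrypted" % i)
    for i in range(25)
]


def triage(records, window=WINDOW_S, burst=BURST_THRESHOLD):
    """Return {client_ip: {"users": [...], "reasons": [...]}} for suspects."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    hits = {}
    for client, recs in by_client.items():
        reasons = []
        notes = [r[5] for r in recs if r[4] == "create"
                 and r[5].split("\\")[-1].lower() in RANSOM_NOTE_NAMES]
        if notes:
            reasons.append("ransom note created: " + notes[0])
        # Sliding window over create/rename timestamps to spot mass encryption
        writes = sorted(r[0] for r in recs if r[4] in ("create", "rename"))
        lo = 0
        for hi, t in enumerate(writes):
            while t - writes[lo] > window:
                lo += 1
            if hi - lo + 1 >= burst:
                reasons.append("%d creates/renames within %ds" % (hi - lo + 1, window))
                break
        if reasons:  # client IP plus user: what you would alert on or block
            hits[client] = {"users": sorted({r[2] for r in recs}), "reasons": reasons}
    return hits
```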

Thanks to NetFort for the article. 

Google Has Detected Unusual Traffic from Your Network

Malware on PCs and other devices can lead to all sorts of serious issues, from Ransomware to DDoS activity. Another symptom of malware that I come across a lot is when Google displays the message “Google has detected unusual traffic from your network” when users search for something. The reason Google detects something is that they are probably receiving loads of automated searches from your IP addresses. Typically these searches are automated by malware installed on one or more systems inside your network.

Your options are very limited when this happens. One would be to ignore it, but each time you want to search for something you will have to solve a CAPTCHA (a squiggly word with a box below it). The recommended approach is to find out what is causing the problem in the first place. The Google notification will give you very little to go on, so the main priority is to get visibility into what is happening on your network. Forget about SNMP or NetFlow: you will need lots of detail to get to the root cause and neither of these protocols will provide it. An ideal data source is a SPAN or mirror port. This will give you access to network packets, or wire data as I hear some people describe it. A SPAN port will give you access to crucial information like IP addresses, host names, web domain names, email addresses, application payloads and MAC addresses.

Once you have your SPAN port set up you just need to install LANGuardian and take a look at what is happening. Watch out for systems connecting to external IP addresses or hosts with lots of traffic to the Google domains. LANGuardian will also associate this network activity with usernames so you know who is causing the problem.

See below for a recent quote from a customer. In this case they did not use LANGuardian to investigate a Google issue. However, it does go to show how happy customers are using LANGuardian to find out what is happening on their networks.

“LANGuardian is a crucial part of our investigation tools within the network, gets right into what’s happening”, James Barnes, ICT Team Leader, Ayrshire College, Scotland.

Please don’t hesitate to get in contact with our support team if you are having an issue with a Google notification. You can also download a free trial of LANGuardian which can help you get to the root cause of any issues fast.
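The investigation described above in working form, as an added example that is not LANGuardian code: it takes constructed per-request records of the kind a SPAN-port sensor can extract (time, client IP, web domain name), flags clients whose request rate to Google domains is far beyond what a person typing searches produces, and joins the result to a constructed IP-to-username map. The domain list, threshold and sample data are assumptions.

```python
"""Pinpointing the client behind a Google 'unusual traffic' notice.

Added example, not LANGuardian code. Input is a constructed list of
requests as a SPAN-port sensor could extract from HTTP Host headers or
TLS SNI: (time_s, client_ip, server_name), plus a constructed map from
IP to username standing in for logon data. A person searches a handful
of times a minute; the block flags clients whose requests to Google
domains in any one-minute bucket exceed a threshold.
"""
from collections import Counter, defaultdict

GOOGLE_DOMAINS = ("google.com",)   # add local ccTLD variants as needed
MAX_PER_MINUTE = 30

# Constructed sample input
IP_TO_USER = {"192.168.1.20": "alice", "192.168.1.88": "bob"}
REQUESTS = (
    [(0, "192.168.1.20", "www.google.com"),
     (25, "192.168.1.20", "www.google.com"),
     (40, "192.168.1.20", "mail.google.com")]
    + [(i * 0.5, "192.168.1.88", "www.google.com") for i in range(200)]
    + [(i, "192.168.1.30", "www.example.org") for i in range(100)]
)


def is_google(server_name):
    """Match the domain itself or any subdomain, not e.g. 'notgoogle.com'."""
    return any(server_name == d or server_name.endswith("." + d)
               for d in GOOGLE_DOMAINS)


def noisy_searchers(requests, ip_to_user, limit=MAX_PER_MINUTE):
    """Return {client_ip: {"user", "peak_per_minute", "hosts"}} over limit."""
    per_minute = defaultdict(Counter)   # client -> minute bucket -> count
    hosts = defaultdict(Counter)        # client -> server_name -> count
    for ts, ip, name in requests:
        if is_google(name):
            per_minute[ip][int(ts // 60)] += 1
            hosts[ip][name] += 1
    flagged = {}
    for ip, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak > limit:
            flagged[ip] = {"user": ip_to_user.get(ip, "unknown"),
                           "peak_per_minute": peak,
                           "hosts": hosts[ip].most_common(3)}
    return flagged
```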


Thanks to NetFort for the article.