How to Deal With Unusual Traffic Detected Notifications

How to Deal With Unusual Traffic Detected NotificationsIf you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like this to see if your IP address is known black lists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

How to Monitor Internet Activity Using a SPAN Port

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Blog Post: How to deal with “Google has detected unusual traffic from your network” notifications

Please don’t hesitate to get in contact with our support team if you are having an issue with a unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Thanks to NetFort for the article.

Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Apple is presently working on issues with malware (XCodeGhost) in their App Store. According to this blog post, over 50 iOS apps contained malicious code that made iPhones and iPads part of a botnet that stole potentially sensitive user information including:

  • Application name
  • Application version
  • OS version
  • Language
  • Country
  • Developer info
  • Application installation type
  • Device name
  • Device type

One of the quick ways to check for suspicious activity on your network is to look for HTTP or DNS traffic associated with:

Lately criminals have been targeting user of mobile devices more as people are less cautious on mobile devices than on desktops. This attack also highlights how security awareness is so important throughout the application development process. Everyone from the developer from the end user needs to be alert. In this incident developers were tricked into using counterfeit software to build their applications which created an ideal environment for malware to spread.

The BBC is reporting that the majority of people affected by this attack were in China. However, we would recommend that you check your own network for activity, especially if you allow mobile devices to connect to the corporate network.

A recommended approach to do this would be to use network packet capture. Tools which use NetFlow (or other flow source) are poor when it comes to web usage tracking. Packet capture allows you to look inside HTTP headers where interesting data like User-Agent can be found.

You can use a free tool like Wireshark or a commercial product like LANGuardian. Once installed you should setup a SPAN or mirror port to get a copy of network packets going in and out of your Internet connection. This is a passive monitoring approach so you wont need to install client or agent software on all of your network devices.

Deep packet inspection (DPI) based monitoring also works whether you have a proxy or not, just need to sniff the traffic at the correct location. Many organizations are not using proxies these days because they are a potential bottleneck, another inline device that can degrade performance or cause issues. If you do not have one and need visibility, you have the option of using a SPAN port or port mirror.

The following video shows how you can setup a SPAN or mirror port to monitor Internet or mobile device activity. This is an ideal way for detecting HTTP or DNS traffic associated with XCodeGhost. Even if you don’t have a problem today, you should get familiar with the concept so that you are prepared for the next big security issue.


Our support team is here to help if you have any questions about detecting XCodeGhost activity on your network. Contact information can be found at the very top of this blog post. Use the following procedure if you want to use LANGuardian for detecting XCodeGhost activity.

  • Enter websites in the find field which is located in the top right of the GUI
  • Select Web : Top Websites & URI
  • Search for or by using the website name filter.

Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Please use the comment section below if you have any feedback or further information for detecting XCodeGhost activity.

Thanks to NetFort for the article.

Server Log Files Do Not Always Have the Answer

In today’s world, security information and event management (SIEM) systems are hot technology. Some people deploy them because of compliance needs, others because they need access to data to troubleshoot problems. SIEM systems themselves are useless without sources of data and most of them connect to server log files and other network devices. The problem is that there are limitations with server log files when it comes to usability analysis.

Server Log Files Do Not Always Have the AnswerA good example of this is Ransomware. It is a big issue at the moment and most IT managers want to detect and get rid of it as soon as possible. This can be challenging when you have hundreds if not thousands of users on your network.

Once Ransomware gets into a network it starts to encrypt files and every time it moves from a directory to another, it leaves an instruction note within a text file that leads to a website or TOR network site. If an event can be triggered when these files are created then it would be an excellent start. However, as you can see in this sample event, no IP address is shown for the problematic device that is spreading the malware. This makes it difficult to block the device from accessing the network.

Event Type: Success Audit
Event Source:  Security
Event Category:  Object Access
Event ID:     560
Date:  2/24/2015
Time:    12:40:46 PM
User:  WIN2003DATABASE\Administrator
Computer:  WIN2003DATABASE
Object Open:
Object Server:  
Object Type:  File
Object Name: C:\Downloads\test.txt
Handle ID:   5128
Operation ID:  {0,2612512}
Process ID:  4
Image File Name: WIN2003DATABASE$
Primary User Name:
Primary Domain:  WORKGROUP
Primary Logon ID:  (0x0,0x3E7)
Client User Name: Administrator
Client Domain: WIN2003DATABASE
Client Logon ID: (0x0,0x2708B4)
Privileges: –
Restricted Sid Count: 0
Access Mask: 0x100080

Some people suggest setting up SPAN or mirror ports which are excellent data sources. The problem is that you may need to work through millions of packets to find useful information. Make no mistake about it, packet analysis can reveal crucial detail like IP addresses as you can see in the image below.

Server Log Files Do Not Always Have the Answer

You could now use log data and information from your Windows log to build a complete picture. While this might be an option for a small network with a few clients, it does not scale well. The next option to consider is a system like LANGuardian which does the packet analysis for you. It analyses the packets as they come in from a SPAN or mirror port and it extracts the important metadata. Metadata would include things like IP addresses, filenames and actions.

Server Log Files Do Not Always Have the Answer

Server Log Files Do Not Always Have the Answer

Systems like the LANGuardian can then export this information via SYSLOG or other formats to other network management systems which can then take an action.

Server log files do not always have the answer but there are other sources of data on your network.

Thanks to NetFort for the article.

Tracking Web Activity by MAC Address

Tracking Web Activity by MAC AddressTracking web activity is nothing new. For many years IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving.

While some firewalls and proxy servers include reporting capabilities, most are not up to the job. These systems were designed to block or control access and reporting was just added on at a later date. Server log files do not always have the answer either. They are meant to provide server administrators with data about the behaviour of the server, not what users are doing on the Internet.

Some vendors are pitching flow type (NetFlow, IPFIX, etc…) tools to address the problem. The idea is that you get flow records from the edge of your network so you can see what IP address is connecting to what. However, as with server logs, NetFlow isn’t a web usage tracker. The main reason for this is that it does not look at HTTP headers where a lot of the important information is stored.

One of the best data sources for web tracking is packet capture. You can enable packet capturing with SPAN\mirror ports, packet brokers, TAPs or by using promiscuous mode on virtual platforms. The trick is to pull the relevant information and discard the rest so you don’t end up storing massive packet captures.

Relevant information includes things like MAC address, source IP, destination IP, time, website, URI and username. You only see the big picture when you have all of these variables in front of you.

Tracking Web Activity by MAC Address

Why track Internet activity?

  • Root out the source of Ransomware and other security threats. Track it down to specific users, IP addresses or MAC addresses
  • Maintain logs so that you can respond to third party requests. Finding the source of Bittorrent use would be a common requirement on open networks.
  • Find out why your Internet connection is slow. Employees watching HD movies is a frequent cause.
  • Out-of-band network forensics for troubleshooting or identifying odd network traffic.

Customer Use Case

End user is a very large airport in EMEA. Basic requirements and use case is tracking web activity, keeping a historical record of it for a period of one year, and because most of the users are just passing through (thousands of wireless users every hour!) the only way to uniquely identify each user or device is by MAC address.

Luckily for us, because the LANGuardian HTTP decoder captures and analyses wire data off a SPAN or mirror port it can easily track proxy or non-proxy traffic by IP or MAC address. The customer can also drill down to URI level when they need to investigate an incident. For them LANGuardian is an ideal solution for tracking BYOD activity as there are no modifications to the network and no agents, clients or logs required.

The MAC address variable is an important one when it comes to tracking devices on your network. Most networks use DHCP servers so you cannot rely on tracking activity based on IP addresses only. MAC addresses are unique per device so they will give you a reliable audit trail as to what is happening on your network.

Thanks to NetFort for the article.

Google Has Detected Unusual Traffic from Your Network

Google Has Detected Unusual Traffic from Your Network Malware on PCs and other devices can lead to all sorts of serious issues. From Ransomware to DDoS activity. Another symptom of malware that I come across a lot is when a Google displays the message “Google has detected unusual traffic from your network” when users search for something. The reason Google detects something is that they are probably receiving loads of automated searches from your IP addresses. Typically these searches are automated by Malware installed on one or more systems inside your network. Google Has Detected Unusual Traffic from Your Network Your options are very limited when this happens. One thing would be to ignore it but each time you want to search for something you will have to solve a CAPTCHA (a squiggly word with a box below it). The recommended approach would be to find out what is causing the problem in the first place. The Google notification will give you very little to go on so the main priority is to get visibility as to what is happening on your network. Forget about SNMP or NetFlow, you will need lots of detail to get to the root cause and neither of these protocols will do this. An ideal data source is a SPAN or mirror port. This will give you access to network packets or wire data as I hear some people describe it. A SPAN port will give you access to crucial information like IP addresses, host-names, web domain names, email addresses, application payloads, or MAC addresses. Once you have your SPAN port setup you just need to install LANGuardian and take a look at what is happening. Watch out for systems connecting to external IP addresses or hosts associated with lots of traffic associated with the Google domains. LANGuardian will also associate this network activity with usernames so you know who is causing the problem. See below for a recent quote from a customer. In this case they did not use LANGuardian to investigate a Google issue. However, it does goes to show how customers are really happy using LANGuardian to find out what is happening on their networks. “LANGuardian is a crucial part of our investigation tools within the network, gets right into what’s happening” James Barnes, ICT Team Leader, Ayrshire College, Scotland. Please don’t hesitate to get in contact with our support team if you are having an issue with a Google notification. You can also download a free trial of LANGuardian which can help you get to the root cause of any issues fast.


Thanks to NetFort for the article.

Magic Quadrant for Network Performance Monitoring and Diagnostics

Network professionals support an increasing number of technologies and services. With adoption of SDN and network function virtualization, troubleshooting becomes more complex. Identify the right NPMD tools to detect application issues, identify root causes and perform capacity planning.

Market Definition/Description

Network performance monitoring and diagnostics (NPMD) enable network professionals to understand the impact of network behavior on application and infrastructure performance, and conversely, via network instrumentation. Other users and use cases exist, especially because these tools provide insight into the quality of the end-user experience. The goal of NPMD products is not only to monitor network components to facilitate outage and degradation resolution, but also to identify performance optimization opportunities. This is conducted via diagnostics, analytics and debugging capabilities to complement additional monitoring of today’s complex IT environments. At an estimated $1.1 billion, the NPMD market is a fast-growing segment of the larger network management space ($1.9 billion in 2013), and overlaps slightly with aspects of the application performance monitoring (APM) space ($2.4 billion in 2013).

Magic Quadrant

Magic Quadrant for Network Performance Monitoring and Diagnostics

Vendor Strengths and Cautions- Highlights


Ixia was founded in 1997, specializing in network testing. Ixia entered the NPMD market through acquisition of Net Optics in 2013 and its Spyke monitoring product. The tool is aimed at small or midsize businesses (SMBs), although it can support gigabit and 10G environments. The Spyke tool has been subject to an end of life (EOL) announcement, with end of sale (EOS) beginning 31 October 2014, and EOL beginning 31 October 2017.

Given Ixia’s focus on the network packet broker (NPB) space, it can cover NPMD and NPB use cases, something only a few other vendors can claim. Ixia launched a new NPB platform, the Network Tool Optimizer (NTO) 7300 in 1H14, which provides large-scale chassis design and additional modules that help offload some NPMD capabilities. The goal of these modules is optimal use of the existing end-user NPMD tool. Modules include Ixia Packet Capture Module (PCM) with 14GB of triggered packet capture at 40GbE line rates and 48 ports of NPB, and the Ixia Application and Threat Intelligence (ATI) Processor, which provides extensive processing power in addition to 48 ports of NBP. The ATI Processor requires a subscription at an additional recurring cost. The new 7300 product and platform has no current Gartner-verified customer references. Fundamental VoIP, application visibility and end-user experience metrics are standard capabilities. While the tool provides packet inspection and application visibility, product updates have not been observed for some time and the road map remains unclear.

Ixia’s NPMD revenue is between $5 million and $10 million per year. Ixia did not respond to requests for supplemental information and/or to review the draft contents of this document. Gartner’s analysis for this vendor is therefore based on other credible sources, including previous vendor briefings and interactions, the vendor’s own marketing collateral, public information and discussions with more than 200 end users who either have evaluated or deployed each NPMD product.


  • Ixia’s ATI Processor provides visibility of, and rules to classify, traffic based on application types and performance of applications.
  • Ixia has significant R&D resources. Of the 1,800 staff, more than 800 are engineering- and R&D-focused.
  • Ixia’s market leadership in NPB allows it to leverage scalable hardware design with software capabilities to enable NPMD and additional troubleshooting needs by offloading some of these requirements from other more comprehensive NPMD tools.


  • With the EOS of the Spyke and Net Optics appTap platforms, Ixia appears to have discontinued investments in pure NPMD capabilities.
  • Since the launch of the NTO 7300 platform in early 2014, there has been limited traction due to existing NPB investments and high cost for the hardware buy-in.
  • Financial reporting restatements and filing delays, combined with the resignation of two senior corporate officers, may hinder overall strategic focus and vision.

JDSU (Network Instruments)

In 2014, we have witnessed the completion of JDSU’s acquisition of Network Instruments, its subsequent integration into JDSU’s Network and Service Enablement business segment, the recent release of updates to its NPMD offering, and announced plans to separate JDSU into two entities in 2015. While this action could provide additional efficiencies and focus in the future, the preceding business integration and sales enablement efforts are only now beginning to bear fruit and will have to shift once more in response to the coming changes. The Network Instruments unit has followed a well-established, vertically integrated technology development strategy, designing and manufacturing most of its product components and software. An OEM relationship with CA Technologies, which had Network Instruments providing its GigaStor products to CA customers, devolved into a referral relationship, but no meaningful challenges have been voiced by Gartner clients as a result of this. Two key parts of the NPMD solution have new product names (Observer Apex and Observer Management Server) and a new, modern UI that is a significant improvement. Network Instruments’ current NPMD solution set is now part of the Observer Performance Management Platform 17, and includes Observer Apex, Observer Analyzer, Observer Management Server, Observer GigaStor, Observer Probes and Observer Infrastructure (v.4.2).

JDSU’s (Network Instruments) NPMD revenue is between $51 million and $150 million per year.


  • Data- and process-level integration workflows are well-thought-out across the solution’s component products.
  • Network Instruments’ recent addition of a network packet broker product (Observer Matrix) to its offerings may appeal to small-scale enterprises looking for NPMD and NPB capabilities from the same vendor.
  • Packet capture and inspection capability (via GigaStor) is well-regarded by clients.


  • While significant business integration activities have not, to date, had a perceptible impact on support or development productivity, this process is ongoing and now part of a larger business separation action that could result in challenges in the near future.
  • The NPMD solution requires multiple components with differing user interfaces that are not consistent across products.
  • The solution is focused on physical appliances, with limited options beyond proprietary hardware.

To learn more, download the full report here

Thanks to Gartner for the article.