How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet-facing IP address, not the private IP address assigned to your laptop, PC or other device. If you don’t know what your Internet-facing (or public) IP address is, you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like http://www.ipvoid.com/ to see if your IP address is on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

How to Monitor Internet Activity Using a SPAN Port

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Blog Post: How to deal with “Google has detected unusual traffic from your network” notifications

Please don’t hesitate to get in contact with our support team if you are having an issue with an unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Thanks to NetFort for the article.


Wire Data – More Flexible Than Log Data?


Just after finishing a pretty long road trip around the US, New York, New Jersey, Washington DC, Chicago, Austin and San Francisco. Travelling around the US this time of year can be very ‘challenging’ for sure, some airports can handle the snow and some like Newark do an OK job. Although sitting in an airplane at the gate for over 3 hours in Newark Saturday night, waiting for my flight to Shannon to leave and one of the pilots to arrive was not an act of God. Imagine he was the one guy who got caught in traffic, all the other people on the flight knew bad weather was on the way and adjusted travel plans accordingly!

Anyway, it was a great trip, I met some partners and customers, really enjoyed and appreciate their time and feedback. One interesting term that was mentioned a lot was ‘wire data analytics’. Why? What are the use cases? How does ‘wire data’ add value?

A lot of the use cases seem to be security and data related. It comes down to the detail one can get from looking inside the packets, detail that is not available from flow technologies like NetFlow. Looking inside the packet with deep packet inspection does not always have to be about timings, latency, QoE, etc. It can help provide the proof, that final piece of detail needed to really understand what happened: the domain name and URI, for example, and the amount of data uploaded or downloaded. These are critical pieces of information for security forensics.


For example, Ransomware is still very common. One user in a company got hit by cryptolocker, had no backup and were considering paying the ransom. These bad guys are targeting the file shares, creating files with strange file names, like ‘howdecrypt.txt’, encrypting, etc. Boy, do you miss your data when you can’t access it, like when your Windows laptop gets corrupted and will not boot, you will try anything to get your data back.


So, how does wire data help with ransomware, for example? If you can capture the right level of detail ‘off the wire’, like the file name, the user name, the source IP address, the action (say ‘create file’) and the server IP address, then you can alert on or block the source IP and prevent further infection. You can also use the information to see if other hosts or servers have been infected. Comparing wire data and log data in this case is also very interesting.

Log data can also be very useful when troubleshooting, but crucially in this particular use case, if logging is enabled on the Windows file share server, the logged detail does not include the source or client IP address. It includes an awful lot of other detail, sometimes adding huge overhead to the server, but not the source IP, which is usually pretty useful!

But this also demonstrates the flexibility of ‘wire data’, you can of course capture it at any point across the network, SPAN multiple VLANS for example. Also, if you have a SMB dissector available (as in our NetFort LANGuardian) and it is intelligent and fast enough, the dissector can decide which data to identify, extract, and keep.

You do not want to keep every single packet because then you will have a Big Data problem and you will not be able to see anything useful unless you are an expert. In the case above you can decide to extract and store the client IP address, which is easier than going back to Microsoft and telling them to also log this in a future version!

Wire data is not dependent on the format or content of the log and can be a very flexible and independent option.
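The ransomware use case above, sketched as an added example (it is not NetFort's or LANGuardian's code): it scans SMB metadata records for the ‘howdecrypt.txt’ name mentioned in the article, alerts on the client IP, and lists every server that client wrote to. The record layout, IP addresses, user names and paths are constructed for illustration.

```python
from collections import defaultdict

# Ransom-note name taken from the article; extend with names from your own incidents.
RANSOM_NOTE_NAMES = {"howdecrypt.txt"}
WRITE_ACTIONS = {"create", "write", "rename"}

# Constructed sample of what an SMB dissector might extract (not real traffic):
# (time, client IP, user, action, server IP, file path)
SAMPLE_EVENTS = [
    ("09:14:01", "10.0.1.23", "jsmith", "read",   "10.0.0.5", r"\\fs01\finance\q1.xlsx"),
    ("09:14:07", "10.0.1.40", "mbyrne", "create", "10.0.0.5", r"\\fs01\hr\HowDecrypt.txt"),
    ("09:14:08", "10.0.1.40", "mbyrne", "write",  "10.0.0.5", r"\\fs01\hr\policy.doc"),
    ("09:14:30", "10.0.1.40", "mbyrne", "create", "10.0.0.6", r"\\fs02\projects\HowDecrypt.txt"),
    ("09:15:02", "10.0.1.40", "mbyrne", "rename", "10.0.0.7", r"\\fs03\archive\2014.zip"),
    ("09:15:10", "10.0.1.23", "jsmith", "create", "10.0.0.5", r"\\fs01\finance\notes.txt"),
]

def basename(path):
    """Last path component, lower-cased, for UNC or forward-slash paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspect_clients(events, note_names=RANSOM_NOTE_NAMES):
    """Map client IP -> list of (time, user, server, path) ransom-note creations."""
    notes = defaultdict(list)
    for ts, client, user, action, server, path in events:
        if action == "create" and basename(path) in note_names:
            notes[client].append((ts, user, server, path))
    return dict(notes)

def servers_to_check(events, suspects):
    """Every server a suspect client modified, including ones with no note yet."""
    touched = defaultdict(set)
    for ts, client, user, action, server, path in events:
        if client in suspects and action in WRITE_ACTIONS:
            touched[client].add(server)
    return {client: sorted(servers) for client, servers in touched.items()}

if __name__ == "__main__":
    suspects = find_suspect_clients(SAMPLE_EVENTS)
    for client, hits in suspects.items():
        users = sorted({user for _, user, _, _ in hits})
        print(f"ALERT client={client} users={users} ransom_notes={len(hits)}")
    print("Servers to check:", servers_to_check(SAMPLE_EVENTS, suspects))
```

The third server in the output has no ransom note on it, which is the scoping step the article describes: the client IP lets you find servers the infected host touched before any obvious indicator appears there.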

Thanks to NetFort for the article. 

Google Has Detected Unusual Traffic from Your Network

Malware on PCs and other devices can lead to all sorts of serious issues, from ransomware to DDoS activity. Another symptom of malware that I come across a lot is when Google displays the message “Google has detected unusual traffic from your network” when users search for something. The reason Google detects something is that they are probably receiving loads of automated searches from your IP addresses. Typically these searches are automated by malware installed on one or more systems inside your network.

Your options are very limited when this happens. One thing would be to ignore it, but each time you want to search for something you will have to solve a CAPTCHA (a squiggly word with a box below it). The recommended approach would be to find out what is causing the problem in the first place. The Google notification will give you very little to go on, so the main priority is to get visibility as to what is happening on your network.

Forget about SNMP or NetFlow: you will need lots of detail to get to the root cause and neither of these protocols will provide it. An ideal data source is a SPAN or mirror port. This will give you access to network packets, or wire data as I hear some people describe it. A SPAN port will give you access to crucial information like IP addresses, host names, web domain names, email addresses, application payloads, or MAC addresses.

Once you have your SPAN port set up you just need to install LANGuardian and take a look at what is happening. Watch out for systems connecting to external IP addresses, or hosts associated with lots of traffic to the Google domains. LANGuardian will also associate this network activity with usernames so you know who is causing the problem.

See below for a recent quote from a customer. In this case they did not use LANGuardian to investigate a Google issue. However, it does go to show how customers are really happy using LANGuardian to find out what is happening on their networks.

“LANGuardian is a crucial part of our investigation tools within the network, gets right into what’s happening” James Barnes, ICT Team Leader, Ayrshire College, Scotland.

Please don’t hesitate to get in contact with our support team if you are having an issue with a Google notification. You can also download a free trial of LANGuardian which can help you get to the root cause of any issues fast.
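One way to look for hosts associated with lots of traffic to the Google domains, as an added example (not LANGuardian's own logic): it takes per-request metadata from a SPAN port and reports each internal client's busiest 60-second window. The record layout, the domain suffix list, the window and the threshold of 30 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Assumption: extend with the country domains your users actually reach.
GOOGLE_SUFFIXES = ("google.com", "google.ie")

def is_google_host(host):
    """Match the domain itself or a subdomain, but not look-alike names."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in GOOGLE_SUFFIXES)

def busiest_window(events, window=60):
    """Map client IP -> most Google requests seen in any `window`-second span.

    events: iterable of (unix_seconds, client_ip, requested_host).
    """
    recent = defaultdict(deque)   # per-client timestamps inside the window
    peak = defaultdict(int)
    for ts, client, host in sorted(events):
        if not is_google_host(host):
            continue
        q = recent[client]
        q.append(ts)
        while q[0] <= ts - window:   # expire requests older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return dict(peak)

def flag_clients(events, window=60, threshold=30):
    """Clients whose busiest window reaches the threshold (assumed value)."""
    peaks = busiest_window(events, window)
    return sorted(c for c, n in peaks.items() if n >= threshold)

# Constructed sample: one host searching every second, one user browsing normally,
# plus traffic to a look-alike domain that must not be counted.
SAMPLE_EVENTS = (
    [(t, "10.0.1.40", "www.google.com") for t in range(0, 120)]
    + [(t, "10.0.1.23", "www.google.ie") for t in range(0, 200, 40)]
    + [(t, "10.0.1.23", "notgoogle.com.example") for t in range(0, 100)]
)

if __name__ == "__main__":
    for client, n in sorted(busiest_window(SAMPLE_EVENTS).items()):
        print(f"{client}: peak {n} Google requests per 60s")
    print("Investigate:", flag_clients(SAMPLE_EVENTS))
```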


Thanks to NetFort for the article.