Google's "unusual traffic" notification

gall at gall at
Thu Jul 25 11:07:37 CEST 2013

On Thu, 25 Jul 2013 10:31:21 +0900, Erik Kline <ek at> said:

> On 24 July 2013 18:51,  <gall at> wrote:
>> On Wed, 24 Jul 2013 10:27:20 +0200, Philipp Kern <phil at> said:
>>> On 2013-07-24 10:05, gall at wrote:
>>>> A customer reported to us that many of his users have been getting the
>>>> "Our systems have detected unusual traffic from your computer network"
>>>> message from Google since last week.  Apparently, this is only
>>>> happening for IPv6, which makes me suspect that there is some kind of
>>>> glitch with Google's technique for detecting what they believe is
>>>> automated traffic.
>>> I presume it's per IP block, so it's not at all surprising that it
>>> "happens only for IPv6". So are you sure that there's no automated
>>> traffic happening? (Netflow should/might tell you that.)
>> This is not easy to find out without knowing what pattern to look for
>> (threshold, block size) and which time period to check (depends on how
>> long a block remains banned, which I don't know either).
>> >From past experience, I have developped a reflex to suspect that
>> something is not working as inteded when "it only happens with IPv6"
>> :/ That's why I try to find out if that could be the case here before
>> pursuing other options.  Call it a hunch.
>> If anybody from Google is listening (Lorenzo?), maybe they could check
>> for me if and why something in 2001:620:610::/48 is banned.

> FWIW, it seems this is basically working as intended.  (I'll follow up
> with you, unicast, for more detail.)

Thanks, much appreciated!  I feel like there are some general issues
here that are of interest to this list, though they are probably not
actually specific to IPv6.

People are obviously having a hard time to get information about why
they are being blocked. On
it says:

  If the problem persists, your network administrator should contact

So, how do I contact "you", Google?  This is simply a dead end.  I
have also already stated (and others have confirmed it) that
<> is a black hole.

On a more technical note, I'd like to know

  - how "abuse" is measured

  - the size of the address range that's being blocked due to abuse
    from a single address and how this is done for IPv4 and IPv6

  - how long it takes for a ban to expire

There really needs to be a way for us operators to get enough
information to understand what's going on.  It's cool to have people
respond on a list like this, but Erik doesn't scale ;)

In our case, there appears to have been abuse from 3 (three)
addresses, which has caused pain for a substantial number of users.
This looks excessive to me, but there is really no way for me to tell
with the little information I have.


More information about the ipv6-ops mailing list