Google's "unusual traffic" notification

gall at switch.ch gall at switch.ch
Thu Jul 25 11:07:37 CEST 2013 

On Thu, 25 Jul 2013 10:31:21 +0900, Erik Kline <ek at google.com> said:

> On 24 July 2013 18:51,  <gall at switch.ch> wrote:
>> On Wed, 24 Jul 2013 10:27:20 +0200, Philipp Kern <phil at philkern.de> said:
>> 
>>> On 2013-07-24 10:05, gall at switch.ch wrote:
>>>> A customer reported to us that many of his users have been getting the
>>>> "Our systems have detected unusual traffic from your computer network"
>>>> message from Google since last week.  Apparently, this is only
>>>> happening for IPv6, which makes me suspect that there is some kind of
>>>> glitch with Google's technique for detecting what they believe is
>>>> automated traffic.
>> 
>>> I presume it's per IP block, so it's not at all surprising that it
>>> "happens only for IPv6". So are you sure that there's no automated
>>> traffic happening? (Netflow should/might tell you that.)
>> 
>> This is not easy to find out without knowing what pattern to look for
>> (threshold, block size) and which time period to check (depends on how
>> long a block remains banned, which I don't know either).
>> 
>> >From past experience, I have developped a reflex to suspect that
>> something is not working as inteded when "it only happens with IPv6"
>> :/ That's why I try to find out if that could be the case here before
>> pursuing other options.  Call it a hunch.
>> 
>> If anybody from Google is listening (Lorenzo?), maybe they could check
>> for me if and why something in 2001:620:610::/48 is banned.

> FWIW, it seems this is basically working as intended.  (I'll follow up
> with you, unicast, for more detail.)

Thanks, much appreciated!  I feel like there are some general issues
here that are of interest to this list, though they are probably not
actually specific to IPv6.

People are obviously having a hard time to get information about why
they are being blocked. On
<https://support.google.com/websearch/answer/86640?hl=en#ts=3088265,3087987>,
it says:

  If the problem persists, your network administrator should contact
  us

So, how do I contact "you", Google?  This is simply a dead end.  I
have also already stated (and others have confirmed it) that
<https://support.google.com/websearch/contact/ban> is a black hole.

On a more technical note, I'd like to know

  - how "abuse" is measured

  - the size of the address range that's being blocked due to abuse
    from a single address and how this is done for IPv4 and IPv6

  - how long it takes for a ban to expire

There really needs to be a way for us operators to get enough
information to understand what's going on.  It's cool to have people
respond on a list like this, but Erik doesn't scale ;)

In our case, there appears to have been abuse from 3 (three)
addresses, which has caused pain for a substantial number of users.
This looks excessive to me, but there is really no way for me to tell
with the little information I have.

-- 
Alex

More information about the ipv6-ops mailing list