planetcaravan
Member Candidate
Topic Author
Posts: 267
Joined: Tue Aug 25, 2009 5:33 pm

How to find IP with Google automated queries

Sat Mar 22, 2014 6:25 pm

Hi there,

I've a WISP with 100+ users with 1 public IP address. I'm facing this problem https://support.google.com/websearch/answer/86640?hl=en.
How can I find which user IP is sending automated queries to Google?
I've set up a mangle rule but just can't find anything.

Can somebody help me?
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 6:59 pm

You might want to set up some traffic monitoring. That is, log EVERY connection made to Google, and the private IP of it. Soon after, you'll see upon viewing the log, if a certain private IP is making too many requests in too short a time frame, or perhaps if the overall rate is becoming too much, and you need a new public IP to move some of your customers to.
 
planetcaravan
Member Candidate
Topic Author
Posts: 267
Joined: Tue Aug 25, 2009 5:33 pm

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 7:21 pm

What about logging every NAS and watching which NAS is doing the biggest traffic?
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 7:34 pm

> What about logging every NAS and watching which NAS is doing the biggest traffic?

That's kinda what I meant, yeah.

Although if multiple devices (as in, multiple private IPs) connect through the same NAS, this wouldn't help you locate the exact client, but would still help you narrow your search.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 8:41 pm

First I would check if your firewall/router etc. is compromised. Google is pretty good at differentiating normal NATed traffic from abuse. Nine times out of ten we find that there is a compromised system behind this problem.
 
planetcaravan
Member Candidate
Topic Author
Posts: 267
Joined: Tue Aug 25, 2009 5:33 pm

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 8:45 pm

What did you mean by:

> if your firewall/router etc. is compromised

?

I'm using all MikroTik routers as all NAS and internet gateway. All is working fine.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 9:11 pm

The problem might be caused by a client being compromised but it can also be caused by problems on (e.g.) your firewall itself.

If you email me we can check your external IP for the most obvious problems. Please don't post the IP publicly.
 
rextended
Forum Guru
Posts: 12638
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to find IP with Google automated queries

Sat Mar 22, 2014 9:57 pm

The problem, 90% of the time, is caused by a web proxy open on the WAN:
some remote PC can navigate through your web proxy.

Check if you have the web proxy activated, and disable it, or add a NAT rule to block all unsolicited new connections from the WAN to the web proxy port.


 
joshaven
Member
Posts: 438
Joined: Fri May 06, 2011 1:50 am
Location: USA

Re: How to find IP with Google automated queries

Sun Mar 23, 2014 3:25 am

It sounds like you're going to need a little more help than you'll generally get from the user forum. Let me know if you would like some detailed help. You can get my contact info from my website.


Joshaven Potter
http://joshaven.com
 
IslandWisper
just joined
Posts: 3
Joined: Sun Mar 16, 2014 5:42 pm

Re: How to find IP with Google automated queries

Sun Mar 23, 2014 4:15 am

What do your filters look like on the input chain? Do you have the web proxy running?
 
planetcaravan
Member Candidate
Topic Author
Posts: 267
Joined: Tue Aug 25, 2009 5:33 pm

Re: How to find IP with Google automated queries

Sun Mar 23, 2014 5:17 pm

Hi there,

thanks for all your posts.
Here is what I have:

    ip proxy print
    enabled: no

Address list:

    /ip firewall address-list
    add address=64.233.161.0/24 list=Google
    add address=64.233.183.0/24 list=Google
    add address=66.102.7.0/24 list=Google
    add address=66.249.93.0/24 list=Google
    add address=64.233.167.0/24 list=Google
    add address=64.233.185.0/24 list=Google
    add address=66.102.9.0/24 list=Google
    add address=64.233.171.0/24 list=Google
    add address=64.233.187.0/24 list=Google
    add address=66.102.11.0/24 list=Google
    add address=64.233.179.0/24 list=Google
    add address=64.233.189.0/24 list=Google
    add address=66.249.87.0/24 list=Google
    add address=74.125.70.0/24 list=Google
    add address=72.14.207.0/24 list=Google
    add address=107.178.192.0/18 list=Google
    add address=173.194.0.0/16 list=Google
    add address=216.239.53.0/24 list=Google
    add address=216.239.63.0/24 list=Google
    add address=216.239.32.0/19 list=Google
    add address=216.239.37.0/24 list=Google

And this mangle for each NAS:

    /ip firewall mangle
    add action=log chain=forward comment="NAS1 to Google" connection-state=new \
        dst-address-list=Google log-prefix=Nas1-Google out-interface=ether2 \
        src-address=172.16.128.0/24
So I have no proxy and I have set up a rule to count how many requests are sent to Google IP prefixes.
I guess I have to put a rule for each client that connects to my network, so 100+ rules!
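
Added example, not part of any post in this thread: each line written by a firewall `action=log` rule already carries the source address of the connection, so the output of the single per-NAS rule above can be aggregated per client offline, which is the log review suggested earlier in the thread. The log line layout, the constructed sample lines, the subset of prefixes and the per-minute threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# A few of the "Google" address-list prefixes from the post above.
GOOGLE_NETS = [ip_network(n) for n in ("173.194.0.0/16", "216.239.32.0/19", "74.125.70.0/24")]

def _line(sec, src, dst, prefix="Nas1-Google"):
    # Constructed log line; layout assumed to follow RouterOS firewall log output.
    return (f"mar/23 17:20:{sec:02d} firewall,info {prefix} forward: in:ether3 out:ether2, "
            f"src-mac 00:0c:42:00:00:01, proto TCP (SYN), {src}:{40000 + sec}->{dst}:80, len 60")

# Constructed sample: one busy client, one normal client, one unrelated rule, one junk line.
SAMPLE_LOG = "\n".join(
    [_line(s, "172.16.128.23", "173.194.35.16") for s in range(40)]
    + [_line(s, "172.16.128.7", "216.239.38.120") for s in (5, 50)]
    + [_line(9, "172.16.128.99", "173.194.35.16", prefix="Other")]
    + ["mar/23 17:20:10 system,info router rebooted"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d{2}:\d{2}):\d{2} .*?(?P<prefix>\S+) forward: .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)

def count_new_connections(log_text, prefix="Nas1-Google"):
    """Count logged connections to Google prefixes, keyed by (minute, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["prefix"] != prefix:
            continue  # not a firewall line from the rule we care about
        if not any(ip_address(m["dst"]) in net for net in GOOGLE_NETS):
            continue
        counts[(m["ts"], m["src"])] += 1
    return counts

def noisy_clients(counts, per_minute_limit):
    """Source IPs that exceeded the limit in at least one minute, with their peak rate."""
    peak = {}
    for (_minute, src), n in counts.items():
        if n > per_minute_limit:
            peak[src] = max(peak.get(src, 0), n)
    return sorted(peak.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for src, rate in noisy_clients(count_new_connections(SAMPLE_LOG), per_minute_limit=30):
        print(f"{src}: peak {rate} new connections/minute to Google")
```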