Question: Google 'Unusual Traffic' Block/Captcha - Tracing Root Cause

Add your own question »

Still looking for the right answer? Log in or Register to ask a question.
  • Like
    0Likes
  • Unlike
    0Likes

Hi,
We've just had another incident of Google showing a Captcha page to some of our users who are using a particular outbound source NAT address.

https://support.google.com/websearch/answer/86640?hl=en

The issue actually cleared in about 10 minutes this time, but last time it was most of the day.
I've filled in the Google webform to explain the issue but not sure if that's what cleared it.

I just wondered if anyone else has experienced the same issue, and if (and how) you managed to find the source host responsible.

Google suggests that it's users running automated queries which cause the temporary block but I can't separate those from normal Google traffic. :(

Thanks all.
Ste :)

Answers

0
+1 -1

How many users do you have and behind how many NAT addresses? I imagine the block is to stop people screen-scraping search results instead of using their APIs.

0
+1 -1

Hi James,

Yep, that's exactly why Google block this traffic.

In answer to your question, we have LOTS of users behind a FEW NAT addresses - something we have in common with a lot of institutions. Google occasionally appears to pick on us to block traffic and it affects all the users using that outside NATd address.

I have a feeling it's one 'type' of traffic that causes the automated block to kick in so I just wondered if anyone else had been able to identify the real source IP that caused the issue and perhaps what it is they're doing?

All the best,
Stephen

0
+1 -1

How long does a user's session with a particular NAT address last? We've encountered problems with Google services where users appear to be rapidly hoping between IP addresses.

With Google now pushing almost all traffic over HTTPs it may be increasingly difficult to trace the issue if it actually is a client system doing something they shouldn't.

0
+1 -1

Hi James,
On our configuration, a specific source IP address should always get NATd to the same outside public address.
I'm sure it's some sort of unusual client behaviour causing it, otherwise it would affect so many more institutions & businesses.
I have found other examples of organisations getting the same symptom, but none have been able to identify exactly why and Google are certainly not very forthcoiming.
Cheers,
Stephen
ps. we've not experienced the block since July so maybe Google have refined their detection filters?