Google: "Unusual traffic from your computer network"

  • I often happen to receive the message: "Unusual traffic from your computer network" while googling in Russian-speaking countries.

    Google explains this with:

    You may see "Our systems have detected unusual traffic from your computer network" if Google detects that a computer or phone on your network may be sending automated traffic to Google.

    Automated traffic includes:

    • Sending searches from a robot, computer program, automated service, or search scraper

    • Using software that sends searches to Google to see how a website or webpage ranks on Google

    Most of the time, Google simply stops working and I have to use Bing.

    Despite what Google says, I still don't get what the misbehaviour is here. What is the problem with privacy/security, if any?
    Why does this happen quite regularly in some regions of Eastern Europe and, most of all, why does it affect all users of the network and not only those sending the unauthorised traffic?

    Is "automated traffic" an understatement for something trying to flood their servers?

    Are you performing impossible trips? Like accessing Google with your actual IP and then without closing your browser connecting to a VPN service which provides an IP registered far away from your actual location? - This happens to me all the time when I use VPN.

    I got this message in New Zealand (we're quite far from Russia down here) while googling information on Wordpress security... it seems likely the message was triggered by the particular searches I made.

  • While what they look for isn't disclosed, we do know how malware abuses Google searches -- attackers will search for sites that display specific signs of vulnerabilities and use that for target selection. So the more you look like you're doing that in an automated fashion, the more likely you are to get blocked.

    So searching for "facebook" and "michael phelps" and "ebola prevention" is probably less likely to attract attention, while searching for "plugins/cart.php" or "powered by Wordpress" is a bit more suspicious. Other minor factors, like ignoring cookies and sending at a predictable rate might make you look even more like a script. And most importantly, we know that they watch your traffic rate. Lots of searches in a small time is the most reliable way to get yourself flagged.

    That's not to say that Google looks for these things. If they were to say what they were looking for then attackers would take measures to mask their behavior.

    Most importantly, though: just because you aren't doing anything suspicious in your browser doesn't mean that your computer isn't doing it in an automated fashion in a way you can't see. Malware doesn't need your browser to make these queries. Make sure that nothing on your network is sending traffic you don't know about. Do a packet capture at your gateway to be sure.

  • Just a theory:

    If you have a dynamic or shared ip address it could be that somebody who had your ip address before was abusing his internet connection to do some automatic searching.


    • I know of some mobile internet providers (3g, 4g) who put many customers behind the same NAT ip-address. One misbehaving guy is enough to screw up things for all the other users sharing the same external ip-address.

    • Regular DSL providers often give you a dynamic IP address. As stated above, you could end up with a "dirty" ip-address.

    Another theory: Check your computer for malware, maybe your computer is abused as a search robot through some malware.

    Not a bad idea, a packet capture may also show interesting traffic.

    How are you connecting to the network? A shared connection over a public wifi hotspot?

    The IP is for sure not static, so NAT or anyway dynamic. I tend to exclude malware, because it is a recurring phenomenon in some regions/providers, not only for me.

    I have experienced this when using automated tools that abuse Google's search functionality. For example, page crawlers running through Google searches at a high rate.

  • We had a user using a plugin in firefox called "trackmenot" that was sending a bunch of data to google every 6 seconds. Disabling this or reducing the frequency of the connections solved the problem.

    To initially track down the user I NAT'ed each of our internal subnets over different external IP's. After someone reported the error again we moved the person reporting the problem into an additional quarantine group of internal source IP's with a new externally NAT'ed IP. We kept adding/removing users from this group until we were down to 1 user. We have 100+ users and this process took 2-3 days.

    I hope this helps someone.
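As an added example (not part of the original answers): the answers above suggest a packet capture at the gateway and describe hunting for a client that contacted Google every 6 seconds. Once per-request records are exported from the gateway, a check like the one below points at the internal host directly. The log format, IP addresses and thresholds are assumptions constructed for this example.

```python
import statistics
from collections import defaultdict

def google_requests(lines, suffix="google.com"):
    """Group request timestamps by internal source IP for hosts under `suffix`."""
    by_src = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, src, host = parts
        if host == suffix or host.endswith("." + suffix):
            by_src[src].append(float(ts))
    return by_src

def find_automated(lines, min_requests=10, max_cv=0.15, max_per_min=30):
    """Return {src: (reason, value)}. Thresholds are assumptions for this
    example, not Google's undisclosed criteria."""
    flagged = {}
    for src, stamps in google_requests(lines).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: near 0 means timer-driven, evenly spaced requests.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        per_min = len(stamps) / (max(stamps[-1] - stamps[0], 1.0) / 60)
        if cv <= max_cv:
            flagged[src] = ("periodic", round(mean, 1))
        elif per_min > max_per_min:
            flagged[src] = ("high-rate", round(per_min))
    return flagged

def sample_log():
    """Constructed gateway log: '<epoch seconds> <internal src IP> <requested host>'."""
    lines = ["1003.0 10.0.1.23 example.org"]  # unrelated traffic, ignored
    for i in range(20):  # 10.0.1.23: one request about every 6 s
        lines.append(f"{1000 + 6 * i + (i % 2) * 0.2:.1f} 10.0.1.23 www.google.com")
    t = 1000.0
    for gap in [4, 37, 9, 120, 15, 62, 8, 210, 33, 5, 90, 18]:  # 10.0.2.7: human pace
        t += gap
        lines.append(f"{t:.1f} 10.0.2.7 www.google.com")
    t = 1000.0
    for i in range(40):  # 10.0.3.9: irregular burst, 40 requests in under 40 s
        t += [0.2, 1.8, 0.5, 1.5][i % 4]
        lines.append(f"{t:.1f} 10.0.3.9 www.google.com")
    return lines

if __name__ == "__main__":
    for src, (reason, value) in find_automated(sample_log()).items():
        print(src, reason, value)
```

Behind NAT the gateway is the only place where the internal source address is still visible, which is why the records have to come from there rather than from anything Google reports.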

  • I sometimes hit this when googling technical matters fast (manually), and only looking for search results for a second or two (without following the links).

    This happens regardless of OS I'm currently on (Windows or Linux), and without any other machines behind my NAT (without dynamic IP changes in a while).

    There's no malware, browser plugins, or scraping software installed.

    And yes, I'm in Russia :)

    So, shortly, it very much seems, Google has its bot filters tightened up for E. Europe, and merely typing (and reading) fast may get you temporarily banned :)

    ..and here we go again; cheers from Mother Russia :)

  • I experience the same issues if I tunnel my web traffic through a proxy. I'm not sure why this is; but I'm guessing that these proxies you're using are publicly available, as most of mine are.

    If this is the case, then odds are there are hundreds of users making near simultaneous requests through the same proxy server as you. I'm hesitant to say that this alone would be the reason, since larger offices/businesses could probably match this traffic. Even if this isn't the case, you'll still be slapped on the wrist for another user's malicious actions, a few of which Google made mention of.

    If you're at all familiar with proxy servers, then you'll know that the only IP address Google knows about is that of the proxy server. Each client's IP address is known by the proxy server, but not by Google. In this fashion, the traffic sent from Google is forwarded from the proxy server to the client, and a meager means of anonymity can be achieved. For this reason, Google can only reprimand the proxy server, not the individual clients.

    As well, I see some other users have mentioned that the traffic might be originating from your computer. This is highly unlikely. This is evidenced by the fact that you don't run into these warnings when you aren't accessing Google through a proxy.

    Just to clarify: I am not using a proxy. It is the ordinary access I get when I travel/live in Eastern Europe. A proxy server can be used for hiding yourself, so it is reasonable that some suspicious activity can happen behind it. In my case all users of a given provider are taxed, because some of them are possibly bad, and this happens with all providers of a given "bad" region.

    In this case, a VPN would likely be the best route. There are numerous ones available for under $5. Saving your router's logs wouldn't hurt either. Filter traffic for (or whatever the appropriate domain would be) and look for anything suspicious. Likely this was done as a result of previous activity and you were indeed given a "dirty" IP. Your ISP body should be able to assign you a different public-facing IP.

  • The reason this happens is due to the algorithm used to determine the page ranking of the sites. In the instance that many Google-based tracking cookies seem to come from one IP address, as is the case in a NATted situation, it becomes difficult to attribute the searches to the one user. You could conceivably be trying to deliberately poison the collection by randomly generating sequences to hit upon a collision of some sort, which is why this unusual traffic page is spawned. Also, they probably use several metrics to determine if that one IP address is meant to be on that list. So an automated search, large amounts of bot clicking, etc. raises the level till it reaches the threshold. This is a pretty tricky situation, because sinkholing an entire range could result in a large group of people unable to reach their content.

    Page ranking has nothing to do with it.

    To determine the appropriate ranking, you need to determine the legitimacy of the user. With that in mind, any ip address that emits users with inappropriate characteristics results in that ip address being flagged with unusual traffic.

    The real reason why this happens is because search costs server resources (and thus money) and Google doesn't want bots using it because bots (as opposed to users) don't see nor care about ads.

    Yes, and to determine those characteristics, there needs to be some sampling of the behavioural markers from that ip address.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM