What Traffic Reports To Focus on if You Are Dealing With Google Unusual Traffic Notifications
Why does Google sometimes show unusual traffic messages?
Recently I worked with a number of network managers who downloaded our LANGuardian software to try and find the source of malware on their networks. The issue they faced was that clients were been presented with the message “Our systems have detected unusual traffic – possibly Malware from your computer network” when they tried to access Google services.
You then get a reCAPTCHA. To continue using Google, you have to solve the reCAPTCHA. It’s how Google knows you’re a human, not a robot. After you solve the reCAPTCHA, the message will go away and you can use Google again. The image below shows an example of what is displayed.
Google closely monitors what network traffic is directed at their infrastructure. If devices on your network seem to be sending automated traffic to Google, you might see “Our systems have detected unusual traffic from your computer network.” Google considers automated traffic to be:
- Searches from a robot, computer program, automated service, malware (true?) or search scraper
- Software that sends searches to Google to see how a website or webpage ranks on Google
The main reason behind all of this is that Google does not want any automated traffic which is designed to influence search results.
How can I monitor Google traffic on my network?
All Google traffic will flow in and out of your Internet gateways so this is where you need to capture traffic. Use a SPAN or mirror port to capture a copy of traffic going to and from your firewall. Make sure you capture the data inside your network so you can identify what client is sending unusual traffic.
The image below shows a typical setup if you want to detect any unusual traffic on your network. In this we use our LANGuardian traffic analysis tool to monitor traffic coming from a SPAN\Mirror port on our core switch. LANGuardian is deep-packet inspection software that monitors network and user activity. The core switch is configured to send a copy of all traffic going to and from the firewall to the monitoring port which is also known as a SPAN or mirror port.
What traffic reports do I need to look at?
Our LANGuardian product is available as a 30 day trial. This should give you enough time to get to the root of the problem. Once you have the trial installed there are two key reports to focus on. Use the search bar at the top of the LANGuardian GUI to search for these reports:
- Top Website Domains with Client IPs (Page Hits)
- Top Website Domains with Client IPs
In both cases enter Google into the Website Domain report filter on the left. The first report will show the top clients connecting to Google services based on the number of connections. The second report shows the top clients on your network connecting to Google services based on traffic volumes. Unusual traffic would be seen as a client which is establishing thousands of connections in a short time period like one hour. Unusual traffic volumes can be seen as multiple gigabyte levels to Google search or Google API services.
Click on the image below to access our online demo and see what the reports look like.
If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with one of our helpful technical support team.