Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

21 September 2008

Google Believes I'm a Virus

I received the following Error Message today when I tried to access Google homepage.

But what makes Google believe that my request is coming from a Virus or Spyware application? Has any of you received a similar message too?

Ok, according to Google Help Center, "This message appears when Google detects automated querying coming from your IP Address, thus causing a quick spike in traffic on http://www.google.com".

But wait a minute, this can also happen if you are behind a NAT'ing device, and another device in your network is sending automated queries to Google.
It's likely that a user or a computer in your network is running automated querying. Sending automated queries of any sort to Google is against our Terms of Service. This includes, among other things, the following activities:
* Using any software that sends queries to Google to determine how a website or webpage ranks on Google for various queries
* 'Meta-searching' Google
* Performing 'offline' searches on Google

Now, what's the next step? If you have suitable privileges on that network, I think you have to deploy or gather the logs from existing IDS/IPS Sensors and Traffic Anomaly Detection Systems. Such softwares can detect Traffic Peaks and other Traffic Patterns that violates the normal Behavior on your Network, and can then detect the offending host(s). Another solution for those who do not own an IPS is to gather the traffic logs from their Gateway Firewall or Router and analyze those logs manually.

The problem here is that there is no IPS installed, or may be there is one but I have no access to it. So I am forced to do it the hard way, to analyze the firewall logs. As far as I can see the nember of sessions from the internal network to Google IP Address are not that huge or even big enough to be suspected by their system. So it seems that it's as they said in their Help Center. May be it's something in the content of the traffic and not it's volume. May be they get alerted when they see someone using their search engine for example and the User-Agent parameter in his/her get request in not equal to any web browser they are aware of.

Anyway, is seems that with the tools available to me now, it is really hard to know the real reason for Google's error message, and how to detect the violating host and stop it if possible. So you may consider this post as some kind of rant or chit-chat.

Error Message URL: http://sorry.google.com/sorry/Captcha?continue=http://www.google.com

Tags: , ,