Google attacked my website! – Google Cloud Services DoS attack


And it wasn’t the first time.

For the second day in a row, michaeltyler.co.uk has been hit by a Denial of Service attack emanating from ‘Google Cloud Services’.

Each time, in the early hours of the morning, I’m visited by the ‘Google Cloud Service’ bot, which subsequently visits every page on my site in quick succession.

It’s called an asymmetric attack. (In this type of attack, the application layer receives high-workload requests that consume server resources such as RAM.)

This places an unnaturally high demand on the server’s CPU, slowing the server down, and if left, possibly blowing it up. To stop this happening, when the CPU gets warm, it automatically designates the source and shuts it down, putting the offending site on error.

Each time, I’ve been able to trace the source of the problem to Google Cloud Services.

Google Cloud Services caches sites for their owners, but it’s closing my site down, maliciously!

Tracking code

Usually when you sign on to some sort of BOT activity on your site, you’re asked to put a verification code on there, to confirm that it’s actually you requesting the traffic, not some rogue element wishing to take your website down.

You, as the owner, actively sign on to have your site crawled.

Technical details

Here are the technical details of what’s going on, from the server and the http://whatsmyip.org/ lookup.

Thursday 19th:

146.148.115.157 - - [19/Mar/2015:06:38:50 +0000] "HEAD /a-smashing-time/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:52 +0000] "HEAD /2014/07/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:53 +0000] "HEAD /michael-tyler-photo-collage-filmstrip/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:53 +0000] "HEAD /2014/08/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:53 +0000] "HEAD /340-52-stopped-working-nvidia-windows-kernel/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:53 +0000] "HEAD /z-visa-in-the-uk/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:53 +0000] "HEAD /2014/10/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:54 +0000] "HEAD /new-school-taizhou-zhejiang-province/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:54 +0000] "HEAD /taizhou-bi-lingual-school/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:54 +0000] "HEAD /got-paid/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
146.148.115.157 - - [19/Mar/2015:06:38:54 +0000] "HEAD /skipping-games/ HTTP/1.0" 302 - "https://www.michaeltyler.co.uk" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"

NetRange: 146.148.0.0 – 146.148.127.255
CIDR: 146.148.0.0/17
NetName: GOOGLE-CLOUD
NetHandle: NET-146-148-0-0-1
Parent: NET146 (NET-146-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS15169
Organization: Google Inc. (GOOGL-2)
RegDate: 2014-03-26
Updated: 2014-03-26
Comment: *** The IP addresses under this netblock are in use by Google Cloud customers ***
Comment:
Comment: Please direct all abuse and legal complaints regarding these addresses to the GC Abuse desk ([email protected]). Complaints sent to any other POC will be ignored.
Ref: http://whois.arin.net/rest/net/NET-146-148-0-0-1

Friday 20th:

[2015-03-20 00:57:30]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:30]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:31]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:31]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:31]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:34]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:35]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:36]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:36]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:37]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:38]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:39]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:39]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:41]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:41]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:44]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:45]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:46]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:46]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php
[2015-03-20 00:57:49]: info: [usr/grp]: michaelt/michaelt cmd: /home/michaelt/public_html/index.php php: /usr/local/php54/bin/php

NetRange: 104.154.0.0 – 104.155.255.255
CIDR: 104.154.0.0/15
NetName: GOOGLE-CLOUD
NetHandle: NET-104-154-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS15169
Organization: Google Inc. (GOOGL-2)
RegDate: 2014-07-09
Updated: 2014-07-09
Comment: *** The IP addresses under this netblock are in use by Google Cloud customers ***
Comment:
Comment: Please direct all abuse and legal complaints regarding these addresses to the
Comment: GC Abuse desk ([email protected]). Complaints sent to
Comment: any other POC will be ignored.
Ref: http://whois.arin.net/rest/net/NET-104-154-0-0-1

As you can see, the requests are being made in the same second in many cases, all emanating from the Google Cloud Services bot.

I’ve sent a letter of complaint to them ([email protected]).

Complaint

I’m making a complaint.

Your services are being used to attack my website – www.michaeltyler.co.uk.

This is the second time in as many days I have been attacked by Google Cloud Services.

I’d like these attacks to stop.

I’d also like Google to act in a responsible manner by not allowing RANDOM visits by Google Cloud Services bots without prior authorisation by the website owner.

I do not authorise or wish Google Cloud Services to visit or cache my domain.

I look forward to your action on this matter.

I’ve posted a transcript of this message and other details of the case on my website and tweeted it.

Thanks,

Michael Tyler.

Upshot

There are a number of ways to protect your site against DoS attacks.

Running a WordPress site, there are WordPress Plugins that block abnormally large traffic flows.

For the moment, I’m having to block addresses manually, and make do with the fact that my site is under attack, from Google of all people.
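The burst pattern in the Thursday log can be picked out of an access log mechanically before deciding what to block by hand. The following is an added example, not code from this site: it parses Apache combined-format lines, measures each source's peak request count in a sliding window, and labels flagged sources with the netblocks from the two whois lookups above. The sample lines are constructed, and the thresholds and the `203.0.113.9` visitor are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netblocks copied from the two whois lookups quoted in the post.
NETBLOCKS = {
    ipaddress.ip_network("146.148.0.0/17"): "GOOGLE-CLOUD",
    ipaddress.ip_network("104.154.0.0/15"): "GOOGLE-CLOUD",
}
# Apache combined log format: ip ident user [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} ')

# Constructed sample: timings follow the Thursday excerpt, paths are made up.
_SECONDS = [50, 52, 53, 53, 53, 53, 53, 54, 54, 54, 54]
SAMPLE_LOG = [
    f'146.148.115.157 - - [19/Mar/2015:06:38:{s} +0000] "HEAD /post-{i}/ HTTP/1.0" 302 - "-" "Opera/9.80"'
    for i, s in enumerate(_SECONDS)
] + [
    '203.0.113.9 - - [19/Mar/2015:06:30:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Mar/2015:06:41:17 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "truncated line without the expected fields",
]

def parse(lines):
    """Yield (ip, timestamp) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def find_bursts(lines, max_hits=5, window=timedelta(seconds=5)):
    """Return {ip: (peak hits in any window, netblock name or None)} for noisy sources."""
    by_ip = defaultdict(list)
    for ip, ts in parse(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            addr = ipaddress.ip_address(ip)
            name = next((n for net, n in NETBLOCKS.items() if addr in net), None)
            flagged[ip] = (peak, name)
    return flagged

if __name__ == "__main__":
    for ip, (peak, net) in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within 5s, netblock {net or 'unknown'}")
```

The netblock label only says which allocation the address falls in; the whois comment above states those addresses are in use by Google Cloud customers.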
