Google owned site blocked by snort because of nmap scans??



  • I have noticed in the last few months that Snort is constantly blocking anything that comes from Google (either google directly, youtube or gmail).

    For example, I can be watching a video on youtube, then suddenly the playback stops and the site stops responding.  Sure thing snort has blocked the website with the alert

    172.217.0.174  ET SCAN NMAP -sA (1) - 03/19/16-23:04:45
    

    Another prime example is that I open my browser who's homepage is set to google.com, and the homepage never loads.  Again, a 172.x.x.x site has been blocked because of a nmap scan.

    What are those?  Before I never used to get this (or very rarely).  Now I get those almost every time I use a google owned site.



  • You have a few options to choose from:
    add the blocked IP addresses to a suppress list and track them individually.
    Or if you are not interested in being aware of any more intrusions of that type from any source you can add the SID to the suppress list.
    Or white list the host(s) and ignore all threats from them.

    Otherwise, complain to the owner of the service about persistent threats coming from their hosts and ask them in writing to stop port scanning your network. In some countries port scanning without consent is illegal.

    Alternatively, treat Google like any other detected intruder and monitor and control their access to your network properly. I get the impression that you trust Google which is probably why you are surprised (two question marks) that they are port scanning you.



  • vbentley, thanks for your reply.

    add the blocked IP addresses to a suppress list and track them individually.

    I may do that, since the other options are not desirable from my POV.

    Or if you are not interested in being aware of any more intrusions of that type from any source you can add the SID to the suppress list.

    No!  Doing portscans is suspicious at best to me and hosts doing this should be blocked at the perimeter.

    Or white list the host(s) and ignore all threats from them.

    I dont want to treat google as such, in the light of all the allegations of mass surveillance and data collection.  Its already well known they collect ludicrous amounts of useless data for mass control from their product users (android, chrome, google search engine, gmail, etc), seeing them try to penetrate networks without permissions seems plausible and rather predictable.  Next what will it be?  I dont want to know…

    treat Google like any other detected intruder and monitor and control their access to your network properly. I get the impression that you trust Google which is probably why you are surprised (two question marks) that they are port scanning you.

    Yes, you are right.  I used to trust them since they are the most used search engine in the world, and have a lot of visibility/exposure.  I thought if they did something questionable or wrong, they would get caught quick, but with the Governments using them as their programs spearhead, I lost faith completely.  Also with all the android products floating around, how not to trust them?  For whats its worth, I myself have an android phone (difficult and personally conflicting on this one!!) and a few other people using android based devices on my network.  I segregated them to a separate interface in pfsense, and made sure there is NO possible connection to my LAN.  Other than that, I am right now in the middle ground where I have to act on google's suspicious behavior, and then act accordingly.

    I see portscans every day, several times a day I must say.  Each time, something stops working, let it be google.com, gmail, youtube, or all of them..  Its irritating since I use gmail as my personal email, and youtube like everybody else on this planet (or pretty much).  Why?  because there's pretty much nothing else out there to replace these products.

    Perhaps the best course of action here would be to somehow

    • Block everything GOING TO google's IP's from my network? + Block portscans attemps (but not ban the IP, so the service is accessible thereafter)

      Block everything from google, then my android devices will malfunction, youtube and gmail are lost, and duckduckgo will replace google as my search engine (which it already does)



  • Google doesn't trust their own internal networks so why should anybody else?
    https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/44860.pdf

    I have recently been taking on a lot of what this article covers. IMO, you cannot trust your own networks anymore. Javascript and other code that executes in a browser has made the concept of a trusted LAN ridiculous.

    I used to have just five VLANs, now I have 30 and I am creating more as I need them. I have found it far safer to separate everything into service based VLANs so that I can filter and control traffic flows between them. I have separate VLANs for DNS resolvers, for printers, for VOIP handsets, if it can be identified in anyway as being different or special it gets it's own VLAN even if there is only one host in that network.



  • 30 VLAN's??? I can barely manage 2 subnets on 2 separate physical interfaces!!! Truth be told, I am pretty new to the firewalling thing, and up to now, I was using pfsense';s default FW rulesets..

    I agree with you about segregation.  This is why I have created another interface where I put my wifi AP and my android devices/iPods.

    For the original question, I have decided to keep google blocked as a new IP anyways is resurfacing.  So even of one google IP is banned by Snort, another will be used thereafter and things go as intended.  Its just a PITA because this is causing disruptions betwen every time a portscan occurs and the service finds a new google IP to use..

    How did you manage your normal clients (desktop machine, everyday clients, etc) from the very sensitive ones and the ones you dont want to lock down too much? (i.e. guest wifi access, or loaner laptops?)


  • Moderator

    You can tune Snort/Suricata Portscans in the WAN interface / Preprocs Tab… There is a section called "Portscan Detection" where you can adjust the sensitivity, and also enter a whitelist of Scanners...



  • That signature in particular seems to be prone to false positives. I'd probably just disable it.



  • Google doesn't trust their own internal networks so why should anybody else?

    It is normal that Google is 24/7 online and a good basis for the scripts called bots (robots) and
    from there scans will be a long not able to get rid of them. So many "peoples" are placing then
    there bots into Google or other 24/7 sites. If you will be scanned ones more it is not unusual
    so if nothing is opened at the WAN interface you can be forget that scans.