
I manage a dedicated server and I use IPset and APF to block country-level IPs and individual offending IPs / ranges respectively.

My PHP scripts report MySQL injection type POST and GET queries (like: `?query AND 1=1`). Very often I get these reports from the googleusercontent.com IP range.

I understand that these are Google Cloud VPS users and I want to block their IP ranges like this: `apf -d 35.228.0.0/14`.

There are so many IP ranges associated with googleusercontent.com. If I start blocking them all, it'll eventually be an entire A class 35.xxx.xxx.xxx.

But my concern is that... I don't want to block any Google bots and prevent indexing of my sites. Can someone provide an insight on this topic?

Do Google bots use any of these IP ranges? Am I safe to block googleusercontent.com IP ranges? Usually those start with 35.xxx.xxx.xxx.

Jsp

1 Answer

Blocking the entire /8 would not only block a lot of legitimate GCE customers from accessing your site but would also block several other networks from accessing your site as the IP addresses in that range are owned by many different companies.

Even blocking individual IP addresses can cause harm as cloud products allow resources (including IP addresses) to be released when no longer in use and be reused for other customers.

Whois data provides information about who owns an IP range, what the exact range is, and what the procedure for handling abuse is. In this case the procedure for handling abuse is to fill in this form: https://support.google.com/code/go/gce_abuse_report

The whois data as of this moment reads:

NetRange:       35.208.0.0 - 35.247.255.255
CIDR:           35.224.0.0/12, 35.240.0.0/13, 35.208.0.0/12
NetName:        GOOGLE-CLOUD
NetHandle:      NET-35-208-0-0-1
Parent:         NET35 (NET-35-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Google LLC (GOOGL-2)
RegDate:        2017-09-29
Updated:        2018-01-24
Comment:        *** The IP addresses under this Org-ID are in use by Google Cloud customers *** 
Comment:        
Comment:        Direct all copyright and legal complaints to 
Comment:        https://support.google.com/legal/go/report
Comment:        
Comment:        Direct all spam and abuse complaints to 
Comment:        https://support.google.com/code/go/gce_abuse_report
Comment:        
Comment:        For fastest response, use the relevant forms above.
Comment:        
Comment:        Complaints can also be sent to the GC Abuse desk 
Comment:        (google-cloud-compliance@google.com) 
Comment:        but may have longer turnaround times.
Ref:            https://rdap.arin.net/registry/ip/35.208.0.0

In addition to filing an abuse report I suggest you audit your system for presence of any security flaws of the type attempted to be exploited as well as others that may be targeted next. Blocking IP addresses isn't going to keep you secure from attacks. A sufficiently persistent attacker will be able to attack you again from other IP addresses outside the range you have blocked.

kasperd
  • Thanks @kasperd for the information. Yes, my applications are secured against MySQL injection, additionally it also emails me of the attempts. My sites don't provide individual server to server resources. There are way too many attempts from all kinds of endpoints and it is not practical to even automate report abuse. Since the whois states `The IP addresses under this Org-ID are in use by Google Cloud customers` I prefer to block them, as they have no business with my sites. – Jsp Aug 19 '18 at 19:00
  • @Jsp If your site has any users, then one of those users could have a need to access your site through a service hosted on Google Cloud. – kasperd Aug 19 '18 at 22:26
  • I am the only user. – Jsp Aug 19 '18 at 23:23
  • @Jsp If you don't want anybody other than yourself using the site, then why do you want Google to index it? – kasperd Aug 19 '18 at 23:28
  • My mistake. I meant that it's not a shared server. If I have a need to access a service hosted on Google Cloud, then I'll probably allow that IP. – Jsp Aug 20 '18 at 04:49
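
The answer's point about the /8, worked through as an added example (not code from the question, the answer, or APF/IPset): it parses the `NetRange` and `CIDR` fields of the whois record quoted above, checks that they agree, and counts how many addresses a candidate block rule would cover outside that allocation. The function names are hypothetical; the two rules tested are the `/14` from the question and the "entire A class" written as `35.0.0.0/8`.

```python
import ipaddress

# Fields copied from the whois record quoted in the answer above.
WHOIS_RECORD = """\
NetRange:       35.208.0.0 - 35.247.255.255
CIDR:           35.224.0.0/12, 35.240.0.0/13, 35.208.0.0/12
NetName:        GOOGLE-CLOUD
"""


def parse_whois(text):
    """Return (first_ip, last_ip, networks) from ARIN-style 'Key: value' text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    first, last = (ipaddress.ip_address(p.strip())
                   for p in fields["NetRange"].split(" - "))
    nets = [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    return first, last, nets


def cidrs_match_netrange(first, last, nets):
    """True if the CIDR list covers exactly the NetRange, no more and no less."""
    return sorted(ipaddress.summarize_address_range(first, last)) == sorted(nets)


def assess_block(rule, nets):
    """Count how many addresses a block rule covers outside the allocation."""
    block = ipaddress.ip_network(rule)
    inside = 0
    for net in nets:  # CIDR blocks either nest or are disjoint
        if block.subnet_of(net):
            inside += block.num_addresses
        elif net.subnet_of(block):
            inside += net.num_addresses
    return {"rule": rule, "addresses": block.num_addresses,
            "outside_allocation": block.num_addresses - inside}


if __name__ == "__main__":
    first, last, nets = parse_whois(WHOIS_RECORD)
    print("CIDR list matches NetRange:", cidrs_match_netrange(first, last, nets))
    # 35.228.0.0/14 is the rule from the question; 35.0.0.0/8 is the
    # "entire A class" it would grow into.
    for rule in ("35.228.0.0/14", "35.0.0.0/8"):
        print(assess_block(rule, nets))
```

Run against a current whois lookup rather than the 2018 record embedded here before acting on the numbers, since allocations change.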