Google says the 2001:4860::/32 range belongs to “IP ranges that Google makes available to users on the internet”.
This suggests that these IPs might belong to Google Cloud users, but on a reverse IP check, I see the domain name “googlezip.net”. I’ve seen on a couple of posts that this domain is related to Google Chrome’s data saving feature, or something of that nature.
The question is: we have started receiving a huge amount of these requests over the past couple of weeks. I have checked the logs, and there was nothing like this before; it’s sheer volume now. As far as I know, this feature is not new in Chrome, so I’d be curious as to why we started receiving these requests now.
Anyway, I wanted to ask the community whether anyone knows better: is it possible to make sure whether these are genuine users using Chrome or some bots running on Google Cloud? I assume I can block the ASN range (AS15169) on the WAF (adding an exception for Googlebot, which uses the same ASN), but before doing that, I wanted to make sure they aren’t genuine users.
May I ask what type of requests they are making and on which “endpoints” they are landing?
Furthermore, is the nature of the requests, judging from what you see, more like some kind of exploit-search web app trying to catch some .php script on your website?
Are they using an old HTTP/1.0 version?
What kind of user-agent do they contain?
On the other side, it’s true there are a lot of bots trying to mimic the good ones. Nevertheless, in the world of VPNs and cloud hosting, it’s common to see mixed IPs from different providers doing things.
It’d be interesting if you could share some more details of what you have caught so far at the Security → Overview tab in particular (if you’re sharing a screenshot or something similar, please be aware and mask/hide your website URL or server IP if it’s visible, due to the public posting).
Are you using some kind of RSS feed reader, or have you submitted your website to one?
Otherwise, not knowing the main language of the content on your website, nor having any more information, I could only guess, and ask: are you using Google News, maybe?
Reminds me of a similar case where the Facebook “scraper bot” (the regular one, as described in the Facebook FAQ) did, each month, revisit all of the posted URLs pointing to one (or more) of my client’s websites, generating traffic and somewhat probing the “cached” version of the published articles, ramping the CPU up to the sky.
Here are some sample logs:
2001:4860:7:231::d4 - - [14/Jul/2022:03:24:55 +0300] "GET /{url-removed} HTTP/1.1" 200 3805 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
2001:4860:7:631::d1 - - [14/Jul/2022:03:25:31 +0300] "GET /{url-removed} HTTP/1.1" 200 4267 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
2001:4860:7:231::fa - - [14/Jul/2022:03:25:46 +0300] "GET /{url-removed} HTTP/1.1" 200 4317 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
2001:4860:7:231::d0 - - [14/Jul/2022:11:39:03 +0300] "GET /{url-removed} HTTP/1.1" 200 4853 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
2001:4860:7:231::f8 - - [14/Jul/2022:19:02:58 +0300] "GET /{url-removed} HTTP/1.1" 200 4440 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
2001:4860:7:631::ed - - [14/Jul/2022:19:02:58 +0300] "GET /{url-removed} HTTP/1.1" 200 22261 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
2001:4860:7:231::fa - - [14/Jul/2022:23:37:12 +0300] "GET /{url-removed} HTTP/1.1" 200 22261 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
The requests are made to normal content pages on the website, the kind of pages a regular user, but also a scraper, would browse. It’s pretty much the same user agent on all requests as far as I can see.
There’s something about Chrome’s Data Saver and the domain googlezip.net on this page.
PS: Another thing to note is that I can’t see any IP reputation problem with these IPs in the tools I check. Although I have come across a page where they claim to sell a “Google proxy” using (proxy.googlezip.net), I don’t know how they do that or whether it’s genuine. Not sharing that URL to avoid promoting that (probably illegal) website.
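As an added example (not code from the thread), here is a small Python triage script that parses log lines in the format pasted above, checks each client against the 2001:4860::/32 prefix from the first post, and tallies the HTTP version, status codes and user agents the reply asked about. The sample lines and the PTR map are constructed so it runs offline; a real reverse-DNS function (for example socket.gethostbyaddr wrapped to return the hostname) can be passed in as ptr_lookup.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
GOOGLE_V6 = ipaddress.ip_network("2001:4860::/32")  # the range discussed in the thread

# Constructed sample lines modelled on the thread's logs; {url-removed} kept as a placeholder path.
SAMPLE_LOGS = [
    '2001:4860:7:231::d4 - - [14/Jul/2022:03:24:55 +0300] "GET /{url-removed} HTTP/1.1" 200 3805 "-" '
    '"Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"',
    '2001:4860:7:231::d4 - - [14/Jul/2022:03:25:46 +0300] "GET /{url-removed} HTTP/1.1" 200 4317 "-" '
    '"Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"',
    '203.0.113.7 - - [14/Jul/2022:03:26:01 +0300] "GET /admin.php HTTP/1.0" 404 512 "-" "curl/7.68.0"',
]
# Constructed PTR map standing in for a real reverse-DNS lookup so the example runs offline.
SAMPLE_PTR = {"2001:4860:7:231::d4": "googlezip.net"}

def parse_line(line):
    """Parse one line; curly quotes from a pasted forum post are normalised first. Returns dict or None."""
    m = LOG_RE.match(line.strip().replace("\u201c", '"').replace("\u201d", '"'))
    return m.groupdict() if m else None

def triage(lines, ptr_lookup=SAMPLE_PTR.get):
    """Per-IP hit counts, prefix membership and PTR name, plus the distributions the reply asks
    about (HTTP version, status code, user agent). ptr_lookup(ip) is injected to stay offline."""
    per_ip, dist = defaultdict(int), {"proto": Counter(), "status": Counter(), "ua": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        per_ip[rec["ip"]] += 1
        for k in dist:
            dist[k][rec[k]] += 1
    report = {}
    for ip, hits in per_ip.items():
        addr = ipaddress.ip_address(ip)  # an IPv4 address is simply "not in" the v6 network
        report[ip] = {"hits": hits, "in_google_v6": addr in GOOGLE_V6, "ptr": ptr_lookup(ip)}
    return report, dist

if __name__ == "__main__":
    rep, d = triage(SAMPLE_LOGS)
    for ip, info in rep.items():
        print(ip, info)
    print(dict(d["proto"]), dict(d["status"]))
```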