Why are Google web servers performing nmap scans?

Hey all,

Please bear with me, this may be a long explanation. Also, if this belongs in a different sub, please let me know. I am continually getting complaints from employees that Google searches are sporadically timing out throughout the day. This occurs with different computers, different browsers, etc. This is not an isolated incident. With much troubleshooting, I have eliminated the local network and DNS as being the culprit.

Come to find out, other Google services are also having issues on the network. I have pfsense running Snort for IPS and noticed Google services just magically worked again after clearing out the Snort block list. After doing some digging, I noticed some Nmap scans being detected from 1e100.net addresses. Ok, maybe some bot is using Google's servers for attacks. Nope. From my firewall log:

51 SCAN NMAP -sA (2) — 2020-07-27 04:31:36

This IP resolves to www.google.com. Let's resolve www.google.com and see if what server I get routed to next.

Microsoft Windows [Version 10.0.18362.959]

(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\REMOVEDFORPRIVACY>tracert www.google.com

Tracing route to www.google.com []

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms REMOVED FOR PRIVACY]

2 8 ms 8 ms 11 ms REMOVED FOR PRIVACY

3 9 ms 8 ms 8 ms REMOVED FOR PRIVACY

4 9 ms 9 ms 10 ms REMOVED FOR PRIVACY

5 13 ms 15 ms 17 ms be-33490-cr01.seattle.wa.ibone.comcast.net []

6 16 ms 15 ms 21 ms be-2411-pe11.seattle.wa.ibone.comcast.net []

7 18 ms 17 ms 14 ms

8 15 ms 15 ms 15 ms

9 14 ms 14 ms 13 ms

10 13 ms 13 ms 14 ms sea15s07-in-f4.1e100.net []

Trace complete.

Same subnet. So, why are Google's web servers performing nmap scans against random IP addresses? This seems a bit brazen, even for Google. Is anyone else seeing this? If so, what have you done about it?

Edit: Removed personal info.

Touch here for the full post on Network Security Noblemen tumblr

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s