Firewall Wizards mailing list archives
Re: More Doubleclick Scans?
From: Matt Dunn <matt () electrocentric com>
Date: Thu, 18 Nov 1999 13:01:11 -0500
I may have jumped to conclusions on my last post, but then again I may not have. Things on my end are starting to smell more like a configuration problem, but there are some things that don't fit. Here's a bit more detail than before:

The firewall in question is running Checkpoint FW-1/VPN-1 4.0 on a sparc 20 running Solaris 2.6. NAT is set up so that all machines on the private network appear to the world as the external interface of the firewall machine, which is why (I'm pretty certain) the destination field on the log entries indicates the firewall itself.

I've got an amazing amount of log entries that look something like this:

Date      | Time     | Interface | Action | Service | Source               | Destination | Protocol | S_Port
18Nov1999 | 11:28:30 | le0       | drop   | 49036   | mav8.doubleclick.net | firewall    | tcp      | http
18Nov1999 | 11:28:32 | le0       | drop   | 49278   | 206.132.79.67        | firewall    | tcp      | http
18Nov1999 | 11:28:32 | le0       | drop   | 49279   | 206.132.79.67        | firewall    | tcp      | http
18Nov1999 | 11:29:15 | le0       | drop   | 49209   | ads-real01.zdnet.com | firewall    | tcp      | http

Despite the timestamps I've shown here, I'm averaging about one of these every three seconds.

Some of the odd things that I've noticed:

- The source port being http (and occasionally https), which would lead me to believe that these are actually outbound requests whose response is being dropped (state tables?)
- These are consistently banner ad servers, or at least related to a banner ad service.
- There are many different banner ad services represented (I gave three in the example above, the IP addresses are Link Exchange machines)
- There is no way that there should be enough surfing going on for the location to even be requesting a banner ad every three seconds, given the number of employees and what they do. (This is hardly a scientific metric, but you can't ignore gut feelings.)

The firewall configuration is fairly vanilla (only 10 active rules, including VPN capabilities), there are only about 50 computers in the building, and only about 30 people (pretty high server ratio), and a sparc 20, while not exactly new, is what we like to call 'proven technology,' so I'm pretty sure it should be able to handle the number of connections we're talking about.

The questions that I'm left with:

- Is this a software bug with FW-1?
- Is my hardware capable of handling current load?
- Why does this only seem to be happening with banner services?
- Is this a malicious scan? If so, what the heck are they scanning for?
- Why aren't my users reporting errors?

If you have any questions I missed (on topic please), or better yet, possible answers, please let me know.

Thanks in advance,
-Matt
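The post's own hypothesis is that a dropped packet whose *source* port is http/https and whose destination port is ephemeral is a server's reply to an outbound connection the firewall no longer tracks, rather than an inbound scan. The script below is an added example, not code from the original post or from Checkpoint: it parses entries in the pipe-separated layout quoted above (the sample log lines are constructed to match that layout; the 192.0.2.77 entry is a made-up contrast case), splits them into "looks like a late reply" versus everything else using that heuristic, and summarizes drops per source and the average interval between them, which is the kind of triage that separates a state-table problem from a scan.

```python
"""Triage FW-1 style drop entries: separate probable late replies to
outbound connections from other drops, then summarize rate and sources.
Added example; the log lines are constructed to match the post's format."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample log in the post's column order:
# Date | Time | Interface | Action | Service | Source | Destination | Protocol | S_Port
SAMPLE_LOG = """\
18Nov1999 | 11:28:30 | le0 | drop | 49036 | mav8.doubleclick.net | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49278 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49279 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:29:15 | le0 | drop | 49209 | ads-real01.zdnet.com | firewall | tcp | http
18Nov1999 | 11:29:20 | le0 | drop | 1080 | 192.0.2.77 | firewall | tcp | 31337
"""

# Source ports that mark a packet as a server's reply (names as FW-1 logs them,
# plus numeric forms in case a log has them unresolved).
REPLY_PORTS = {"http", "https", "80", "443"}
EPHEMERAL_MIN = 1024  # destination ports at or above this are client-side ports


class Entry(NamedTuple):
    when: datetime
    iface: str
    action: str
    dst_port: str  # the "Service" column: the port on the firewall being hit
    src: str
    dst: str
    proto: str
    src_port: str  # the "S_Port" column


def parse_line(line: str) -> Entry:
    """Split one pipe-separated entry into an Entry; raise on a malformed line."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    date, time_, iface, action, service, src, dst, proto, s_port = fields
    when = datetime.strptime(f"{date} {time_}", "%d%b%Y %H:%M:%S")
    return Entry(when, iface, action, service, src, dst, proto, s_port)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def looks_like_reply(e: Entry) -> bool:
    """The post's heuristic: a drop with a service source port and an
    ephemeral destination port is most likely a reply to an outbound
    connection whose state the firewall has lost or never had."""
    return (
        e.action == "drop"
        and e.src_port.lower() in REPLY_PORTS
        and e.dst_port.isdigit()
        and int(e.dst_port) >= EPHEMERAL_MIN
    )


def classify(entries: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (probable late replies, everything else)."""
    replies = [e for e in entries if looks_like_reply(e)]
    other = [e for e in entries if not looks_like_reply(e)]
    return replies, other


def drops_per_source(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.src for e in entries))


def average_interval_seconds(entries: List[Entry]) -> float:
    """Mean seconds between consecutive entries (0.0 if fewer than two)."""
    times = sorted(e.when for e in entries)
    if len(times) < 2:
        return 0.0
    return (times[-1] - times[0]).total_seconds() / (len(times) - 1)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    replies, other = classify(entries)
    print(f"{len(replies)} probable late replies, {len(other)} other drops")
    print("drops per source (replies):", drops_per_source(replies))
    print(f"average interval between replies: {average_interval_seconds(replies):.1f}s")
    for e in other:
        print("needs a closer look:", e.src, e.src_port, "->", e.dst_port)
```

Run on a real FW-1 export, the useful signal is the ratio between the two buckets: if nearly every drop lands in the "late reply" bucket and the sources are all ad servers that the NATed clients would legitimately be fetching from, the problem is almost certainly connection state being lost (or the reply arriving after the entry timed out), not a scan. Anything in the other bucket, such as the constructed 31337-to-1080 line, is what actually deserves scan-style investigation.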