Firewall Wizards mailing list archives

Re: More Doubleclick Scans?


From: Matt Dunn <matt () electrocentric com>
Date: Thu, 18 Nov 1999 13:01:11 -0500

I may have jumped to conclusions on my last post, but then again I may not
have. Things on my end are starting to smell more like a configuration
problem, but there are some things that don't fit.

Here's a bit more detail than before:

The firewall in question is running Checkpoint FW-1/VPN-1 4.0 on a sparc 20
running Solaris 2.6. NAT is set up so that all machines on the private
network appear to the world as the external interface of the firewall
machine, which is why (I'm pretty certain) the destination field on the log
entries indicates the firewall itself.

I've got an amazing amount of log entries that look something like this:

Date | Time | Interface | Action | Service | Source | Destination | Protocol | S_Port

18Nov1999 | 11:28:30 | le0 | drop | 49036 | mav8.doubleclick.net | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49278 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49279 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:29:15 | le0 | drop | 49209 | ads-real01.zdnet.com | firewall | tcp | http

Despite the timestamps I've shown here, I'm averaging about one of these
every three seconds. 

Some of the odd things that I've noticed: 
- The source port being http (and occasionally https), which would lead me
to believe that these are actually outbound requests whose response is
being dropped (state tables?)
- These are consistently banner ad servers, or at least related to a banner
ad service.
- There are many different banner ad services represented (I gave three in
the example above; the IP addresses are Link Exchange machines)
- There is no way that there should be enough surfing going on for the
location to even be requesting a banner ad every three seconds, given the
number of employees and what they do. (this is hardly a scientific metric,
but you can't ignore gut feelings)

The firewall configuration is fairly vanilla (only 10 active rules,
including VPN capabilities), there are only about 50 computers in the
building, and only about 30 people (pretty high server ratio), and a sparc
20, while not exactly new, is what we like to call 'proven technology,' so
I'm pretty sure it should be able to handle the number of connections we're
talking about.

The questions that I'm left with:
Is this a software bug with FW-1?
Is my hardware capable of handling current load?
Why does this only seem to be happening with banner services?
Is this a malicious scan? If so, what the heck are they scanning for?
Why aren't my users reporting errors?

If you have any questions I missed (on topic please), or better yet,
possible answers, please let me know.

Thanks in advance, 

-Matt
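The post's own checklist (source port http/https, high-numbered destination port, external ad-server sources, hide-NAT making the firewall the apparent destination) can be turned into a small triage script. The following is an added example, not code from the original post or from Check Point: it parses the pipe-separated log layout quoted above, maps FW-1's service names back to port numbers, and separates entries that look like late replies to connections the firewall has already forgotten (source port 80/443, destination an ephemeral port) from entries that look like a port sweep (one fixed ephemeral source port hitting several well-known services). The sample log is constructed for the example; the entries from the post are reused as-is and the host 10.9.8.7 and its scan lines are invented placeholders to give the scan branch something to match.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the pipe-separated layout quoted in the post.
# The first four lines are the post's own entries (with one https source port
# to exercise that case); the 10.9.8.7 lines are an invented placeholder
# showing what a port sweep would look like in the same format.
SAMPLE_LOG = """\
18Nov1999 | 11:28:30 | le0 | drop | 49036 | mav8.doubleclick.net | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49278 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49279 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:29:15 | le0 | drop | 49209 | ads-real01.zdnet.com | firewall | tcp | https
18Nov1999 | 11:29:40 | le0 | drop | telnet | 10.9.8.7 | firewall | tcp | 31337
18Nov1999 | 11:29:41 | le0 | drop | ftp | 10.9.8.7 | firewall | tcp | 31337
18Nov1999 | 11:29:42 | le0 | drop | http | 10.9.8.7 | firewall | tcp | 31337
"""

# Column order as printed in the post. In FW-1 "Service" is the destination
# port and "S_Port" is the source port.
FIELDS = ["date", "time", "iface", "action", "service", "src", "dst", "proto", "s_port"]

# FW-1 prints well-known ports by service name; a small table to map them back.
WELL_KNOWN = {"http": 80, "https": 443, "telnet": 23, "ftp": 21, "smtp": 25, "ssh": 22}


def port_number(token):
    """Return an integer port for a numeric or well-known service token, else None."""
    token = token.strip().lower()
    if token.isdigit():
        return int(token)
    return WELL_KNOWN.get(token)


def parse_line(line):
    """Split one pipe-separated entry into a dict; return None for malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["dport"] = port_number(rec["service"])
    rec["sport"] = port_number(rec["s_port"])
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")
    return rec


def classify(rec):
    """Classify a single dropped packet by its port pattern.

    stray-reply: from a web server's port 80/443 to an ephemeral port on the
        hide-NAT address, i.e. what a late reply to an already-closed or
        timed-out client connection looks like.
    inbound-to-service: aimed at a well-known port on the firewall itself,
        which is what an actual probe or scan would target.
    """
    if rec["sport"] in (80, 443) and rec["dport"] is not None and rec["dport"] >= 1024:
        return "stray-reply"
    if rec["dport"] is not None and rec["dport"] < 1024:
        return "inbound-to-service"
    return "other"


def analyse(text):
    """Group drops by source host and give each host a verdict."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_src = defaultdict(list)
    for r in recs:
        by_src[r["src"]].append(r)

    report = {}
    for src, rs in by_src.items():
        kinds = Counter(classify(r) for r in rs)
        dports = sorted({r["dport"] for r in rs if r["dport"] is not None})
        span = (max(r["ts"] for r in rs) - min(r["ts"] for r in rs)).total_seconds()
        if kinds["inbound-to-service"] >= 3 and len(dports) >= 3:
            verdict = "scan"          # one host walking several service ports
        elif kinds["stray-reply"] == len(rs):
            verdict = "late-reply"    # every drop is a web server answering us
        else:
            verdict = "unclear"
        report[src] = {"count": len(rs), "dports": dports, "span_s": span, "verdict": verdict}
    return report


def drops_per_second(text):
    """Overall drop rate across the whole sample, for comparison with the
    'one every three seconds' figure in the post."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    if len(recs) < 2:
        return 0.0
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
    return len(recs) / span if span else float("inf")


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(f"{src:22} {info['verdict']:10} drops={info['count']} dports={info['dports']}")
    print(f"overall rate: {drops_per_second(SAMPLE_LOG):.2f} drops/s")
```

The script only looks at port direction, so it cannot by itself prove whether the ad servers are answering real outbound requests from the NAT'd clients; that check needs the accept entries for the matching outbound connections (same hide-NAT source port as the dropped reply's destination port) or a packet capture on le0. What it does show is that the pattern in the post (source 80/443, destination ephemeral, firewall as destination under hide NAT) is the signature of an orphaned reply, not of a scan, while a scan in the same log format has the ports the other way round.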
