Firewall Wizards mailing list archives

Re: More Doubleclick Scans?


From: Darren Reed <darrenr () reed wattle id au>
Date: Mon, 22 Nov 1999 09:01:26 +1100 (EST)

In some email I received from Matt Dunn, sie wrote:
[...]
Some of the odd things that I've noticed: 
- The source port being http (and occasionally https), which would lead me
to believe that these are actually outbound requests whose response is
being dropped (state tables?)

Or maybe not!  How would you rate their chances at successfully being able
to `ping' the remote end if they used a stealth scanning technique such as
FIN or ACK scanning compared to using UDP echo ports ?

- These are consistently banner ad servers, or at least related to a banner
ad service.

Use squirm on your proxy servers and put in place regex's that change
things like "http:.*doubleclick.*460x60.*" to be
"http://localhost/blank_ad-460x60.gif".

I use both squirm with squid and WebFilter with ye old CERN httpd and both
work marvelously well in getting rid of ads.  Much better than blackholing
doubleclick.net locally in DNS or adding URL's to a deny.conf file.

squirm:
http://www.senet.com.au/squirm/

webfilter:
http://math-www.uni-paderborn.de/~axel/NoShit/

junkbuster:
http://www.waldherr.org/junkbuster/

(one of the above comes with a "blank_ad.gif" which can easily be resized to
 fit whichever geometry using xv :-)

[...]
Is this a software bug with FW-1?
Is this a malicious scan? If so, what the heck are they scanning for?

Attach a sniffer to the external network and monitor the packet flow.

Darren
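
The URL-rewriting approach described in the message above, sketched as a stand-alone redirector helper. This is an added example, not squirm's code or its configuration syntax; it assumes the classic Squid redirector interface (one request per line on stdin with the URL as the first field, one answer per line on stdout) and a local web server that serves the blank image.

```python
import re
import sys

# Rewrite rules as (pattern, replacement) pairs. The pattern and replacement
# are the ones quoted in the message; the replacement assumes a web server on
# localhost that serves the blank image.
RULES = [
    (re.compile(r"http:.*doubleclick.*460x60.*"),
     "http://localhost/blank_ad-460x60.gif"),
]


def rewrite(url):
    """Return the replacement URL for the first matching rule, else None."""
    for pattern, replacement in RULES:
        # match() anchors at the start of the URL, so "https:" URLs and URLs
        # that merely contain "http:" later in the string are not rewritten.
        if pattern.match(url):
            return replacement
    return None


def handle_line(line):
    """Answer one request line of the form 'URL client_ip/fqdn ident method'.

    Returns the new URL, or an empty string, which tells the proxy to leave
    the request unchanged. Blank or malformed input also yields "".
    """
    fields = line.split()
    if not fields:
        return ""
    return rewrite(fields[0]) or ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        # The proxy blocks waiting for each answer, so never buffer output.
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```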


