Firewall Wizards mailing list archives
Re: More Doubleclick Scans?
From: Darren Reed <darrenr () reed wattle id au>
Date: Mon, 22 Nov 1999 09:01:26 +1100 (EST)
In some email I received from Matt Dunn, sie wrote: [...]
Some of the odd things that I've noticed:
- The source port being http (and occasionally https), which would lead me to believe that these are actually outbound requests whose response is being dropped (state tables?)
Or maybe not! How would you rate their chances at successfully being able to `ping' the remote end if they used a stealth scanning technique such as FIN or ACK scanning compared to using UDP echo ports ?
- These are consistently banner ad servers, or at least related to a banner ad service.
Use squirm on your proxy servers and put in place regexes that change things like "http:.*doubleclick.*460x60.*" to be "http://localhost/blank_ad-460x60.gif". I use both squirm with squid and WebFilter with ye old CERN httpd and both work marvelously well in getting rid of ads. Much better than blackholing doubleclick.net locally in DNS or adding URLs to a deny.conf file.

squirm: http://www.senet.com.au/squirm/
webfilter: http://math-www.uni-paderborn.de/~axel/NoShit/
junkbuster: http://www.waldherr.org/junkbuster/

(one of the above comes with a "blank_ad.gif" which can easily be resized to fit whichever geometry using xv :-)

[...]
Is this a software bug with FW-1? Is this a malicious scan? If so, what the heck are they scanning for?
Attach a sniffer to the external network and monitor the packet flow.

Darren
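
The URL rewrite described in the message above, written as a stand-alone redirector helper; this is an added example, not part of the original post and not squirm's own code. It assumes the classic Squid redirector interface (one `URL client_ip/fqdn ident method` line per request on stdin, answered with the replacement URL or an empty line for "unchanged"). `rewrite_strict`, which also checks the hostname so that a URL merely mentioning doubleclick in its query string is left alone, and the sample request lines are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

BLANK = "http://localhost/blank_ad-460x60.gif"       # replacement URL from the post
LOOSE = re.compile(r"http:.*doubleclick.*460x60.*")  # pattern from the post

def url_of(request_line):
    """First field of an (assumed) redirector line: URL ip/fqdn ident method."""
    fields = request_line.split()
    return fields[0] if fields else ""

def rewrite_loose(request_line):
    """Apply the post's pattern to the whole URL; '' means leave unchanged."""
    return BLANK if LOOSE.match(url_of(request_line)) else ""

def rewrite_strict(request_line):
    """Hypothetical tighter rule: host must be doubleclick.net or a subdomain,
    and the banner geometry must appear in the path or query."""
    try:
        parts = urlsplit(url_of(request_line))
        host = (parts.hostname or "").lower()
    except ValueError:          # malformed URL: pass it through untouched
        return ""
    on_ad_host = host == "doubleclick.net" or host.endswith(".doubleclick.net")
    return BLANK if on_ad_host and "460x60" in parts.path + parts.query else ""

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "http://ad.doubleclick.net/ad/site/460x60;ord=1 10.0.0.5/- - GET",
    "http://www.example.com/search?q=doubleclick+460x60 10.0.0.5/- - GET",
    "http://www.example.com/index.html 10.0.0.5/- - GET",
]

def main():
    # The proxy blocks on every reply, so answer line by line and flush.
    for line in sys.stdin:
        sys.stdout.write(rewrite_strict(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

The second sample line shows the difference: the post's pattern rewrites it because "doubleclick" and "460x60" both occur somewhere in the URL, while the hostname check leaves it alone.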