RE: More Doubleclick Scans?

[jboles () libfungrp com]

Matt,

Can't claim to be anything resembling an expert, but I've noticed from some
of my own activities that these double click ads seem to 'refresh' from the
banner server about every three seconds or so.  If you want to see a keen
example of this, I'd suggest you go out and grab a copy of wrq's atguard
(www.atguard.com) which 'grelaford' on this list keeps advocating.  For $30
it's a kind of intuitive little sucker which will give you an analytical
tool, provided you can pop it onto a machine outside your firewall and have
the time to experiment with some activities, to replicate what you're seeing
in your FW1 log.


JB
> -----Original Message-----
> From: Matt Dunn [mailto:matt () electrocentric com]
> Sent: Thursday, November 18, 1999 12:01 PM
> To: firewall-wizards () lists nfr net
> Subject: Re: More Doubleclick Scans?
>
>
> I may have jumped to conclusions on my last post, but then 
> again I may not
> have. Things on my end are starting to smell more like a configuration
> problem, but there are some things that don't fit.
>
> Here's a bit more detail than before:
>
> The firewall in question is running Checkpoint FW-1/VPN-1 4.0 
> on a sparc 20
> running Solaris 2.6. NAT is set up so that all machines on the private
> network appear to the world as the external interface of the firewall
> machine, which is why (I'm pretty certain) the destination 
> field on the log
> entries indicates the firewall itself.
>
> I've got an amazing amount of log entries that look something 
> like this:
>
> Date | Time | Interface | Action | Service | Source | Destination |
> Protocol | S_Port
>
> 18Nov1999 | 11:28:30 | le0 | drop | 49036 | 
> mav8.doubleclick.net | firewall
> | tcp | http
> 18Nov1999 | 11:28:32 | le0 | drop | 49278 | 206.132.79.67 | 
> firewall | tcp
> | http
> 18Nov1999 | 11:28:32 | le0 | drop | 49279 | 206.132.79.67 | 
> firewall | tcp
> | http
> 18Nov1999 | 11:29:15 | le0 | drop | 49209 | 
> ads-real01.zdnet.com | firewall
> | tcp | http
>
> Despite the timestamps I've shown here, I'm averaging about 
> one of these
> every three seconds. 
>
> Some of the odd things that I've noticed: 
> - The source port being http (and occasionally https), which 
> would lead me
> to believe that these are actually outbound requests whose response is
> being dropped (state tables?)
> - These are consistently banner ad servers, or at least 
> related to a banner
> ad service.
> - There are many different banner ad services represented (I 
> gave three in
> the example above, the IP addresses are Link Exchange machines)
> - There is no way that there should be enough surfing going on for the
> location to even be requesting a banner ad every three 
> seconds, given the
> number of employees and what they 
> do. (this is hardly a scientific metric, but you can't ignore 
> gut feelings)
>
> The firewall configuration is fairly vanilla (only 10 active rules,
> including VPN capabilities), there are only about 50 computers in the
> building, and only about 30 people (pretty high server 
> ratio), and a sparc
> 20, while not exactly new, is what we like to call 'proven 
> technology,' so
> I'm pretty sure it should be able to handle the number of 
> connections we're
> talking about.
>
> The questions that I'm left with:
> Is this a software bug with FW-1?
> Is my hardware capable of handling current load?
> Why does this only seem to be happening with banner services?
> Is this a malicious scan? If so, what the heck are they scanning for?
> Why aren't my users reporting errors?
>
> If you have any questions I missed (on topic please), or better yet,
> possible answers, please let me know.
>
> Thanks in advance, 
>
> -Matt