Firewall Wizards mailing list archives
Re: TCP port 7 traffic from DoubleClick
From: Chris Brenton <cbrenton () sover net>
Date: Mon, 05 Jul 1999 17:36:45 -0400
Greg Nowicki wrote:
My firewall has been logging a persistent stream of TCP connection attempts to port 7 (echo) from six hosts belonging to DoubleClick. I would like to know if anyone else on the list has observed this?
Absolutely. What you are seeing are the obnoxious reverse connections a number of sites like DoubleClick are using these days in order to zone in on your physical location. You may also see connection attempts to TCP/53 and ECHO-Request. The "claim" is that this is being done in order to serve you up data from the closest Web server to your location, but I've seen a number of concerns that this may be yet another attempt by DoubleClick to gain as much information on Web surfers as possible. At the very least, its bad form and a waste of bandwidth as I would expect less than 1% of the DNS servers on the wire leave TCP-Echo open. Its just too easy to exploit. Speaking of which, has anyone noticed what Altavista has been up to these days? If you have a DoubleClick cookie entry, try the following: 1) Go to http://www.altavista.com 2) Enter a search string 3) Sniff your outbound connection What you will see is the local system creating a connection to: http://ad.doubleclick.net/adi/altivista.digital.com/ in order to send the following string: result_front;kw=all+search+words+you+entered;ord=nine_digit_ID_number I still need to get my ducks lined up on this one, but I believe the "odr" number is your DoubleClick ID/Cookie number. If this is true, then Altavista is reporting to DoubleClick any searches you perform on their site. Scary stuff. I have not seen this with any other major search engine. I'm also curious if anyone has seen this type of activity when they place an on-line order. The possibilities get really scary if you add personal information to the data that DoubleClick is already collecting. And to think we where worried about the government becoming "Big Brother". ;) Just wondering if anyone else has played around with this stuff and can confirm or deny. Cheers, Chris -- ************************************** cbrenton () sover net * Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Current thread:
- TCP port 7 traffic from DoubleClick Greg Nowicki (Jul 05)
- Re: TCP port 7 traffic from DoubleClick Chris Brenton (Jul 05)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick George Ross (Jul 07)
- Re: TCP port 7 traffic from DoubleClick Joseph S D Yao (Jul 08)
- Re: TCP port 7 traffic from DoubleClick dreamwvr (Jul 12)
- Re: TCP port 7 traffic from DoubleClick David Lang (Jul 08)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick James Burns (Jul 07)
- Re: TCP port 7 traffic from DoubleClick Chris Brenton (Jul 05)
- Re: TCP port 7 traffic from DoubleClick C. Harald Koch (Jul 06)
- Re: TCP port 7 traffic from DoubleClick Joseph S D Yao (Jul 12)
- <Possible follow-ups>
- Re: TCP port 7 traffic from DoubleClick Vern Paxson (Jul 06)
- Re: TCP port 7 traffic from DoubleClick Neil Ratzlaff (Jul 09)