Firewall Wizards mailing list archives

Re: More Doubleclick Scans?


From: "Rex Telea" <limbo_bolt () yahoo com>
Date: Fri, 26 Nov 1999 22:50:17 +0100

Sorry, but you are too late for Atguard: it has been sold to Symantec, and after 22
November you won't be able to get Atguard from WRQ.


----- Original Message -----
From: <jboles () libfungrp com>
To: <firewall-wizards () nfr net>
Sent: Monday, November 22, 1999 3:16 PM
Subject: RE: More Doubleclick Scans?


Matt,

Can't claim to be anything resembling an expert, but I've noticed from some
of my own activities that these double click ads seem to 'refresh' from the
banner server about every three seconds or so.  If you want to see a keen
example of this, I'd suggest you go out and grab a copy of wrq's atguard
(www.atguard.com) which 'grelaford' on this list keeps advocating.  For $30
it's a kind of intuitive little sucker which will give you an analytical
tool, provided you can pop it onto a machine outside your firewall and have
the time to experiment with some activities, to replicate what you're seeing
in your FW1 log.


JB
-----Original Message-----
From: Matt Dunn [mailto:matt () electrocentric com]
Sent: Thursday, November 18, 1999 12:01 PM
To: firewall-wizards () lists nfr net
Subject: Re: More Doubleclick Scans?


I may have jumped to conclusions on my last post, but then again I may not
have. Things on my end are starting to smell more like a configuration
problem, but there are some things that don't fit.

Here's a bit more detail than before:

The firewall in question is running Checkpoint FW-1/VPN-1 4.0 on a sparc 20
running Solaris 2.6. NAT is set up so that all machines on the private
network appear to the world as the external interface of the firewall
machine, which is why (I'm pretty certain) the destination field on the log
entries indicates the firewall itself.

I've got an amazing number of log entries that look something like this:

Date | Time | Interface | Action | Service | Source | Destination | Protocol | S_Port

18Nov1999 | 11:28:30 | le0 | drop | 49036 | mav8.doubleclick.net | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49278 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49279 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:29:15 | le0 | drop | 49209 | ads-real01.zdnet.com | firewall | tcp | http

Despite the timestamps I've shown here, I'm averaging about one of these
every three seconds.

Some of the odd things that I've noticed:
- The source port being http (and occasionally https), which would lead me
to believe that these are actually outbound requests whose response is
being dropped (state tables?)
- These are consistently banner ad servers, or at least related to a banner
ad service.
- There are many different banner ad services represented (I gave three in
the example above; the IP addresses are Link Exchange machines)
- There is no way that there should be enough surfing going on for the
location to even be requesting a banner ad every three seconds, given the
number of employees and what they do. (This is hardly a scientific metric,
but you can't ignore gut feelings.)

The firewall configuration is fairly vanilla (only 10 active rules,
including VPN capabilities), there are only about 50 computers in the
building, and only about 30 people (pretty high server ratio), and a sparc
20, while not exactly new, is what we like to call 'proven technology,' so
I'm pretty sure it should be able to handle the number of connections we're
talking about.

The questions that I'm left with:
Is this a software bug with FW-1?
Is my hardware capable of handling current load?
Why does this only seem to be happening with banner services?
Is this a malicious scan? If so, what the heck are they scanning for?
Why aren't my users reporting errors?

If you have any questions I missed (on topic please), or better yet,
possible answers, please let me know.

Thanks in advance,

-Matt
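An added triage script for the pattern Matt describes, written for this archive page and not taken from the thread or from any poster. It runs over a constructed sample in the pipe-delimited layout he quotes, separates drops that look like a web server's reply arriving at an ephemeral port on the firewall (his state-table theory) from other drops, and reports per-source counts and the observed rate. The field names, the constructed port-23 line and the address 192.0.2.10 are assumptions.

```python
"""Triage FW-1 style drop records for the 'late reply' pattern discussed in the thread."""
from collections import Counter
from datetime import datetime

# Constructed sample in the pipe-delimited layout Matt quoted (not his real log); the
# last line is an inbound probe of port 23 so the filter has something to reject.
SAMPLE_LOG = """\
Date | Time | Interface | Action | Service | Source | Destination | Protocol | S_Port
18Nov1999 | 11:28:30 | le0 | drop | 49036 | mav8.doubleclick.net | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49278 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:28:32 | le0 | drop | 49279 | 206.132.79.67 | firewall | tcp | http
18Nov1999 | 11:29:15 | le0 | drop | 49209 | ads-real01.zdnet.com | firewall | tcp | http
18Nov1999 | 11:29:20 | le0 | drop | 23 | 192.0.2.10 | firewall | tcp | 1234
"""
FIELDS = ["date", "time", "iface", "action", "service", "src", "dst", "proto", "s_port"]
WEB_PORTS = {"http", "https", "80", "443"}  # FW-1 prints service names when it knows them

def parse_line(line):
    """Split one record into a dict; None for the header row or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")
    except ValueError:
        return None
    return rec

def is_late_reply(rec):
    """Dropped packet FROM a web port TO an ephemeral (>1023) port on the firewall: the
    signature of a server reply whose connection FW-1 no longer tracks (expired or
    missing state entry), which is the state-table theory Matt raises."""
    return (rec["action"] == "drop" and rec["s_port"] in WEB_PORTS
            and rec["service"].isdigit() and int(rec["service"]) > 1023)

def triage(text):
    """Counts, per-source totals and observed rate of late-reply drops in a log excerpt."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    late = [r for r in recs if is_late_reply(r)]
    span = (late[-1]["ts"] - late[0]["ts"]).total_seconds() if len(late) > 1 else 0.0
    return {"total": len(recs), "late_replies": len(late),
            "other_drops": len(recs) - len(late),
            "per_source": dict(Counter(r["src"] for r in late)),
            "per_second": len(late) / span if span else 0.0}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A high late-reply share with a low other-drop count points at session timeouts or NAT state rather than at a scan; a real excerpt is fed in by replacing SAMPLE_LOG with the log text.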
