Firewall Wizards mailing list archives
Re: port 17027
From: Bill_Royds () pch gc ca
Date: Fri, 21 Apr 2000 12:50:43 -0400
The Conducent adbot uses both port 17027 and ports 80 and 8080 for its traffic. The 17027 seems to be a side channel for control, while the http ports are used to send the actual advertising banners using a POST/GET protocol. Since we have a proxy firewall, the 17027 connect attempts are just dropped with a rst as you suggest, but the http are, of course, answered. There seems to be no problem blocking 17027 other than a regular (once every 5 minutes) retry. But if you block the http IP destination completely from a connect (RST) while still answering other HTTP connect attempts, the adbot retries a connect as fast as possible (10-20 times/second), causing a real denial of service to the client and possibly to the firewall. Since it is their client talking to their server, it is valid HTTP but not HTML, which gets around most firewalls. You need to have an HTTP session but with a returned error code. Here are some log entries for the HTTP connect attempts showing the URL format. I don't have the actual content of the POST.
Apr 20 13:23:42.604 gate httpd[28691]: 121 Statistics: duration=0.03 id=15zmLe sent=317 rcvd=402 srcif=hme0 src=172.23.201.112/1034 dstif=hme1 dst=216.33.199.72/80 dstname=bootstraps.conducent.com op=GET arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=copier&s=32&c=%08ncuppen&u=01D823D9B30000000000000000000000000000321422001022900000000000000000000000000000&v=4000000 result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)
Apr 20 13:56:46.069 gate httpd[28819]: 121 Statistics: duration=0.56 id=15A0eO sent=317 rcvd=402 srcif=hme0 src=172.23.201.112/1064 dstif=hme1 dst=216.33.199.93/80 dstname=bootstraps.conducent.com op=GET arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=copier&s=32&c=%08ncuppen&u=01D823D9B30000000000000000000000000000321422001022900000000000000000000000000000&v=4000000 result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)
=======================================================
Apr 20 11:19:55.994 gate httpd[28120]: 121 Statistics: duration=0.01 id=15w5c3 sent=544 rcvd=402 srcif=hme0 src=172.23.11.140/1682 dstif=hme1 dst=216.33.199.109/8080 dstname=contents.conducent.com op=POST arg=http://contents.conducent.com:8080/BeginSession?PVersion=1.0&CVersion=4000000&TVersion=1.0 result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)
Apr 20 13:52:45.902 gate httpd[28454]: 121 Statistics: duration=0.50 id=15A3HY sent=322 rcvd=402 srcif=hme0 src=172.23.11.140/1844 dstif=hme1 dst=216.33.199.93/80 dstname=bootstraps.conducent.com op=GET arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=CuteFTP&s=40&c=%0cGlobalSCAPE&u=01D823D9B40000000000000000000000000000469002001041900000000000000000000000000000&v=4000000 result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)
Apr 20 13:52:47.616 gate httpd[28691]: 121 Statistics: duration=0.01 id=15A7vo sent=544 rcvd=402 srcif=hme0 src=172.23.11.140/1848 dstif=hme1 dst=216.33.199.121/8080 dstname=contents.conducent.com op=POST arg=http://contents.conducent.com:8080/BeginSession?PVersion=1.0&CVersion=4000000&TVersion=1.0 result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)
Apr 20 13:52:47.574 gate httpd[29090]: 121 Statistics: duration=0.01 id=15AbEl sent=542 rcvd=402 srcif=hme0 src=172.23.11.140/1847 dstif=hme1 dst=216.33.199.123/80 dstname=contents.conducent.com op=POST arg=http://contents.conducent.com:80/BeginSession?PVersion=1.0&CVersion=4000000&TVersion=1.0 result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)

The IP range is rather large, being 216.33.198.0/23.

There was a big flap recently about Aureate/Radiant software that did a similar thing.

"Paul D. Robertson" <proberts () clark net> on 2000/04/19 17:29:29
Please respond to "Paul D. Robertson" <proberts () clark net>
To: Bill Royds/HullOttawa/PCH/CA@PCH
cc: Ken Fox <kenfox () starlinx com>, firewall-wizards () nfr net
Subject: Re: [fw-wiz] port 17027

On Wed, 12 Apr 2000 Bill_Royds () pch gc ca wrote:
You have people who have installed "adware" with ads from Conducent, shareware programs that go get advertising to show on the desktop from these sites. If you check HTTP traffic to those same IP's you will find a lot more, but if you block the HTTP, the programs will try to blow away your network with about 10-15 connect attempts a second. Best to have company policy to not install shareware without permission. Look in the clients registry for entries for Conducent, Timesink or Aureate.
Why not route those networks internally and set up a NetBSD box with a return-rst rule, or have they not accounted for their servers not answering?

Why limit the policy to shareware? Nothing stops a commercial software vendor from doing the same thing.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
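An added example, not code from the thread or from any of its participants: a Python parser for the proxy "Statistics:" log lines quoted above that picks out the adbot sessions by destination name and flags any client whose connect rate looks like the retry storm Bill describes, which is the condition a firewall admin would want to alert on before the client or proxy is swamped. The domain list, the 10-connects-per-second threshold and the burst of sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Proxy log tokens are key=value; quoted values (result="403 Forbidden") may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'^(\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d+)')
ADBOT_DOMAINS = ("conducent.com",)   # assumption: the domains seen in the thread


def parse_stat_line(line):
    """Turn one 'Statistics:' line into a dict; return None for any other line."""
    m = TS_RE.match(line)
    if not m or "Statistics:" not in line:
        return None
    rec = {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")}
    for key, val in KV_RE.findall(line.split("Statistics:", 1)[1]):
        rec[key] = val.strip('"')
    return rec


def adbot_records(lines, domains=ADBOT_DOMAINS):
    """Keep only sessions whose dstname falls under one of the adbot domains."""
    recs = (parse_stat_line(l) for l in lines)
    return [r for r in recs if r and r.get("dstname", "").endswith(domains)]


def retry_bursts(records, window=1.0, threshold=10):
    """Per client host, max connects inside any sliding window; report hosts at/over threshold."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"].split("/")[0]].append(r["ts"])
    bursts = {}
    for host, stamps in by_src.items():
        stamps.sort()
        best, j = 0, 0
        for i, t in enumerate(stamps):
            while (t - stamps[j]).total_seconds() > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


# Constructed sample: one 403'd bootstrap GET, one unrelated hit, then a 12-connect burst in
# 0.6 s from a single client, modelled on the 10-20/s retry behaviour described in the thread.
SAMPLE = [
    'Apr 20 13:23:42.604 gate httpd[28691]: 121 Statistics: duration=0.03 id=15zmLe sent=317 rcvd=402 srcif=hme0 src=172.23.201.112/1034 dstif=hme1 dst=216.33.199.72/80 dstname=bootstraps.conducent.com op=GET arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=copier result="403 Forbidden" proto=http rule=311 (Couldn\'t find approved URL list)',
    'Apr 20 13:24:01.100 gate httpd[28692]: 121 Statistics: duration=0.10 id=15zmLf sent=300 rcvd=400 srcif=hme0 src=172.23.201.112/1035 dstif=hme1 dst=192.0.2.10/80 dstname=www.example.com op=GET arg=http://www.example.com/ result="200 OK" proto=http rule=300',
] + [
    f'Apr 20 13:52:47.{100 + 50 * i:03d} gate httpd[29090]: 121 Statistics: duration=0.01 id=b{i:05d} sent=544 rcvd=402 srcif=hme0 src=172.23.11.140/{1848 + i} dstif=hme1 dst=216.33.199.121/8080 dstname=contents.conducent.com op=POST arg=http://contents.conducent.com:8080/BeginSession?PVersion=1.0 result="403 Forbidden" proto=http rule=311'
    for i in range(12)
]

if __name__ == "__main__":
    print(retry_bursts(adbot_records(SAMPLE)))
```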