Firewall Wizards mailing list archives

Re: port 17027


From: Bill_Royds () pch gc ca
Date: Fri, 21 Apr 2000 12:50:43 -0400

The Conducent adbot uses both port 17027 and ports 80 and 8080 for its traffic.
The 17027 seems to be a side channel for control while the http ports are used
to send the actual advertising banners using a POST/GET protocol. Since we have
a proxy firewall, the 17027 connect attempts are just dropped with a rst as you
suggest, but the http ones are, of course, answered.
There seems to be no problem blocking 17027 other than a regular (once every 5
minutes) retry. But if you block the http IP destination completely from a
connect (RST) while still answering other HTTP connect attempts, the adbot
retries a connect as fast as possible (10-20 times/second), causing a real
denial of service to the client and possibly to the firewall.
Since it is their client talking to their server, it is valid HTTP but not HTML
which gets around most firewalls. You need to have an HTTP session but with a
returned error code.
Here are some log entries for the HTTP connect attempts showing the URL format. I
don't have the actual content of the POST.



Apr 20 13:23:42.604 gate httpd[28691]: 121 Statistics: duration=0.03 id=15zmLe
sent=317 rcvd=402 srcif=hme0 src=172.23.201.112/1034 dstif=hme1
dst=216.33.199.72/80 dstname=bootstraps.conducent.com op=GET
arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=copier&s=32&c=%08ncuppen&u=01D823D9B30000000000000000000000000000321422001022900000000000000000000000000000&v=4000000
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)

Apr 20 13:56:46.069 gate httpd[28819]: 121 Statistics: duration=0.56 id=15A0eO
sent=317 rcvd=402 srcif=hme0 src=172.23.201.112/1064 dstif=hme1
dst=216.33.199.93/80 dstname=bootstraps.conducent.com op=GET
arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=copier&s=32&c=%08ncuppen&u=01D823D9B30000000000000000000000000000321422001022900000000000000000000000000000&v=4000000
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)

=======================================================

Apr 20 11:19:55.994 gate httpd[28120]: 121 Statistics: duration=0.01 id=15w5c3
sent=544 rcvd=402 srcif=hme0 src=172.23.11.140/1682 dstif=hme1
dst=216.33.199.109/8080 dstname=contents.conducent.com op=POST
arg=http://contents.conducent.com:8080/BeginSession?PVersion=1.0&CVersion=4000000&TVersion=1.0
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)

Apr 20 13:52:45.902 gate httpd[28454]: 121 Statistics: duration=0.50 id=15A3HY
sent=322 rcvd=402 srcif=hme0 src=172.23.11.140/1844 dstif=hme1
dst=216.33.199.93/80 dstname=bootstraps.conducent.com op=GET
arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=CuteFTP&s=40&c=%0cGlobalSCAPE&u=01D823D9B40000000000000000000000000000469002001041900000000000000000000000000000&v=4000000
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)

Apr 20 13:52:47.616 gate httpd[28691]: 121 Statistics: duration=0.01 id=15A7vo
sent=544 rcvd=402 srcif=hme0 src=172.23.11.140/1848 dstif=hme1
dst=216.33.199.121/8080 dstname=contents.conducent.com op=POST
arg=http://contents.conducent.com:8080/BeginSession?PVersion=1.0&CVersion=4000000&TVersion=1.0
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)

Apr 20 13:52:47.574 gate httpd[29090]: 121 Statistics: duration=0.01 id=15AbEl
sent=542 rcvd=402 srcif=hme0 src=172.23.11.140/1847 dstif=hme1
dst=216.33.199.123/80 dstname=contents.conducent.com op=POST
arg=http://contents.conducent.com:80/BeginSession?PVersion=1.0&CVersion=4000000&TVersion=1.0
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)


The IP range is rather large, being 216.33.198.0/23.

There was a big flap recently about Aureate/Radiant software that did a similar
thing.





"Paul D. Robertson" <proberts () clark net> on 2000/04/19 17:29:29

Please respond to "Paul D. Robertson" <proberts () clark net>

 To:      Bill Royds/HullOttawa/PCH/CA@PCH
 cc:      Ken Fox <kenfox () starlinx com>,
          firewall-wizards () nfr net
 Subject: Re: [fw-wiz] port 17027

On Wed, 12 Apr 2000 Bill_Royds () pch gc ca wrote:

You have people who have installed "adware" with ads from Conducent, shareware
programs that go get advertising to show on the desktop from these sites.  If
you check HTTP traffic to those same IPs you will find a lot more, but if you
block the HTTP, the programs will try to blow away your network with about
10-15 connect attempts a second. Best to have company policy to not install
shareware without permission.
Look in the clients' registry for entries for Conducent, Timesink or Aureate.


Why not route those networks internally and set up a NetBSD box with a
return-rst rule, or have they not accounted for their servers not
answering?

Why limit the policy to shareware?  Nothing stops a commercial software
vendor from doing the same thing.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
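A detection pass over proxy log entries in the format quoted at the top of this message, written as an added example (not part of the original post): it regroups the wrapped records, keys on the `src`, `dstname` and `arg` fields, names the shareware via the `a=` query parameter, and measures the per-second request rate that separates a blocked adbot's retry storm from its normal five-minute retry. The sample records are constructed to match the quoted format with the `u=` token replaced by a placeholder; the `.conducent.com` watch-list suffix and the storm threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample in the quoted log format; the u= tracking token is a placeholder.
SAMPLE_LOG = """\
Apr 20 13:23:42.604 gate httpd[28691]: 121 Statistics: duration=0.03 id=15zmLe
sent=317 rcvd=402 srcif=hme0 src=172.23.201.112/1034 dstif=hme1
dst=216.33.199.72/80 dstname=bootstraps.conducent.com op=GET
arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=copier&s=32&u=TOKEN&v=4000000
result="403 Forbidden" proto=http rule=311 (Couldn't find approved URL list)
Apr 20 13:52:47.574 gate httpd[29090]: 121 Statistics: src=172.23.11.140/1847 dstname=contents.conducent.com op=POST arg=http://contents.conducent.com:80/BeginSession?PVersion=1.0 result="403 Forbidden"
Apr 20 13:52:47.616 gate httpd[28691]: 121 Statistics: src=172.23.11.140/1848 dstname=contents.conducent.com op=POST arg=http://contents.conducent.com:8080/BeginSession?PVersion=1.0 result="403 Forbidden"
Apr 20 13:52:47.702 gate httpd[28691]: 121 Statistics: src=172.23.11.140/1849 dstname=bootstraps.conducent.com op=GET arg=http://bootstraps.conducent.com:80//scripts/BootstrapServer.dll?ACBS&a=CuteFTP&s=40&u=TOKEN&v=4000000 result="403 Forbidden"
"""
RECORD_START = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) ")  # timestamp opens a record
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, quoted or bare

def parse_records(text):
    """Regroup wrapped log lines into records and pull out their key=value fields."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line])          # new record starts at a timestamp
        elif records and line.strip():
            records[-1].append(line)        # continuation of the wrapped record
    parsed = []
    for lines in records:
        joined = " ".join(lines)
        fields = {m.group(1): m.group(2).strip('"') for m in FIELD.finditer(joined)}
        fields["ts"] = datetime.strptime(RECORD_START.match(joined).group(1), "%b %d %H:%M:%S.%f")
        parsed.append(fields)
    return parsed

def adbot_report(records, suffixes=(".conducent.com",), storm_threshold=10):
    """Per source host: adbot hits, advertised program names, peak hits per second, storm flag.
    storm_threshold is an assumed tunable; the thread reports 10-20 retries/s once blocked by RST."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("dstname", "").endswith(suffixes):
            by_src[r["src"].split("/")[0]].append(r)   # drop the client port
    report = {}
    for src, hits in by_src.items():
        times = sorted(r["ts"] for r in hits)
        # most requests seen in any one-second window (times are sorted, so scan forward)
        peak = max(sum((t - t0).total_seconds() < 1 for t in times[i:]) for i, t0 in enumerate(times))
        programs = {a for r in hits for a in parse_qs(urlparse(r["arg"]).query).get("a", [])}
        report[src] = {"hits": len(hits), "programs": sorted(programs),
                       "peak_per_sec": peak, "storm": peak >= storm_threshold}
    return report
```

Lowering `storm_threshold` on a real log surfaces hosts whose adbot is hammering a destination that answers with RST; hosts that only beacon every few minutes show a peak of 1.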