LinuxQuestions.org
Old 06-23-2001, 10:10 AM   #1
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Need ideas to block traffic from advertisement servers


I am using Redhat 7.1 on Intel as a gateway for internal LAN.
Thanks to Razbot who got me setup with firewall rules.
Now I am trying to stop junk ad traffic into my LAN. I noticed too many webpages contain too many links to ad servers such as ad.doubleclick.net; these links often contain annoying animation graphics that consume too much of my network bandwidth and PC memory.

Initially the solution appears to be a very simple one: if I can dig/nslookup out the ad server's IP address, then I establish rules to reject traffic based on source IP address. But the
problem is: the ad server IP address seems to be hopping or rotating.
You can block one or two or more IPs, but it just keeps coming from another IP.

Because I am also concerned over the rumors that ad servers can snoop on users' PCs or on users using Java or cookies, and to
save network bandwidth, it is better for me to stop junk traffic. So I haven't decided to give up.

To find out ad server addresses, I can do a simple ping: ping ad.doubleclick.net:
PING gd3.doubleclick.net (208.32.211.200) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec

With the ip handy, I added its ip to the ipchains block list:
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT

but ads keep coming from another IP, then another IP...

I am using my Linux box as a caching DNS server; I don't quite understand why the nslookup or dig results keep hopping or changing for the same host: ad.doubleclick.net

Here is a list of IP addresses I dug out, and it seems the results just keep changing and growing. I thought perhaps I should stop digging now and seek advice from net users.

208.184.29.70
204.253.104.45
208.184.29.110
206.65.183.110
204.253.104.95
204.253.104.30
208.184.29.50
209.67.38.106
208.184.29.70
206.65.183.80
209.67.38.106
209.67.38.102
204.253.104.45
204.253.104.30
208.32.211.200
208.184.29.130
206.65.183.155
208.184.29.50
.....

Any suggestions for a simple way to stop ads coming into the internal LAN from ad servers such as doubleclick.net and ads.web.aol.com?
Thanks a lot.
 
Old 06-23-2001, 10:25 AM   #2
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,692

junkbuster or guidescope

www.junkbuster.com
 
Old 06-23-2001, 11:36 AM   #3
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
blocking ad servers

I got some good answers from the Linux security FAQ,
http://www.linuxsecurity.com/docs/colsfaq.html#3.6
but I'd appreciate any further comments and input. Thanks.
 
Old 06-23-2001, 11:53 AM   #4
sulin7
LQ Newbie
 
Registered: Jun 2001
Location: new york CITYYYY
Distribution: SuSE 7.1
Posts: 7

What about blocking a range of IP addresses?

I notice from your list

208.184.29.whatever comes up

so block 208.184.29.all

I don't have this problem yet, but I plan to set up a gateway for my LAN, so if you do solve it I would appreciate being kept informed.



 
Old 06-23-2001, 12:53 PM   #5
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
I may have blocked them.

Thanks for your suggestions. I checked junkbuster.com; it doesn't seem to be something that can run on Linux as a gateway.
So, I guess it's better for me to focus on rules with ipchains.
Now after I put the following rules into my ipchains firewall, I no longer see any connections from my LAN to doubleclick.net. Maybe it has started working, but I am not sure, because even though I don't see connections to the mentioned ad server, I still see my browser window filled with ads; perhaps those webpages link to ad servers in multiple domains.

ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A output -d 208.184.29.0/24 -j REJECT
ipchains -A output -d 208.211.255.0/24 -j REJECT
ipchains -A output -d 209.67.38.0/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A output -d 206.65.183.0/24 -j REJECT
ipchains -A output -d 206.67.38.0/24 -j REJECT
ipchains -A output -d 208.32.211.0/24 -j REJECT

With the above rules inserted,
ipchains -L -M no longer shows connections to doubleclick.net,
but there are connections possibly to other ad servers:
....
TCP 01:43.00 air2.mydoman centrport-sjdc-201-123.digisle.net 2740 (61469) -> http
TCP 01:38.75 air2.mydomain imgfarm.snv.mediaplex.com 2729 (61464) -> http
.....

Now I'm trying to get rid of ads from these junk servers next.
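The two lists in this thread (the addresses LionKing dug out for ad.doubleclick.net in the first post, and the /24 networks rejected by the rules just above) are enough to check the "IP hopping" problem mechanically: which sighted addresses are still outside every blocked network, and what /24 rules would close the gap. The script below is an added example written for this thread, not code from any poster or from ipchains; the address and network lists are copied from the posts, and the extra sightings at the bottom are constructed documentation addresses used only to show the aggregation step.

```python
import ipaddress

# Addresses LionKing reported for ad.doubleclick.net in post #1
# (copied from the thread, duplicates removed).
OBSERVED_IPS = [
    "208.184.29.70", "204.253.104.45", "208.184.29.110", "206.65.183.110",
    "204.253.104.95", "204.253.104.30", "208.184.29.50", "209.67.38.106",
    "206.65.183.80", "209.67.38.102", "208.32.211.200", "208.184.29.130",
    "206.65.183.155",
]

# Destination networks rejected by the ipchains rules in post #5.
BLOCKED_NETS = [
    "199.95.207.0/24", "199.95.208.0/24", "208.184.29.0/24", "208.211.255.0/24",
    "209.67.38.0/24", "204.253.104.0/24", "206.65.183.0/24", "206.67.38.0/24",
    "208.32.211.0/24",
]


def uncovered(observed, blocked):
    """Return the observed addresses that no blocked network contains, sorted."""
    nets = [ipaddress.ip_network(n) for n in blocked]
    missing = {ip for ip in observed
               if not any(ipaddress.ip_address(ip) in n for n in nets)}
    return sorted(missing, key=ipaddress.ip_address)


def propose_slash24(ips):
    """Collapse a list of hosts into the /24 networks that contain them."""
    nets = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
    return sorted(nets, key=ipaddress.ip_network)


def ipchains_rules(nets, chain="output"):
    """Render one REJECT rule per network, in the form used in the thread."""
    return [f"ipchains -A {chain} -d {n} -j REJECT" for n in nets]


if __name__ == "__main__":
    gaps = uncovered(OBSERVED_IPS, BLOCKED_NETS)
    print("observed addresses not covered by the current rules:", gaps or "none")
    # Constructed extra sightings (RFC 5737 documentation addresses), to show
    # how newly seen hosts would be turned into candidate rules.
    new_sightings = ["192.0.2.17", "192.0.2.200", "198.51.100.9"]
    for rule in ipchains_rules(propose_slash24(uncovered(new_sightings, BLOCKED_NETS))):
        print(rule)
```

The script only reports; it never runs ipchains. That is deliberate: a /24 usually belongs to a hosting provider and contains unrelated hosts, so each proposed rule is worth a whois check before it goes into the firewall, which is the over-blocking cost of this approach that the later posts about proxy-based filtering are getting at.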
 
Old 06-25-2001, 07:14 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Have you really looked at junkbuster?

Code:
10.0.0.2-->10.0.0.1--------->Net
Netscape-->junkbuster:8080-->Whatever
or
Code:
10.0.0.2-->10.0.0.1
Netscape-->junkbuster:8080
		V
       Delegate/Squid:3128--------->Whatever
can do just fine; you only need to block -p tcp -y -s'es on :8080 and :3128 for outsiders trying to connect in.
Junkbuster has ACLs, blocklists, forwarders to other proxies and also does blocking based on regex; now let me see you do that with chains :-]
 
Old 06-25-2001, 08:58 PM   #7
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Thanks unSpawn.

Thanks for your ideas. I think the ipchains are working well enough. You are welcome to try to break in; if you succeed, tell me how you did it, or where the weakness is, and I'll send you a small gift. Where are you located, by the way? I am in Allen, Texas, US. My Linux box is: luna.rockstone.com. Try anything but a DoS attack, so I can still have bandwidth to communicate. I'd be glad to share what I have with ipchains in place. Best regards.
 
Old 06-26-2001, 05:11 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

UnSpawn,

You're welcome to scan it for weaknesses, as I've had my hands in it setting up the firewall.

DoS attacks won't work very well, as I've been there too.

/Raz
 
Old 07-01-2001, 02:27 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

From the replies (Lion/Raz) of both of you I can see you don't get what I'm saying, which I find very strange, especially from you Raz.

Please reread my reply and tell me where I mentioned DoS attacks and where I am even stupid enough to volunteer DoSSing him. Even if someone had a lack of common sense in choosing weapons, choosing a target like that would just be a plain waste of time (as in: know your cable IANA ranges).

IPChains IMO aren't difficult to set up with a 'lil bit of knowledge & testing. They can be made as dynamic as you would like. Adding a few hosts won't hurt. It's just not efficient for filtering; it's a way crude solution (like the Russians using a welded iron bar and screw for a hammer at Chernobyl).

Where you would block 20 IP's for counters/ads I would just do
Code:
/*.*/((digi|fast|fp|hit|nph|smart|www)[._-]?)?count(er|web)?[0-9]*(\.[a-z]*)?(/|\?)
or
Code:
/*.*/adv((er)?ts?|ertis(ing|ements?))?/
.
See what I mean?
 
Old 07-01-2001, 03:37 PM   #10
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Hi UnSpawn, sorry if you felt I misunderstood you, but your 'code' seems way above me. Could you explain what you mean by "10.0.0.2-->10.0.0.1--------->Net
Netscape-->junkbuster:8080-->Whatever"?
Do you mean just add junk ad servers to the local hosts file and have them point to localhost, so requests to those servers would actually never reach the real server, therefore effectively blocking them? I am not sure how junkbuster.com works, but I'd try to avoid using an external proxy server.

And how does your 2nd row of code work, and where or in which file do I put the code?

Code:
/*.*/((digi|fast|fp|hit|nph|smart|www)[._-]?)?count(er|web)?[0-9]*(\.[a-z]*)?(/|\?)

Well, I have another machine which is not on cable and does not have any type of firewall running; would you be interested in testing to see if you can penetrate it or not? The IP is: 216.36.126.92
 
Old 07-02-2001, 04:43 AM   #11
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

UnSpawn, you're correct, I did misunderstand what you were getting at, but you also misunderstood what we meant in the reply, i.e. you are welcome to have a look as "you" could add some constructive value.

Anyway,
I've given up on blocking ads as my connection is fast enough and they are always designing ways to get you to stop blocking them; for example, I stopped an ad server the other day and it decided this also meant I wasn't allowed to access the website.
"as in counter-blocking the blocker"

/Raz
 
Old 07-02-2001, 07:25 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Ok, the code lines are regular expression examples Junkbuster uses to show how versatile it is in comparison to the "rigid" approach of blocking IPs.

The first line you mention in your last reply was to show you could run Junkbuster in a central position (fi. on a gw), increasing efficiency by having all filter rules in one place.

The second thing, /etc/hosts, is a solution similar to ipchains filtering; it isn't a fine-grained approach, I'd say.

If you're interested in setting up Junkbuster for a trial I'll answer any questions you have; it shouldn't be in the sec. forum then, though, but in networking/general.

I am taking pen-testing your Rockstone RH(7.1?) Apache/DAV/SSL/PERL/PHP into consideration.
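To make concrete what the two patterns in post #9 actually match (and, just as importantly, what they leave alone), here is an added example that is not code from any poster or from Junkbuster: it applies unSpawn's two expressions verbatim, using Python's re module, to the path-and-query part of a handful of constructed URLs. This is an assumption about how the patterns are meant to be read; Junkbuster's own blockfile matcher has its own syntax for the host part and applies path patterns its own way, so treat the script as an illustration of the regex idea rather than a re-implementation of the tool. The hostnames are documentation names, not real ad servers.

```python
import re
from urllib.parse import urlsplit

# unSpawn's two Junkbuster-style path patterns, copied verbatim from post #9.
PATTERNS = [
    r"/*.*/((digi|fast|fp|hit|nph|smart|www)[._-]?)?count(er|web)?[0-9]*(\.[a-z]*)?(/|\?)",
    r"/*.*/adv((er)?ts?|ertis(ing|ements?))?/",
]
COMPILED = [(p, re.compile(p)) for p in PATTERNS]


def path_and_query(url):
    """The part of the URL the patterns are applied to (assumption: path + '?' + query)."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def matching_pattern(url):
    """Return the first pattern that hits the URL, or None if the URL passes."""
    target = path_and_query(url)
    for pattern, rx in COMPILED:
        if rx.search(target):
            return pattern
    return None


def filter_urls(urls):
    """Split URLs into (blocked, allowed) lists, preserving their order."""
    blocked, allowed = [], []
    for url in urls:
        (blocked if matching_pattern(url) else allowed).append(url)
    return blocked, allowed


# Constructed sample requests a browser behind the proxy might make.
SAMPLE_URLS = [
    "http://www.example.com/cgi-bin/counter.cgi?id=42",       # hit counter
    "http://www.example.com/hit-counter2.cgi?site=lq",        # prefixed counter
    "http://ads.example.net/adverts/banner.gif",              # ad directory
    "http://ads.example.net/advertising/468x60.gif",          # ad directory
    "http://www.example.org/advanced/search",                 # looks like "adv", is not
    "http://www.example.org/news/country.html",               # contains "count", is not
]

if __name__ == "__main__":
    blocked, allowed = filter_urls(SAMPLE_URLS)
    for url in blocked:
        print("BLOCK ", url, "  <-", matching_pattern(url))
    for url in allowed:
        print("ALLOW ", url)
```

The last two sample URLs are the interesting ones: "advanced" and "country" contain the same letters the patterns key on, but the trailing "/" or "?" the expressions require after the counter name, and the "/" required after "adv...", keep them from matching. That anchoring is what makes a regex blocklist precise enough to run on every request, whereas a /24 block cannot distinguish an ad image from anything else hosted in the same network.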
 
Old 07-02-2001, 09:47 AM   #13
#!
Member
 
Registered: May 2001
Distribution: RedHat, 'drake, suse, slack, gentoo, beehive, lfs...
Posts: 43

You could also set up Apache with mod_rewrite, and make rewrite rules to redirect incoming banner ads to an image on your local machine. This is not IP dependent, which is nice, though you can use an IP if you want. You can use a regex to identify a domain name where the banner comes from, and any space on the webpage normally taken up by the banner will now contain your local image, which saves a ton of bandwidth and is prettier than broken image files.

At that point, you would then point everyone on your network to look at Apache as a proxy. I used to do this when I shared a 56k connection and it was awesome.
 
Old 07-02-2001, 10:47 AM   #14
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Ok, thanks for the explanation and the offer of help, UnSpawn. At this moment I am happy with what I have (the ipchains based firewall) unless someone can prove to me it is inefficient or penetrable. So, I probably won't try junkbuster for a while.

Yes, I confirm 216.36.126.92 is a Redhat 7.1; it has Apache running, but pretty much a default installation, with some updates installed. It is not a honeypot. No IDS or any monitoring thing, but I might try to install something on it in the next few days. Currently it is sitting there idle.
 