|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: TCP port 7 traffic from DoubleClick
Chris Brenton (cbrenton
sover.net)
Mon, 05 Jul 1999 17:36:45 -0400
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Arjan Vos: "Re: Extreme Hacking"
- Previous message: Mrten: "Re: Defaced Web pages"
- In reply to: Ken Hardy: "Re: Defaced Web pages"
- Next in thread: C. Harald Koch: "Re: TCP port 7 traffic from DoubleClick"
- Reply: C. Harald Koch: "Re: TCP port 7 traffic from DoubleClick"
Greg Nowicki wrote:
>
> My firewall has been logging a persistent stream of TCP connection attempts
> to port 7 (echo) from six hosts belonging to DoubleClick. I would like to
> know if anyone else on the list has observed this?
Absolutely. What you are seeing are the obnoxious reverse connections a
number of sites like DoubleClick are using these days in order to zone
in on your physical location. You may also see connection attempts to
TCP/53 and ECHO-Request.
The "claim" is that this is being done in order to serve you up data
from the closest Web server to your location, but I've seen a number of
concerns that this may be yet another attempt by DoubleClick to gain as
much information on Web surfers as possible.
At the very least, its bad form and a waste of bandwidth as I would
expect less than 1% of the DNS servers on the wire leave TCP-Echo open.
Its just too easy to exploit.
Speaking of which, has anyone noticed what Altavista has been up to
these days? If you have a DoubleClick cookie entry, try the following:
1) Go to http://www.altavista.com
2) Enter a search string
3) Sniff your outbound connection
What you will see is the local system creating a connection to:
http://ad.doubleclick.net/adi/altivista.digital.com/
in order to send the following string:
result_front;kw=all+search+words+you+entered;ord=nine_digit_ID_number
I still need to get my ducks lined up on this one, but I believe the
"odr" number is your DoubleClick ID/Cookie number. If this is true, then
Altavista is reporting to DoubleClick any searches you perform on their
site. Scary stuff. I have not seen this with any other major search
engine.
I'm also curious if anyone has seen this type of activity when they
place an on-line order. The possibilities get really scary if you add
personal information to the data that DoubleClick is already collecting.
And to think we where worried about the government becoming "Big
Brother". ;)
Just wondering if anyone else has played around with this stuff and can
confirm or deny.
Cheers,
Chris
-- ************************************** cbrenton* Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
- Next message: Arjan Vos: "Re: Extreme Hacking"
- Previous message: Mrten: "Re: Defaced Web pages"
- In reply to: Ken Hardy: "Re: Defaced Web pages"
- Next in thread: C. Harald Koch: "Re: TCP port 7 traffic from DoubleClick"
- Reply: C. Harald Koch: "Re: TCP port 7 traffic from DoubleClick"
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:02 CDT