LinuxQuestions.org > Linux - Security > Need ideas to block traffic from advertisement servers
https://www.linuxquestions.org/questions/linux-security-4/need-ideas-to-block-traffic-from-advertisement-servers-3638/

LionKing 06-23-2001 10:10 AM

Need ideas to block traffic from advertisement servers
 
I am using Redhat 7.1 on Intel as a gateway for an internal LAN.
Thanks to Razbot who got me set up with firewall rules.
Now I am trying to stop junk ad traffic into my LAN. I noticed too many webpages contain too many links to ad servers such as ad.doubleclick.net; these links often contain annoying animated graphics that consume too much of my network bandwidth and PC memory.

Initially the solution appears to be a very simple one: if I can dig/nslookup out the ad server's IP address, then I establish rules to reject traffic based on source IP address. But the
problem is: the ad server's IP address seems to be hopping or rotating.
You can block one or two or more IPs, but it just keeps coming from another IP.

Because I am also concerned over the rumors that ad servers can snoop on users' PCs, or on users using Java or cookies, and to
save network bandwidth, it's better for me to stop junk traffic. So I haven't decided to give up.

To find out ad server addresses, I can do a simple ping: ping ad.doubleclick.net:
PING gd3.doubleclick.net (208.32.211.200) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec

With the IP handy, I added it to the ipchains block list:
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT

but ads keep coming from another IP, then another IP...

I am using my Linux box as a caching DNS server; I don't quite understand why the nslookup or dig result keeps hopping or changing for the same host: ad.doubleclick.net

Here is a list of IP addresses I dug out, and it seems the results just keep changing and growing. I thought perhaps I should stop digging now and seek advice from net users.

208.184.29.70
204.253.104.45
208.184.29.110
206.65.183.110
204.253.104.95
204.253.104.30
208.184.29.50
209.67.38.106
208.184.29.70
206.65.183.80
209.67.38.106
209.67.38.102
204.253.104.45
204.253.104.30
208.32.211.200
208.184.29.130
206.65.183.155
208.184.29.50
.....

Any suggestions for a simple way to stop ads coming to internal LAN from ad servers such as doubleclick.net and ads.web.aol.com ?
thanks a lot.
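The list above is the symptom of a hostname that resolves to a rotating pool of addresses, which is why one-IP-at-a-time REJECT rules keep falling behind. The script below is an added example, not code from the thread: it takes the addresses LionKing posted (reused here as constructed input, duplicates included), collapses them to their distinct /24 networks, and prints one ipchains output rule per network, so the rules are generated mechanically rather than typed by hand. Blocking on the gateway's output chain stops the LAN's requests before they leave, so no separate input rule is needed for replies. The caveat is the same one that applies to any prefix-wide rule: a /24 also covers unrelated hosts that share the block, so check what else lives there before widening a rule.

```shell
#!/bin/sh
# Added example (not from the thread): turn a list of resolved ad-server
# addresses into deduplicated /24 ipchains REJECT rules on the output chain.

# Constructed input: the addresses posted in the thread, duplicates included.
AD_IPS='208.184.29.70
204.253.104.45
208.184.29.110
206.65.183.110
204.253.104.95
204.253.104.30
208.184.29.50
209.67.38.106
208.184.29.70
206.65.183.80
209.67.38.106
209.67.38.102
204.253.104.45
204.253.104.30
208.32.211.200
208.184.29.130
206.65.183.155
208.184.29.50'

# Reduce addresses on stdin to their unique /24 networks, one per line.
# Lines that are not dotted quads (blank lines, hostnames) are dropped,
# and the result is sorted numerically by octet so the rule set is stable.
aggregate_24() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
    | cut -d. -f1-3 \
    | sort -t. -k1,1n -k2,2n -k3,3n -u \
    | sed 's/$/.0\/24/'
}

# Emit one ipchains output rule per network read on stdin.
# Rejecting on the gateway's output chain stops the LAN's requests before
# they leave; a request that is never sent gets no reply to filter on input.
gen_rules() {
    aggregate_24 | while read -r net; do
        printf 'ipchains -A output -d %s -j REJECT\n' "$net"
    done
}

# Number of distinct /24 networks in AD_IPS, as a quick sanity check.
count_networks() {
    printf '%s\n' "$AD_IPS" | aggregate_24 | wc -l | tr -d ' '
}

# Print the generated rule set; pipe it to sh to apply on an ipchains host.
printf '%s\n' "$AD_IPS" | gen_rules
```

The eighteen addresses in the thread reduce to five networks. Regenerating the list after each new dig result and diffing it against the previous run shows immediately whether a newly seen address is already covered or needs a new rule.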

rshaw 06-23-2001 10:25 AM

junkbuster or guidescope

www.junkbuster.com

LionKing 06-23-2001 11:36 AM

blocking ad servers
 
I got some good answers from the Linux Security FAQ,
http://www.linuxsecurity.com/docs/colsfaq.html#3.6
but I'd appreciate any further comments and input. Thanks.

sulin7 06-23-2001 11:53 AM

what about blocking a range of IP addresses

i notice from your list

208.184.29.whatever comes up

so block 208.184.29.all

i don't have this problem yet but i plan to set up a gateway for my lan so if you do solve it i would appreciate being kept informed



:newbie:

LionKing 06-23-2001 12:53 PM

I may have blocked them.
 
Thanks for your suggestions. I checked junkbuster.com; it doesn't seem to be something that can run on Linux as a gateway.
So, I guess it's better for me to focus on rules with ipchains.
Now after I put the following rules into my ipchains firewall, I no longer see any connections from my LAN to doubleclick.net. Maybe it's starting to work, but I am not sure, because even though I don't see connections to the mentioned ad server, I still see my browser window filled with ads; perhaps those webpages link to ad servers in multiple domains.

ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A output -d 208.184.29.0/24 -j REJECT
ipchains -A output -d 208.211.255.0/24 -j REJECT
ipchains -A output -d 209.67.38.0/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A output -d 206.65.183.0/24 -j REJECT
ipchains -A output -d 206.67.38.0/24 -j REJECT
ipchains -A output -d 208.32.211.0/24 -j REJECT

With the above rules inserted,
ipchains -L -M no longer shows connections to doubleclick.net,
but there are connections possibly to other ad servers:
....
TCP 01:43.00 air2.mydoman centrport-sjdc-201-123.digisle.net 2740 (61469) -> http
TCP 01:38.75 air2.mydomain imgfarm.snv.mediaplex.com 2729 (61464) -> http
.....

Now I'm trying to get rid of ads from these junk servers next.

unSpawn 06-25-2001 07:14 PM

Have you really looked at junkbuster?

Code:

10.0.0.2-->10.0.0.1--------->Net
Netscape-->junkbuster:8080-->Whatever

or
Code:

10.0.0.2-->10.0.0.1
Netscape-->junkbuster:8080
                V
      Delegate/Squid:3128--------->Whatever

can do just fine; you only need to block -p tcp -y -s'es on :8080 and :3128 for outsiders trying to connect in.
Junkbuster has ACLs, blocklists, forwarders to other proxies and also does blocking based on regex; now let me see you do that with chains :-]

LionKing 06-25-2001 08:58 PM

Thanks unSpawn.
 
Thanks for your ideas. I think the ipchains are working well enough. You are welcome to try to break in; if you succeed, tell me how you did it, or where the weakness is, and I'll send you a small gift. Where are you located, by the way? I am in Allen, Texas, US. My Linux box is: luna.rockstone.com. Try anything but a DoS attack, so I can still have bandwidth to communicate. I'd be glad to share what I have with ipchains in place. Best regards.

raz 06-26-2001 05:11 AM

UnSpawn,

You're welcome to scan it for weaknesses, as I've had my hands in it setting up the firewall. :D

DoS attacks won't work very well, as I've been there too.

/Raz

unSpawn 07-01-2001 02:27 PM

From the replies (Lion/Raz) of both of you I can see you don't get what I'm saying, which I find very strange, especially from you, Raz.

Please reread my reply and tell me where I mentioned DoS attacks and where I am even stupid enuff to volunteer DoSSing him. Even if someone had a lack of common sense in choosing weapons, choosing a target like that would just be a plain waste of time (as in: know your cable IANA ranges).

IPChains IMO aren't difficult to set up with a 'lil bit of knowledge & testing. They can be made as dynamic as you would like. Adding a few hosts won't hurt. It's just not efficient for filtering; it's a way crude solution (like the Russians using a welded iron bar and screw for a hammer at Chernobyl).

Where you would block 20 IPs for counters/ads I would just do
Code:

/*.*/((digi|fast|fp|hit|nph|smart|www)[._-]?)?count(er|web)?[0-9]*(\.[a-z]*)?(/|\?)
or
Code:

/*.*/adv((er)?ts?|ertis(ing|ements?))?/
.
See what I mean?

LionKing 07-01-2001 03:37 PM

Hi UnSpawn, sorry if you felt I misunderstood you, but your 'code' seems way above me. Could you explain what you mean by "10.0.0.2-->10.0.0.1--------->Net
Netscape-->junkbuster:8080-->Whatever" ?
Do you mean just add junk ad servers to the local hosts file and have them point to localhost, so requests to those servers would actually never reach the real server, therefore effectively blocking them? I am not sure how junkbuster.com works, but I'd try to avoid using an external proxy server.

And how does your 2nd row of code work, and where, or in which file, do I put the code?

/*.*/((digi|fast|fp|hit|nph|smart|www)[._-]?)?count(er|web)?[0-9]*(\.[a-z]*)?(/|\?)

Well, I have another machine which is not on cable, which does not have any type of firewall running; would you be interested in testing to see if you can penetrate it or not? The IP is: 216.36.126.92

raz 07-02-2001 04:43 AM

UnSpawn, you're correct, I did misunderstand what you were getting at, but you also misunderstood what we meant in the reply, i.e. you are welcome to have a look as "you" could add some constructive value. :p

Anyway,
I've given up on blocking ads as my connection is fast enough and they are always designing ways to get you to stop blocking them; for example, I stopped an ad server the other day and it decided this also meant I wasn't allowed to access the website.
"as in counter-blocking the blocker"

/Raz

unSpawn 07-02-2001 07:25 AM

Ok, the code lines are regular expression examples Junkbuster uses to show how versatile it is in comparison to the "rigid" approach of blocking IPs.

The first line you mention in your last reply was to show you could run Junkbuster in a central position (f.i. on a gw), increasing efficiency by having all filter rules in one place.

The second thing, /etc/hosts, is a solution similar to ipchains filtering; it isn't a fine-grained approach, I'd say.

If you're interested in setting up Junkbuster for a trial I'll answer any questions you have; it shouldn't be in the sec. forum then, though, but in networking/general.

I'll take pen-testing your Rockstone RH(7.1?) Apache/DAV/SSL/PERL/PHP into consideration.
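To make concrete what unSpawn's two regex lines match that an IP-based rule cannot express, here is an added example (not code from the thread, and not Junkbuster itself): it feeds the two patterns exactly as posted to grep -E and classifies a handful of constructed request paths. The sample paths are made up for the demonstration and are not taken from any real site; a proxy such as Junkbuster would apply its blocklist to the URL of each request in the same way, before fetching anything, regardless of which address the ad host resolves to that minute.

```shell
#!/bin/sh
# Added example (not from the thread or from Junkbuster): apply the two
# blocklist regular expressions posted above to request paths with grep -E.

# The two patterns exactly as posted in the thread.
COUNTER_RE='/*.*/((digi|fast|fp|hit|nph|smart|www)[._-]?)?count(er|web)?[0-9]*(\.[a-z]*)?(/|\?)'
ADVERT_RE='/*.*/adv((er)?ts?|ertis(ing|ements?))?/'

# Exit status 0 if the given URL path matches either pattern, 1 otherwise.
is_blocked() {
    printf '%s\n' "$1" | grep -Eq -e "$COUNTER_RE" -e "$ADVERT_RE"
}

# Read one path per line on stdin and label each as BLOCK or PASS.
classify() {
    while IFS= read -r path; do
        if is_blocked "$path"; then
            printf 'BLOCK %s\n' "$path"
        else
            printf 'PASS  %s\n' "$path"
        fi
    done
}

# Constructed sample paths (not from any real site). Note the two PASS
# cases near the end: the counter pattern requires a "/" or "?" after the
# name, so "counter.gif" at the end of a path is not matched, and "adv"
# must be followed by one of the advert spellings and a "/", so
# "/advanced/" is left alone.
SAMPLE_PATHS='/cgi-bin/counter.cgi?id=5
/stats/hitcount3/
/adverts/banner.gif
/advertising/468x60.gif
/images/counter.gif
/advanced/search
/news/index.html'

printf '%s\n' "$SAMPLE_PATHS" | classify
```

Four of the seven sample paths are blocked. The two near-misses are worth keeping in a test set whenever a pattern is edited, because a small change such as dropping the trailing `(/|\?)` would silently widen the rule to ordinary files whose names happen to contain "count".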

#! 07-02-2001 09:47 AM

you could also set up Apache with mod_rewrite, and make rewrite rules to redirect incoming banner ads to an image on your local machine. This is not IP dependent, which is nice, though you can use an IP if you want. You can use a regex to identify the domain name where the banner comes from, and any space on the webpage normally taken up by the banner will now contain your local image, which saves a ton of bandwidth and is prettier than broken image files.

At that point, you would then point everyone on your network to use Apache as a proxy. I used to do this when I shared a 56k connection and it was awesome.

LionKing 07-02-2001 10:47 AM

Ok, thanks for the explanation and offer of help, UnSpawn. At this moment I am happy with what I have, the ipchains-based firewall, unless someone can prove to me it is inefficient or penetrable. So, I probably won't try junkbuster for a while.

Yes, I confirm 216.36.126.92 is a Redhat 7.1; it has Apache running, but pretty much a default installation, with some updates installed. It is not a honeypot. :D No IDS or any monitoring thing, but I might try to install something on it in the next few days. Currently it is sitting there idle.
