Howdy all,
Sorry I've been so quiet as of late. Been wrapped up in a number of side
projects.
I've had a number of people/clients querying me as to what they can do
about DoubleClick ads as well as information that is submitted to them
by different sites on the wire. Thought I would post the results here
for anyone who is interested. If you are not sure what I'm talking
about, let me digress for a moment.
Here's a great test. Try the following:
go to http://www.altavista.com
enter in some search parameters
sniff your workstation's connection
Hit the "Search" button
What you will see is pretty interesting. Your search parameters will be
submitted back to AltaVista. You will also see a unique connection get
generated to http://ad.doubleclick.net/ and your search parameters will
be submitted there as well. The full log entry will look something like
this:
[Sat Dec 18 23:36:04 1999]
http://ad.doubleclick.net/adi/altivista.digital.com/result_front;kw=your+search+words;cat=stext;ord=1834078127
So AltaVista is forcing your browser to connect to DoubleClick and let
them know what you are searching for. Kind of "Big Brother" if you ask
me. Also, what's this "ord" field appended to the end??? Hummm...
I received a great post from an individual who has done some wonderful
work in this area. I will keep the poster anonymous unless they ask me
to post their name. A clip from their e-mail is as follows:
>In fact, the ord= value includes the altavista's cookie. Using my
>running junkbuster proxy, I asked to search for "doubleclick bait" and
>altavista issued me this cookie:
>
>www.altavista.com AV_UID=48a3; expires=Friday, 31-Dec-99 12:00:00 GMT; path=/;
>domain=.altavista.com;
>
>and the reply page included two image/link pairs pointing to:
>
>http://ad.doubleclick.net/ad/altavista.digital.com/result_front;kw=doubleclick+bait;ord=1397269248
>
>Now, if you convert 1397269248 to hex, you get:
>
>% perl -e 'printf "%x\n", 1397269248;'
>5348a300
>
>which includes the substring 48a3 from the AltaVista cookie. This
>isn't a coincidence, since I have verified the same pattern several
>times in the past. Although recent IDs have been short (as in
>"48a3"), older ones were longer and adopted some minimal
>byte-rearranging, perhaps in the hope that no-one would notice.
This is just one example. The poster included many others. Suffice to
say that it appears the "ord" value and your AltaVista cookie are
related.
So what good does this do DoubleClick? Check this link:
http://mail.altavista.com/
If you get e-mail through AltaVista they now have lots of info to
associate with your cookie ID. I'm _not_ saying they do anything with
the info, just that it's available. AV offers a number of other services
you can "register" for as well. ;)
You may also want to have a look see at:
http://doc.altavista.com/legal/privacy.shtml
which is AV's privacy statement. Note that there is no mention of
forwarding your search and cookie info to DoubleClick. In fact, the
first line item is pretty funny: "We pledge that AltaVista will not use
information about you without your permission.". ;)
I know I sound like I'm picking on AltaVista, but in fact there are many
other sites that do exactly the same thing. The above is only an
example.
So what to do about it?
The first reaction is to simply block all access to DoubleClick's
network. This will prevent your internal systems from being able to
connect to DoubleClick's servers and forward the above mentioned info.
Of course the problem here is that many modern browsers (IE 5 for
example) break when you do this, displaying a page stating that the
destination site could not be reached. This results in users complaining
whenever they cannot access a site which redirects traffic to
DoubleClick.
I found a slick way to get around this problem. On your internal DNS,
simply set up an authoritative record for the doubleclick.net domain.
Then add a single "A" record that points "ad.doubleclick.net" at a local
Web server.
The results are pretty cool. Local users receiving the above redirection
will be sent to this Web server. No more info getting forwarded to
DoubleClick. The bonus is that the clients are unable to pull down ads,
thus resulting in reduced bandwidth utilization on your Internet link.
It's amazing how much faster the Dilbert homepage downloads when you
filter out all the ads. ;)
I've even rolled this out at an ISP with no problems in connectivity.
The only "issue" is if your organization really wants to be able to
communicate with DoubleClick. If so, the above fix will break that
connection.
Hope people find this helpful,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
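
Added example, not part of the original post and not code from its author: a Python check that repeats the quoted ord-to-hex comparison over proxy log entries, so you can see which ad requests carry search keywords and a value derived from a site cookie. It assumes one "[timestamp] URL" entry per line and cookie values taken from your own proxy; the sample log and cookie dictionary are constructed from the values quoted in the post, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample input, built from the log entry and cookie quoted in the post.
# Assumption: the proxy writes one "[timestamp] URL" entry per line.
SAMPLE_LOG = """\
[Sat Dec 18 23:36:04 1999] http://ad.doubleclick.net/ad/altavista.digital.com/result_front;kw=doubleclick+bait;ord=1397269248
[Sat Dec 18 23:36:09 1999] http://ad.doubleclick.net/adi/altavista.digital.com/result_front;kw=your+search+words;cat=stext;ord=1834078127
[Sat Dec 18 23:36:15 1999] http://www.example.com/index.html
"""
SAMPLE_COOKIES = {"AV_UID": "48a3"}  # value from the quoted cookie line

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<url>\S+)$")

def parse_ad_request(url, ad_host="ad.doubleclick.net"):
    """Return the ';key=value' path parameters of an ad request, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != ad_host:
        return None
    segments = parts.path.split(";")[1:]  # parameters follow the ad slot path
    return dict(s.split("=", 1) for s in segments if "=" in s)

def audit(log_text, cookies):
    """List ad requests with decoded keywords and any cookie value found in ord."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        params = parse_ad_request(m.group("url")) if m else None
        if not params:
            continue
        ord_raw = params.get("ord", "")
        # Same conversion as the perl one-liner: decimal ord value to hex.
        ord_hex = format(int(ord_raw), "x") if ord_raw.isdigit() else ""
        matches = sorted(name for name, value in cookies.items()
                         if value and value.lower() in ord_hex)
        findings.append({
            "time": m.group("ts"),
            "keywords": unquote_plus(params.get("kw", "")),
            "ord_hex": ord_hex,
            "cookie_match": matches,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_COOKIES):
        print(finding)
```

A four-digit cookie value can turn up inside an eight-digit hex string by chance, so treat a single hit as a lead and look for the pattern repeating across requests. Only the plain substring form is checked; the rearranged older IDs mentioned in the quoted e-mail are not covered.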