Traffic Log-Legitimate Traffic or Data Mining???

August 8, 2004 9:36:49 PM

Archived from groups: alt.computer.security,comp.security.firewalls

My question comes about because my Netgear router had to be exchanged for a
new unit. I was using Sygate Personal Firewall (Free) at the time, and was
receiving daily reports of others trying to scan my ports. So I downloaded
Sygate Personal Firewall Pro to enhance protection while I was without a
hardware firewall.

I quickly became interested in the Traffic Log, after learning of the
different logs (security, packet, system and traffic) that the application
offered. And I began paying careful attention to it, clearing it often
before conducting any web activities so I could see what was happening.

I now know that every time I try to download a page from a Yahoo website with
a particular IP address (i.e. 216.109.126.22 for My Yahoo), in less than a
thousand milliseconds my computer tries to send TCP data packets to
us.a1.yimg.com (206.18.104.200), us.i1.yimg.com (12.129.72.136), and
us.news1.yimg.com (12.129.72.144). I've blocked these from going out, and
nearly all other traffic as well, establishing very narrow ranges of safe IP
addresses my software firewall will permit communication with. And that's
the tip of the iceberg. If I try to download the comic from www.dilbert.com
(65.114.4.69), my computer tries to send data packets to
adsremote.scripps.com (204.78.38.15). The list goes on and on and on; these
are just a few examples.

Now that I'm blocking these 'extraneous' data packets from being sent, the
web pages I want to see take 30 seconds to 5 minutes to download, instead of
the usual couple seconds. But they do download eventually. Which tells me
that the data packets being sent out without my permission to other IP
addresses aren't necessary for me to see the web pages I want. Call it
paranoia, but I can only suspect that the data packets I'm blocking contain
personal data such as my browsing habits going to marketing firms and the
like. I completely erased all of the cookies I had, but this had no effect
at all. Which isn't surprising, since the same kind of behavior (unwanted
data packets going to odd IP addresses) occurs even when I visit a new
website for the first time.

So as I said, I've configured Sygate Personal Firewall with a very narrow
set of IP addresses that information can be sent or received from. I build
up the set of "good IP's" each time I try connecting to a website by looking
at the traffic log, seeing the IP that was blocked when I tried to connect
to a desired website, and then including that IP into the allowed range of
good IPs. And I'm steering clear of sites that want data packets sent to
various alternative IPs when I try to download a webpage, looking for
alternative sites for reading news and other activities.

So the key question I have is this: is there a legitimate reason why my
computer should be sending a data packet to adsremote.scripps.com
(204.78.38.15) when I try to read the daily Dilbert comic (65.114.4.69)?
Other than the initial request from my browser to download the .html file(s)
from a website, why should my browser be sending anything to anywhere else?
I'm not a programmer or networking specialist, but I would sincerely like to
know what's in those data packets I'm blocking from leaving my computer. For
the moment I'm just building my rules of which IPs are "safe" for my
computer to communicate with, so I can visit an increasing number of
websites. But I see no reason why I should be supplying any group or
business with any data from my computer when it's obviously not necessary
for the webpage I want to download to my computer. It may be extremely
inconvenient waiting five minutes for a webpage to download, but if somebody
wants information from me they should tell me, and possibly be paying me for
it. I realize that they are providing me a service when I download a webpage
from them. But as I said, I am steering away from those websites to
alternatives that aren't mining my computer for information.

Are my assumptions in this totally wrong? Or am I right in assuming there is
no legitimate reason why I should be sending data packets anywhere other
than the IP address from which I requested the web page?
Anonymous
August 8, 2004 11:09:20 PM

Web sites do use browser redirects where you are viewing the context of a
Web page while the browser is being redirected to another Website for
uploading or downloading of information to or from your machine.

That's everyday life of surfing the Internet. Am I going to worry about
trying to stop everything leaving my machines? The answer is no.

I use the HOSTS file as a prevention measure that helps stop the browser
redirects as much as possible and go on about my business and use Ad-aware
on a routine basis.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html

I also do some security configuration of the browser as well.

Duane :) 
Anonymous
August 8, 2004 11:14:14 PM

"Jeff" <jeff@nospam.net> wrote in
news:QwtRc.250317$JR4.100228@attbi_s54:

> So the key question I have is this: is there a legitimate reason why
> my computer should be sending a data packet to adsremote.scripps.com
> (204.78.38.15) when I try to read the daily Dilbert comic
> (65.114.4.69)? Other than the initial request from my browser to
> download the .html file(s) from a website, why should my browser be
> sending anything to anywhere else?
>

Most freely accessible websites run some form of advertisement/banner
service. I guess you will have to live with it. This ad service is
either run by themselves, or by specialised 3rd party companies.

( you'd be amazed where CNN,FoxNews,CBS & al take you to stuff you with
ads!)

This is part of the sourcecode of www.dilbert.com:


<script language="JavaScript1.1"
src="http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUP...
ePos=1">
</script>


A simple dig reveals that www.dilbert.com is actually located at
umns1.unitedmedia.com, and that the DNS-servers are ...
ns1/2.scripps.com, belonging to the same domain as adsremote.


C:\dig>dig www.dilbert.com
;; QUESTION SECTION:
;www.dilbert.com. IN A

;; ANSWER SECTION:
www.dilbert.com. 3263 IN A 65.114.4.69

;; AUTHORITY SECTION:
dilbert.com. 3263 IN NS umns1.unitedmedia.com.
dilbert.com. 3263 IN NS ns1.scripps.com.
dilbert.com. 3263 IN NS ns2.scripps.com.

;; ADDITIONAL SECTION:
umns1.unitedmedia.com. 45917 IN A 65.114.4.10
ns1.scripps.com. 45917 IN A 204.78.32.10
ns2.scripps.com. 45917 IN A 209.215.174.32


Frankly, what you are trying to achieve is a waste of time.
It is perfectly normal/legal that a web page contains links to other
domains, after all that's what the World Wide Web is all about!

It is unfeasible to sift through each and every URL any given webpage may
contain. If you're concerned about your privacy, then use some anonymizer
service.

Finally, if you're really concerned about security, then ditch IE & OE
*now*. Even if you installed the latest patches, it will only be a matter
of time before the next security hole will surface.


--
Dirk.
No trees were killed in the creation of this message;
however, many electrons were terribly inconvenienced.
http://users.pandora.be/dirk.claessens2
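The script tag Dirk quotes is the whole mechanism behind the "extra" packets: a browser fetches every src it finds in the page, so the hosts in those attributes are the hosts that show up in the traffic log. The following is an added example, not code from this thread or from any poster: it parses a constructed HTML page and lists the hosts outside the page's own site that a browser would contact automatically. The sample HTML and its paths are constructed; only the host names echo the thread.

```python
"""List the third-party hosts a browser would contact when rendering a page.

Added example. SAMPLE_HTML is constructed; the adsremote.scripps.com host
comes from the thread, the other paths and hosts are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a browser fetch a resource on its own.
# A plain <a href> is NOT listed: it causes no request until clicked.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collect every URL the page tells the browser to fetch automatically."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for wanted in FETCH_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)


def site_key(host):
    """Crude 'same site' key: the last two labels (dilbert.com, scripps.com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def third_party_hosts(page_url, html):
    """Return the sorted hosts outside the page's own site that get fetched."""
    page_host = urlparse(page_url).hostname or ""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs like /css/x.css
        if host and site_key(host) != site_key(page_host):
            hosts.add(host.lower())
    return sorted(hosts)


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<script language="JavaScript1.1"
 src="http://adsremote.scripps.com/js.ng/site=DLBT"></script>
<img src="http://images.dilbert.com/comics/today.gif">
<img src="http://counter.example.net/hit.gif" width="1" height="1">
<a href="http://www.unitedmedia.com/">United Media</a>
</body></html>"""

if __name__ == "__main__":
    print(third_party_hosts("http://www.dilbert.com/comics/dilbert/", SAMPLE_HTML))
```

The 1x1 image is the classic tracking-pixel shape: it carries no content the reader sees, but the request for it (with any cookie for that host) is what the log records.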
August 9, 2004 12:29:22 AM

I already use Avant browser. I disable Active X and Flash animations, but I
still typically allow scripts to run and applets. Ad Blocker and Popup
Stopper are also running. But if the packets being sent from my computer
are the result of browser redirects, why doesn't my traffic log show an
incoming packet from either the original IP I wanted, or from the IP of the
redirect? Maybe I don't understand the exact nature of the traffic log.
When I tried to work with the Packet Log, it usually hung up and I would
have to use the Task Manager to terminate it. The packet log just
accumulated too much data too quickly, and the Sygate app wasn't very good
at re-sorting the log so that you could investigate it by reorganizing the
list by remote host or some other parameter you wanted to sort by. I reset
the Packet Log size limit to a much smaller value of perhaps 512 kB, but
haven't tried opening it since. Maybe I should watch it at the same time as
the Traffic Log.

How would an Anonymizer protect the information they are capturing? I can
always go through an anonymous proxy - I have a list and a utility for
switching between my direct connection and any of the anonymous public
proxies I pick up IPs for. But that doesn't change the fact that the
packets are coming from my computer, even if they don't have my IP. There
may still be personal information in the data packet, even though it's not
coming from my IP anymore. I'd feel better if I could intercept this
information and see what was contained there. But that is beyond my realm of
knowledge at this time.

And I don't understand exactly how a HOSTS file will protect me from this.
I can sift through my HOSTS file, but I doubt it contains any of the URLs
I'm trying to avoid sending packets to. The Avant browser already has a
rather comprehensive Ad and popup blacklist, which is updated with each
revision of the browser. The last build just came out about two weeks ago.

So as I say, without knowing what's in those packets trying to be sent from
my computer, I'm going to keep blocking them from leaving. My question
remains the same - is this legitimate traffic going from my computer, or are
they data mining my computer without telling me? The traffic log gives the
domain names as well as the IPs of the remote hosts, and some of them have
been pretty wacky.

Thanks for your time.



"Dirk Claessens" <will.bounce@invalid> wrote in message
news:Xns953FD80977885FlyingCircus@195.130.132.70...
> "Jeff" <jeff@nospam.net> wrote in
> news:QwtRc.250317$JR4.100228@attbi_s54:
>
> > So the key question I have is this: is there a legitimate reason why
> > my computer should be sending a data packet to adsremote.scripps.com
> > (204.78.38.15) when I try to read the daily Dilbert comic
> > (65.114.4.69)? Other than the initial request from my browser to
> > download the .html file(s) from a website, why should my browser be
> > sending anything to anywhere else?
> >
>
> Most freely accessible websites run some form of advertisement/banner
> service. I guess you will have to live with it. This ad service is
> either run by themselves, or by specialised 3rd party companies.
>
> ( you'd be amazed where CNN,FoxNews,CBS & al take you to stuff you with
> ads!)
>
> This is part of the sourcecode of www.dilbert.com:
>
>
> <script language="JavaScript1.1"
> src="http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUP...
> ePos=1">
> </script>
>
>
> A simple dig reveals that www.dilbert.com is actually located at
> umns1.unitedmedia.com, and that the DNS-servers are ...
> ns1/2.scripps.com, belonging to the same domain as adsremote.
>
>
> C:\dig>dig www.dilbert.com
> ;; QUESTION SECTION:
> ;www.dilbert.com. IN A
>
> ;; ANSWER SECTION:
> www.dilbert.com. 3263 IN A 65.114.4.69
>
> ;; AUTHORITY SECTION:
> dilbert.com. 3263 IN NS umns1.unitedmedia.com.
> dilbert.com. 3263 IN NS ns1.scripps.com.
> dilbert.com. 3263 IN NS ns2.scripps.com.
>
> ;; ADDITIONAL SECTION:
> umns1.unitedmedia.com. 45917 IN A 65.114.4.10
> ns1.scripps.com. 45917 IN A 204.78.32.10
> ns2.scripps.com. 45917 IN A 209.215.174.32
>
>
> Frankly, what you are trying to achieve is a waste of time.
> It is perfectly normal/legal that a web page contains links to other
> domains, after all that's what the World Wide Web is all about!
>
> It is unfeasible to sift through each and every URL any given webpage may
> contain. If you're concerned about your privacy, then use some anonymizer
> service.
>
> Finally, if you're really concerned about security, then ditch IE & OE
> *now*. Even if you installed the latest patches, it will only be a matter
> of time before the next security hole will surface.
>
>
> --
> Dirk.
> No trees were killed in the creation of this message;
> however, many electrons were terribly inconvenienced.
> http://users.pandora.be/dirk.claessens2
Anonymous
August 9, 2004 12:56:15 AM

You're sitting there with a Netgear router that has logging and you're
using Sygate?

May I suggest that you use Kiwi Syslog Daemon and dump the daily logs
into a database like MS Access through ODBC and you can run Access
reports and get a better picture as to what the router is seeing for
inbound and outbound traffic to/from the router.

There are Websites that have Host file updates and you yourself can add a
Domain Name to the Host file using 127.0.0.1 the Loopback IP.

Not only does the Host file with a Domain Name pointing to the Loopback
IP stop the browser from being redirected, but it will also stop malware
that doesn't need the browser (running as a background process) from
making contact with a site when the malware using a URL in program code
tries to do a DNS lookup to resolve the IP. If the Host file is in play,
then the O/S goes to the Host file to resolve it which has the Loopback
IP instead of going to the ISP to resolve the URL to IP and making
contact with the site.

Duane :) 
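Duane's description of resolution order (HOSTS file first, ISP resolver second) answers Jeff's earlier question about how a HOSTS entry can protect him. The following added example, not code from this thread or any poster, simulates that order with a constructed HOSTS file and a constructed stand-in for the resolver; it also shows the caveat a HOSTS blocklist has: a program that connects to a literal IP address never performs a lookup, so the HOSTS file never sees it.

```python
"""Simulate how a HOSTS file short-circuits name resolution.

Added example. SAMPLE_HOSTS and FAKE_DNS are constructed; the dilbert and
scripps addresses are the ones quoted in the thread, the tribalfusion
address is a made-up TEST-NET value.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed HOSTS file with mvps-style blackhole entries
127.0.0.1 localhost
127.0.0.1 adsremote.scripps.com
127.0.0.1 a.tribalfusion.com   # trailing comment is ignored
"""

# Stand-in for the ISP's resolver: a static, constructed table.
FAKE_DNS = {
    "www.dilbert.com": "65.114.4.69",
    "adsremote.scripps.com": "204.78.38.15",
    "a.tribalfusion.com": "192.0.2.10",
}


def parse_hosts(text):
    """Map each name in a HOSTS file to its address; the first entry wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(target, hosts_table):
    """Return (address, source) the OS would use for `target`.

    Order mirrors the thread: HOSTS file first, then the resolver. A literal
    IP needs no lookup at all, so neither HOSTS nor DNS can intercept it.
    """
    try:
        ipaddress.ip_address(target)
        return target, "literal"
    except ValueError:
        pass
    name = target.lower().rstrip(".")
    if name in hosts_table:
        return hosts_table[name], "hosts"
    if name in FAKE_DNS:
        return FAKE_DNS[name], "dns"
    return None, "nxdomain"


def blackholed(targets, hosts_table):
    """Targets whose resolution lands on a loopback address, i.e. go nowhere."""
    result = []
    for target in targets:
        address, _ = resolve(target, hosts_table)
        if address and ipaddress.ip_address(address).is_loopback:
            result.append(target)
    return result
```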
August 9, 2004 1:03:23 AM

In article <QwtRc.250317$JR4.100228@attbi_s54>, jeff@nospam.net says...
> My question comes about because my Netgear router had to be exchanged for a
> new unit. I was using Sygate Personal Firewall (Free) at the time, and was
> receiving daily reports of others trying to scan my ports. So I downloaded
> Sygate Personal Firewall Pro to enhance protection while I was without a
> hardware firewall.
>
> I quickly became interested in the Traffic Log, after learning of the
> different logs (security, packet, system and traffic) that the application
> offered. And I began paying careful attention to it, clearing it often
> before conducting any web activities so I could see what was happening.
>
> I now know that every time I try to download a page from a Yahoo website with
> a particular IP address (i.e. 216.109.126.22 for My Yahoo), in less than a
> thousand milliseconds my computer tries to send TCP data packets to
> us.a1.yimg.com (206.18.104.200), us.i1.yimg.com (12.129.72.136), and
> us.news1.yimg.com (12.129.72.144). I've blocked these from going out, and
> nearly all other traffic as well, establishing very narrow ranges of safe IP
> addresses my software firewall will permit communication with. And that's
> the tip of the iceberg. If I try to download the comic from www.dilbert.com
> (65.114.4.69), my computer tries to send data packets to
> adsremote.scripps.com (204.78.38.15). The list goes on and on and on; these
> are just a few examples.
>
> Now that I'm blocking these 'extraneous' data packets from being sent, the
> web pages I want to see take 30 seconds to 5 minutes to download, instead of
> the usual couple seconds. But they do download eventually. Which tells me
> that the data packets being sent out without my permission to other IP
> addresses aren't necessary for me to see the web pages I want. Call it
> paranoia, but I can only suspect that the data packets I'm blocking contain
> personal data such as my browsing habits going to marketing firms and the
> like. I completely erased all of the cookies I had, but this had no effect
> at all. Which isn't surprising, since the same kind of behavior (unwanted
> data packets going to odd IP addresses) occurs even when I visit a new
> website for the first time.
>
> So as I said, I've configured Sygate Personal Firewall with a very narrow
> set of IP addresses that information can be sent or received from. I build
> up the set of "good IP's" each time I try connecting to a website by looking
> at the traffic log, seeing the IP that was blocked when I tried to connect
> to a desired website, and then including that IP into the allowed range of
> good IPs. And I'm steering clear of sites that want data packets sent to
> various alternative IPs when I try to download a webpage, looking for
> alternative sites for reading news and other activities.
>
> So the key question I have is this: is there a legitimate reason why my
> computer should be sending a data packet to adsremote.scripps.com
> (204.78.38.15) when I try to read the daily Dilbert comic (65.114.4.69)?
> Other than the initial request from my browser to download the .html file(s)
> from a website, why should my browser be sending anything to anywhere else?
> I'm not a programmer or networking specialist, but I would sincerely like to
> know what's in those data packets I'm blocking from leaving my computer. For
> the moment I'm just building my rules of which IPs are "safe" for my
> computer to communicate with, so I can visit an increasing number of
> websites. But I see no reason why I should be supplying any group or
> business with any data from my computer when it's obviously not necessary
> for the webpage I want to download to my computer. It may be extremely
> inconvenient waiting five minutes for a webpage to download, but if somebody
> wants information from me they should tell me, and possibly be paying me for
> it. I realize that they are providing me a service when I download a webpage
> from them. But as I said, I am steering away from those websites to
> alternatives that aren't mining my computer for information.
>
> Are my assumptions in this totally wrong? Or am I right in assuming there is
> no legitimate reason why I should be sending data packets anywhere other
> than the IP address from which I requested the web page?
>
>
>
I don't think you need to worry about these redirects (if that's what
they are). Many web pages that have advertising use this as a source
for the ads. Also, much of the free software that has advertising
uses this. When using the free Opera browser for example, you will find:

cdn1.adsdk.com
opera1-servedby.advertising.com
ins1.opera.com
ins2.opera.com
tribalfusion.com
a.tribalfusion.com
pagead-us.googlesyndication.com

Sygate logging is excellent. Without it, you really don't know
what's going on with the in/out of your computer. I look at the
traffic log daily.
Anonymous
August 9, 2004 7:30:53 AM

"Jeff" <jeff@nospam.net> wrote in
news:A6BRc.252725$JR4.130507@attbi_s54:

> I d/l all the Kiwi software, daemon, logger, MIB, viewer. I followed
> the setup instructions on the Kiwi site for other Netgear routers
> since my own wasn't listed. Then I found out that my Netgear router
> MR814 v2 won't generate security logs. The only log files it
> generates are attempts to visit blocked sites.
>
>

The next router you purchase you should make sure it can do logging.

Duane :) 