Date:      Fri, 06 Nov 1998 21:19:00 -0500
From:      Geoffrey Robinson <geoffr@globalserve.net>
To:        Hallam Oaks <mlnn4@oaks.com.au>
Cc:        security@FreeBSD.ORG
Subject:   Re: hmmmm ... Doubleclick
Message-ID:  <3643AE14.22C49D7C@globalserve.net>
References:  <199811070924.UAA01040@mail.aussie.org>

Hallam Oaks wrote:
> 
> Now I wonder why Doubleclick would do this ...
> 
> Just a few minutes ago I visited a site which had a doubleclick ad on it,
> and my IPFW monitoring tool almost immediately started chirping at me. A
> quick look showed that two separate IP addresses had attempted to make TCP
> connections to port 53 (DNS) of the machine that hosts my proxy. That IP
> address does NOT host any DNS server.
> 
> The two IP addresses in question were 209.67.38.88 and 199.95.207.220, both
> of which resolve to Doubleclick (nygda1 and exgd1a.doubleclick.net).
> 
> Now, I'm not suggesting that doubleclick are doing anything they shouldn't
> here, but I'm still curious as to why they would attempt to make a TCP
> connection to a non-existent DNS server, based purely on the IP address of
> someone who's viewed one of their ads (it was at the Dilbert zone BTW).
> 
> Anyone seen this before ?

Doubleclick can target banner ads by things like country, state, etc. The
only way they can do this is by maintaining a database of known ISP domains
and the counties and states that the ISP services (for local dialup users).
If you hit an ad and your hostname is not in the Doubleclick database their
system will try to poll name servers and Internic to try and guess where
you are. I don't know if that's what it was but it seems most likely.

- Geoff
