Message-ID: <3643AE14.22C49D7C@globalserve.net>
Date: Fri, 06 Nov 1998 21:19:00 -0500
From: Geoffrey Robinson
To: Hallam Oaks
CC: security@FreeBSD.ORG
Subject: Re: hmmmm ... Doubleclick
References: <199811070924.UAA01040@mail.aussie.org>

Hallam Oaks wrote:
>
> Now I wonder why Doubleclick would do this ...
>
> Just a few minutes ago I visited a site which had a doubleclick ad on it,
> and my IPFW monitoring tool almost immediately started chirping at me. A
> quick look showed that two separate IP addresses had attempted to make TCP
> connections to port 53 (DNS) of the machine that hosts my proxy. That IP
> address does NOT host any DNS server.
>
> The two IP addresses in question were 209.67.38.88 and 199.95.207.220, both
> of which resolve to Doubleclick (nygda1 and exgd1a.doubleclick.net).
>
> Now, I'm not suggesting that doubleclick are doing anything they shouldn't
> here, but I'm still curious as to why they would attempt to make a TCP
> connection to a non-existent DNS server, based purely on the IP address of
> someone who's viewed one of their ads (it was at the Dilbert zone BTW).
>
> Anyone seen this before?

Doubleclick can target banner ads by things like country, state, etc. The
only way they can do this is by maintaining a database of known ISP domains
and the counties and states that the ISP services (for local dialup users).
If you hit an ad and your hostname is not in the Doubleclick database, their
system will try to poll name servers and InterNIC to try and guess where you
are. I don't know if that's what it was, but it seems most likely.

- Geoff