Traffic Log-Legitimate Traffic or Data Mining???

Discussion in 'Computer Security' started by Jeff, Aug 8, 2004.

  1. Jeff

    Jeff Guest

    My question comes about because my Netgear router had to be exchanged for a
    new unit. I was using Sygate Personal Firewall (Free) at the time, and was
    receiving daily reports of others trying to scan my ports. So I downloaded
    Sygate Personal Firewall Pro to enhance protection while I was without a
    hardware firewall.

    I quickly became interested in the Traffic Log, after learning of the
    different logs (security, packet, system and traffic) that the application
    offered. And I began paying careful attention to it, clearing it often
    before conducting any web activities so I could see what was happening.

    I now know that every time I try to download a page from a Yahoo website with
    a particular IP address (i.e. 216.109.126.22 for My Yahoo), in less than a
    thousand milliseconds my computer tries to send TCP data packets to
    us.a1.yimg.com (206.18.104.200), us.i1.yimg.com (12.129.72.136), and
    us.news1.yimg.com (12.129.72.144). I've blocked these from going out, and
    nearly all other traffic as well, establishing very narrow ranges of safe IP
    addresses my software firewall will permit communication with. And that's
    the tip of the iceberg. If I try to download the comic from www.dilbert.com
    (65.114.4.69), my computer tries to send data packets to
    adsremote.scripps.com (204.78.38.15). The list goes on and on and on; these
    are just a few examples.

    Now that I'm blocking these 'extraneous' data packets from being sent, the
    web pages I want to see take 30 seconds to 5 minutes to download, instead of
    the usual couple seconds. But they do download eventually. Which tells me
    that the data packets being sent out without my permission to other IP
    addresses aren't necessary for me to see the web pages I want. Call it
    paranoia, but I can only suspect that the data packets I'm blocking contain
    personal data such as my browsing habits going to marketing firms and the
    like. I completely erased all of the cookies I had, but this had no effect
    at all. Which isn't surprising, since the same kind of behavior (unwanted
    data packets going to odd IP addresses) occurs even when I visit a new
    website for the first time.

    So as I said, I've configured Sygate Personal Firewall with a very narrow
    set of IP addresses that information can be sent or received from. I build
    up the set of "good IP's" each time I try connecting to a website by looking
    at the traffic log, seeing the IP that was blocked when I tried to connect
    to a desired website, and then including that IP into the allowed range of
    good IPs. And I'm steering clear of sites that want data packets sent to
    various alternative IPs when I try to download a webpage, looking for
    alternative sites for reading news and other activities.

    So the key question I have is this: is there a legitimate reason why my
    computer should be sending a data packet to adsremote.scripps.com
    (204.78.38.15) when I try to read the daily Dilbert comic (65.114.4.69)?
    Other than the initial request from my browser to download the .html file(s)
    from a website, why should my browser be sending anything to anywhere else?
    I'm not a programmer or networking specialist, but I would sincerely like to
    know what's in those datapackets I'm blocking from leaving my computer. For
    the moment I'm just building my rules of which IPs are "safe" for my
    computer to communicate with, so I can visit an increasing number of
    websites. But I see no reason why I should be supplying any group or
    business with any data from my computer when it's obviously not necessary
    for the webpage I want to download to my computer. It may be extremely
    inconvenient waiting five minutes for a webpage to download, but if somebody
    wants information from me they should tell me, and possibly be paying me for
    it. I realize that they are providing me a service when I download a webpage
    from them. But as I said, I am steering away from those websites to
    alternatives that aren't mining my computer for information.

    Are my assumptions in this totally wrong? Or am I right in assuming there is
    no legitimate reason why I should be sending data packets anywhere other
    than the IP address from which I requested the web page?
     
    Jeff, Aug 8, 2004
    #1

  2. Jeff

    Duane Arnold Guest

    Web sites do use browser redirects where you are viewing the context of a
    Web page while the browser is being redirected to another Website for
    uploading or downloading of information to or from your machine.

    That's everyday life of surfing the Internet. Am I going to worry about
    trying to stop everything leaving my machines, the answer is no.

    I use the HOST as a prevention measure that helps stop the browser
    redirects as much as possible and go on about my business and use Ad-aware
    on a routine basis.

    http://www.mvps.org/winhelp2002/hosts.htm
    http://www.snapfiles.com/get/hoststoggle.html

    I also do some security configuration of the browser as well.

    Duane :)
     
    Duane Arnold, Aug 8, 2004
    #2

  3. "Jeff" <> wrote in
    news:QwtRc.250317$JR4.100228@attbi_s54:

    > So the key question I have is this: is there a legitimate reason why
    > my computer should be sending a data packet to adsremote.scripps.com
    > (204.78.38.15) when I try to read the daily Dilbert comic
    > (65.114.4.69)? Other than the initial request from my browser to
    > download the .html file(s) from a website, why should my browser be
    > sending anything to anywhere else?
    >


    Most freely accessible websites run some form of advertisement/banner
    service. I guess you will have to live with it. This ad service may be
    either run by themselves, or by specialised 3rd party companies.

    ( you'd be amazed where CNN,FoxNews,CBS & al take you to stuff you with
    ads!)

    This is part of the sourcecode of www.dilbert.com:


    <script language="JavaScript1.1"
    src="http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUPERSTITIAL&PagePos=1">
    </script>


    A simple dig reveals that www.dilbert.com is actually located at
    umns1.unitedmedia.com, and that the DNS-servers are ...
    ns1/2.scripps.com, belonging to the same domain as adsremote.


    C:\dig>dig www.dilbert.com
    ;; QUESTION SECTION:
    ;www.dilbert.com. IN A

    ;; ANSWER SECTION:
    www.dilbert.com. 3263 IN A 65.114.4.69

    ;; AUTHORITY SECTION:
    dilbert.com. 3263 IN NS umns1.unitedmedia.com.
    dilbert.com. 3263 IN NS ns1.scripps.com.
    dilbert.com. 3263 IN NS ns2.scripps.com.

    ;; ADDITIONAL SECTION:
    umns1.unitedmedia.com. 45917 IN A 65.114.4.10
    ns1.scripps.com. 45917 IN A 204.78.32.10
    ns2.scripps.com. 45917 IN A 209.215.174.32


    Frankly, what you are trying to achieve is a waste of time.
    It is perfectly normal/legal that a web page contains links to other
    domains, after all that's what the World Wide Web is all about!

    It is unfeasible to sift through each and every URL any given webpage may
    contain. If you're concerned about your privacy, then use some anonymizer
    service.

    Finally, if you're really concerned about security, then ditch IE & OE
    *now*. Even if you installed the latest patches, it will only be a matter
    of time before the next security hole will surface.


    --
    Dirk.
    No trees were killed in the creation of this message;
    however, many electrons were terribly inconvenienced.
    http://users.pandora.be/dirk.claessens2
     
    Dirk Claessens, Aug 8, 2004
    #3
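What Dirk's excerpt shows, a page on one domain pulling a script from another, can be checked mechanically. The following is an added example (not from the thread or any project in it): it runs a constructed page, built around the adsremote.scripps.com script tag quoted above plus made-up first-party img/link tags, through Python's html.parser and lists which hosts the browser would contact without the user clicking anything, split into first-party and third-party. The last-two-labels "same site" rule is an assumption that only suits .com-style names.

```python
"""List the hosts a browser contacts while rendering a page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches automatically while rendering,
# i.e. traffic that shows up in a firewall log right after the page request.
AUTO_FETCH = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of every auto-fetched resource in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Relative URLs resolve against the embedding page.
                self.urls.append(urljoin(self.page_url, value))


def registrable_domain(host):
    """Crude same-site key: last two labels (dilbert.com, scripps.com).
    Assumption: fine for .com-style names; real code needs a suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def classify_resources(page_url, html):
    """Return {'first_party': [hosts], 'third_party': [hosts]} in page order."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_site = registrable_domain(urlsplit(page_url).hostname)
    result = {"first_party": [], "third_party": []}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        bucket = "first_party" if registrable_domain(host) == page_site else "third_party"
        if host not in result[bucket]:
            result[bucket].append(host)
    return result


# Constructed sample page: the script tag is the one quoted in the thread;
# the link and img tags are made up to show first-party resources.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script language="JavaScript1.1"
src="http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUPERSTITIAL&PagePos=1">
</script>
</head><body>
<img src="/comics/dilbert/archive/images/strip.gif">
<img src="http://images.dilbert.com/logo.gif">
</body></html>
"""

if __name__ == "__main__":
    report = classify_resources("http://www.dilbert.com/", SAMPLE_PAGE)
    for kind, hosts in report.items():
        print(kind, hosts)
```

Run against a saved copy of a real page, the third-party list is exactly the set of "extra" destinations a traffic log shows for that page.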
  4. Jeff

    Jeff Guest

    I already use Avant browser. I disable Active X and Flash animations, but I
    still typically allow scripts to run and applets. Ad Blocker and Popup
    Stopper are also running. But if the packets being sent from my computer
    are the result of browser redirects, why doesn't my traffic log show an
    incoming packet from either the original IP I wanted, or from the IP of the
    redirect? Maybe I don't understand the exact nature of the traffic log.
    When I tried to work with the Packet Log, it usually hung up and I would
    have to use the Task Manager to terminate it. The packet log just
    accumulated too much data too quickly, and the Sygate app wasn't very good
    at resorting the log so that you could investigate it by reorganizing the
    list by remote host or some other parameter you wanted to sort by. I reset
    the Packet Log size limit to a much smaller value of perhaps 512 kB, but
    haven't tried opening it since. Maybe I should watch it at the same time as
    the Traffic Log.

    How would an Anonymizer protect the information they are capturing? I can
    always go through an anonymous proxy - I have a list and a utility for
    switching between my direct connection and any of the anonymous public
    proxies I pick up IPs for. But that doesn't change the fact that the
    packets are coming from my computer, even if they don't have my IP. There
    may still be personal information in the data packet, even though it's not
    coming from my IP anymore. I'd feel better if I could intercept this
    information and see what was contained there. But that is beyond my realm of
    knowledge at this time.

    And I don't understand exactly how a HOSTS file will protect me from this.
    I can sift through my HOSTS file, but I doubt it contains any of the URLs
    I'm trying to avoid sending packets to. The Avant browser already has a
    rather comprehensive Ad and popup blacklist, which is updated with each
    revision of the browser. The last build just came out about two weeks ago.

    So as I say, without knowing what's in those packets trying to be sent from
    my computer, I'm going to keep blocking them from leaving. My question
    remains the same - is this legitimate traffic going from my computer, or are
    they data mining my computer without telling me? The traffic log gives the
    domain names as well as the IPs of the remote hosts, and some of them have
    been pretty wacky.

    Thanks for your time.



     
    Jeff, Aug 8, 2004
    #4
  5. Jeff

    Duane Arnold Guest

    You're sitting there with a Netgear router that has logging and you're
    using Sygate?

    May I suggest that you use Kiwi SysLog Daemon and dump the daily logs
    into a database like MS Access through ODBC and you can run Access
    reports and get a better picture as to what the router is seeing for
    inbound and outbound traffic to/from the router.

    There are Websites that have Host file updates and you yourself can add a
    Domain Name to the Host file using 127.0.0.1 the Loopback IP.

    Not only does the Host file with a Domain Name pointing to the Loopback
    IP stop the browser from being redirected, but it will also stop malware
    that doesn't need the browser (running as a background process) from
    making contact with a site when the malware using a URL in program code
    tries to do a DNS lookup to resolve the IP. If the Host file is in play,
    then the O/S goes to the Host file to resolve it which has the Loopback
    IP instead of going to the ISP to resolve the URL to IP and making
    contact with the site.

    Duane :)
     
    Duane Arnold, Aug 8, 2004
    #5
  6. Jeff

    Casey Guest

    I don't think you need to worry about these redirects (if that's what
    they are). Many web pages that have advertising use this as a source
    for the ads. Also, much of the free software that has advertising
    use this. When using free Opera browser for example, you will find:

    cdn1.adsdk.com
    opera1-servedby.advertising.com
    ins1.opera.com
    ins2.opera.com
    tribalfusion.com
    a.tribalfusion.com
    pagead-us.googlesyndication.com

    Sygate logging is excellent. Without it, you really don't know
    what's going on with the in/out of your computer. I look at the
    traffic log daily.
     
    Casey, Aug 8, 2004
    #6
  7. Duane Arnold wrote:

    > Not only does the Host file with an Domain Name pointing to the Loopback
    > IP stop the browser from being redirected, but it will also stop malware
    > that doesn't need the browser (running as a background process) from
    > making contact with a site when the malware using a URL in program code
    > tries to do a DNS lookup to resolve the IP.


    Pseudo-security by obscurity. Malware authors cannot be relied upon to use
    the DNS instead of hard-coded IP addresses.

    Thor

    --
    http://www.anta.net/
     
    Thor Kottelin, Aug 8, 2004
    #7
  8. Jeff

    Casey Guest

    Casey, Aug 8, 2004
    #8
  9. Jeff

    Duane Arnold Guest

    Thor Kottelin <> wrote in news::

    >
    >
    > Duane Arnold wrote:
    >
    >> Not only does the Host file with a Domain Name pointing to the
    >> Loopback IP stop the browser from being redirected, but it will also
    >> stop malware that doesn't need the browser (running as a background
    >> process) from making contact with a site when the malware using a URL
    >> in program code tries to do a DNS lookup to resolve the IP.

    >
    > Pseudo-security by obscurity. Malware authors cannot be relied upon to
    > use the DNS instead of hard-coded IP addresses.


    The more hard core programmer of course not, but I am a lazy programmer
    that will take the easy way out by just coding in the URL in code as do
    many I would suspect. I have done a little malware testing using IPsec
    and using its DNS rule feature to block access by the browser to a site
    along with it stopping the background process as well.

    I will say that I am not an authority in writing malware programs either.

    The Host is not a stop all ends all solution but it does help in a
    limited capacity from a home user stand point, IMHO.

    Duane :)
     
    Duane Arnold, Aug 8, 2004
    #9
  10. Jeff

    Jeff Guest

    I d/l all the Kiwi software, daemon, logger, MIB, viewer. I followed the
    setup instructions on the Kiwi site for other Netgear routers since my own
    wasn't listed. Then I found out that my Netgear router MR814 v2 won't
    generate security logs. The only log files it generates are attempts to
    visit blocked sites.


     
    Jeff, Aug 9, 2004
    #10
  11. Jeff

    Duane Arnold Guest

    "Jeff" <> wrote in
    news:A6BRc.252725$JR4.130507@attbi_s54:

    > I d/l all the Kiwi software, daemon, logger, MIB, viewer. I followed
    > the setup instructions on the Kiwi site for other Netgear routers
    > since my own wasn't listed. Then I found out that my Netgear router
    > MR814 v2 won't generate security logs. The only log files it
    > generates are attempts to visit blocked sites.
    >
    >


    The next router you purchase you should make sure it can do logging.

    Duane :)
     
    Duane Arnold, Aug 9, 2004
    #11
  12. Jeff

    Mike Guest

    09Aug2004
    Most web sites embed links to other web sites. This link describes what
    happens when you load a page.
    http://www.surferprotectionprogram.com/Proxy/DOCS/user_manual/user_manual.htm#qstart_whathappens
    (Note that you may have to concatenate the url listed above. It starts with
    "http" and ends with "whathappens".)

    The reason your pages are now taking so long is that you have stopped
    portions of the pages from loading. These portions must timeout before the
    page finishes loading. For the dilbert example, you need to allow the sites
    that begin with:

    http://adsremote.scripps.com/html.ng/
    and
    http://adsremote.scripps.com/js.ng/

    If you allow these URLs, they will load then tell the browser to go get a
    page from
    http://adfarm.mediaplex.com/ad/
    This page you want to block.

    It helps to have a tool that can show you all of the pages that load when
    you load www.dilbert.com. The http proxy from the manual above lets you use
    regular expressions to block sites and to permit sites. It turns out, there
    are just a handful of patterns required to efficiently block advertisers and
    fewer patterns that must be allowed. There is no standard, it just happens
    that everyone uses similar naming conventions. In dilbert, the /html.ng/
    pattern is permitted, but the /ad/ pattern is blocked. When using the http
    proxy, even though you permit the /html.ng/, the proxy strips several tags
    out of the outgoing http request - so your privacy is maintained.

    Two nice things about using an http proxy:
    1. all of your http tools can be directed to use it, not just your
    browser.
    2. once you start blocking advertisers, most of the pop-ups stop
    appearing.


     
    Mike, Aug 10, 2004
    #12
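Mike's ordered permit/block patterns, as an added example that is not the thread's own code nor that of the proxy in the manual he links: the rule list reproduces the dilbert case (permit /html.ng/ and /js.ng/ on adsremote.scripps.com, block the /ad/ pattern including adfarm.mediaplex.com), and a header filter drops Referer and Cookie from requests leaving for a different site, which is an assumption about which "tags" such a proxy strips. The sample request URLs and headers are constructed from the hosts named in the thread.

```python
"""Ordered URL rules plus header stripping for a filtering proxy (added example)."""
import re
from urllib.parse import urlsplit

# First matching pattern decides. Anything unmatched is allowed, so the page
# itself keeps loading instead of waiting for blocked pieces to time out.
RULES = [
    ("allow", re.compile(r"^http://adsremote\.scripps\.com/(html|js)\.ng/")),
    ("block", re.compile(r"^http://adfarm\.mediaplex\.com/ad/")),
    ("block", re.compile(r"/ad/")),  # the generic advertiser path pattern
]


def decide(url):
    """Return 'allow' or 'block' for one outgoing request URL."""
    for verdict, pattern in RULES:
        if pattern.search(url):
            return verdict
    return "allow"


def same_site(host_a, host_b):
    """Crude same-site test on the last two labels (assumption: .com-style names)."""
    def key(host):
        return ".".join(host.lower().split(".")[-2:])
    return key(host_a) == key(host_b)


# Headers that tell a third party where you came from and who you are.
# Assumption: these are the 'tags' the proxy strips from outgoing requests.
PRIVACY_HEADERS = {"referer", "cookie"}


def filter_headers(headers, page_url, target_url):
    """Drop privacy-sensitive headers when the request leaves the page's site."""
    page_host = urlsplit(page_url).hostname or ""
    target_host = urlsplit(target_url).hostname or ""
    if same_site(page_host, target_host):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in PRIVACY_HEADERS}


def process_request(page_url, target_url, headers):
    """Proxy decision for one request: ('block', None) or ('allow', headers)."""
    if decide(target_url) == "block":
        return ("block", None)
    return ("allow", filter_headers(headers, page_url, target_url))


# Constructed sample: requests a browser issues while loading the comic,
# modelled on the URLs named in the thread.
PAGE = "http://www.dilbert.com/"
SAMPLE_REQUESTS = [
    "http://www.dilbert.com/comics/dilbert/archive/",
    "http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUPERSTITIAL&PagePos=1",
    "http://adsremote.scripps.com/html.ng/site=DLBT",
    "http://adfarm.mediaplex.com/ad/js/example",
]
SAMPLE_HEADERS = {
    "Referer": "http://www.dilbert.com/",
    "Cookie": "session=constructed-value",
    "User-Agent": "ExampleBrowser/1.0",
}

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        verdict, hdrs = process_request(PAGE, url, SAMPLE_HEADERS)
        print(verdict, url, sorted(hdrs) if hdrs else "")
```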
