[Dshield] Proxy Guard

John Sage jsage at finchhaven.com
Tue Jan 21 02:28:55 GMT 2003


Anthony:

I decided to bring this up to the top: there's further background and
commentary, below..

Registrant:
 Danube Technologies, Inc.
 3600 15th Ave. W.
 Suite 100
 Seattle, WA 98119
 US
 206-709-8585 

Domain Name: PROXYGUARD.COM 

Administrative Contact:
 Szalvay, Laszlo info at danubetech.com
 3600 15th Ave. W.
 Suite 100
 Seattle, WA 98119
 US
 206-709-8585 

Technical Contact:
 Szalvay, Laszlo info at danubetech.com
 3600 15th Ave. W.
 Suite 100
 Seattle, WA 98119
 US
 206-709-8585


Laszlo Szalvay seems to be heavily involved with http proxy
detection/avoidance, possibly for adult content web sites, but
certainly for "pay-per-click (PPC) and pay-per-lead (PPL)" web sites.

See:

http://www.adultchamber.com/members/advice-bots.htm

Avoid Affiliate Fraud!
Seek Protection from Bots and other Tricks that Rob You Blind!

By Laszlo  Szalvay
www.danubetech.com
www.proxyguard.com

"Do you operate an affiliate program, banner exchange, or traffic
trading script? Chances are sophisticated robots (or 'bots') are
cheating you.

Everybody knows that to get traffic on the web in any industry a
successful affiliate program is essential. But over the last few years
almost every successful affiliate program offering pay-per-click (PPC)
and pay-per-lead (PPL) has been subject to a mysterious fraudulent
activity, which has undermined PPC/PPL as the dominant paradigm for
garnishing traffic...."

<snip>


Selected google hits:

adult webmasters club news
... (DT) in association with BSF. Enterprises, LLC. ... About BSF
Enterprises, LLC: BSF ENTERPRISES, LLC is a software research and development company. ...
www.adultwebmastersclub.com/newsitem.asp?ID=30 -  6k - Cached - Similar pages

Adult Buzz - Webmaster Tips & Support
... (DT) in association with BSF Enterprises, LLC. ... About BSF Enterprises, LLC:
BSF ENTERPRISES, LLC is a software research and development company. ...
www.adultbuzz.com/061202/page5.phtml -  32k - Cached - Similar pages

Cozy Academy: Official School For Adult Webmasters!
... The Faces: BSF ENTERPRISES, LLC. is a software research and development company.
Danube Technologies, Inc. is an end-to-end services provider. ...
www.cozyacademy.com/hub/2002/feb/edition009/page06.asp -  15k - Cached - Similar pages

XBIZ > ADULT WEBMASTER RESOURCES
... Research firm BSF Enterprises, LLC has been at the forefront of understanding how
proxy servers can be used to defraud and attack systems and how crackers use ...
xbiz.com/articles/index.php?article_idp=247 -  37k - Cached - Similar pages

Articles / Battling Proxy Bot Cheaters
... Danube Technologies has teamed with BSF Enterprises to offer Proxy Guard, a solution
that will beat these cheaters and protect the profits and statistics of per ...
www.theadultwebmaster.com/articles/proxy_bots.phtml -  44k - Cached - Similar pages



Whatever that host is, it's pretty well non-existent from the outside:

[toot at sparky /tmp]# host 216.218.184.2
Host 2.184.218.216.in-addr.arpa. not found: 3(NXDOMAIN)


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Hurricane Electric HURRICANE-1 (NET-216-218-128-0-1)
    216.218.128.0 - 216.218.255.255
BSF Enterprises, LLC HURRICANE-CE0548-1A1 (NET-216-218-184-0-1)
    216.218.184.0 - 216.218.184.15 

# ARIN Whois database, last updated 2003-01-19 20:00
# Enter ? for additional hints on searching ARIN's Whois database.


[toot at sparky /tmp]# lynx -head -dump http://216.218.184.2/

nothing..

[toot at sparky /tmp]# traceroute 216.218.184.2 
traceroute to 216.218.184.2 (216.218.184.2), 30 hops max, 38 byte packets
 1  greatwall (192.168.1.2)  7.918 ms  0.813 ms  1.144 ms
 2  165.238.131.24 (165.238.131.24)  150.755 ms  145.510 ms  125.381 ms
 3  165.238.131.17 (165.238.131.17)  159.903 ms  144.566 ms  139.928 ms
 4  gbr2-p58.st6wa.ip.att.net (12.122.253.233)  140.033 ms  127.601 ms  129.873 ms
 5  gbr4-p80.st6wa.ip.att.net (12.122.5.169)  130.028 ms  127.767 ms  129.901 ms
 6  ggr1-p370.st6wa.ip.att.net (12.123.44.133)  140.024 ms  137.744 ms  129.961 ms
 7  att-gw.sea.above.net (192.205.32.234)  139.982 ms  137.990 ms  139.939 ms
 8  so-5-2-0.cr2.sea1.us.mfnx.net (208.185.175.182)  140.032 ms  138.110 ms  129.995 ms
 9  so-4-0-0.mpr4.sjc2.us.mfnx.net (208.184.102.177)  160.005 ms  158.105 ms  149.926 ms
10  pos6-0.mpr2.pao1.us.mfnx.net (208.185.175.162)  160.018 ms 158.574 ms 209.249.0.125 (209.249.0.125)  160.056 ms
11  209.249.24.136.he.net (209.249.24.136)  158.898 ms  157.095 ms  149.949 ms
12  gige-g1-0.gsr12008.fmt.he.net (64.71.128.177)  160.025 ms  158.207 ms  169.924 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
<snip>


[toot at sparky /tmp]# ping 216.218.184.2
PING 216.218.184.2 (216.218.184.2) from 192.168.1.6 : 56(84) bytes of data.

--- 216.218.184.2 ping statistics ---
17 packets transmitted, 0 packets received, 100% packet loss



> When I complained to the originator about it, got this reply
> 
> This message is in response to your complaint of network probing
> attacks from 216.218.184.2.

> This is not a malicious or intrusive attack.  216.218.184.2 is
> involved with security auditing for a number of commercial customers
> whose business is predicated on the unique viability of the underlying
> IP traffic.

What? Utter gobbledegook. Are *you* a commercial customer of theirs? 

The "..unique viability of the underlying IP traffic.."? Who *isn't*
involved with that?

> The machine is automatically set to investigate any statistically
> unusual traffic.

Nonsense. It's not investigating traffic, it's initiating it.

They're port scanning you.

> You will notice these investigations are NON-intrusive, extremely
> low bandwidth, and targeted at a few specific ports (typical web
> server ports like 80 or 8080); they do not scan the port range.

Yup. Looks like they're looking for open proxies.

> This is standard tcp/http protocol. If you see repeated TCP requests
> within a short period of time, this is standard TCP re-connection
> attempt behavior.

Nonsense. They're port scanning you.

> Set your system up to properly deny SYN packets rather than
> dropping (i.e. black-holing) them; this is not compliant with relevant
> RFCs.

Right. It's all your fault.

> Please refer to www.proxyguard.com for more information.
> 
> Thank you.
> 
> Would be interested in other comments on this ...
> 
> Regards
> 
> ------------------------------------------
> Andy Hopkins
> Senior Unix Administrator
> healthAlliance


- John
-- 
Has the preparation
of your heart been ready?
Almost, calm down.

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
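
Added example, not part of the original post: one way to check firewall logs for the pattern discussed in this thread, a source that sends SYNs only to a few web/proxy ports, with retransmits counted separately from real connection attempts. It assumes iptables-style LOG lines; the sample lines, the addresses (documentation ranges), the ports beyond 80 and 8080, and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# 80 and 8080 are named in the thread; the other ports are assumptions.
PROXY_PORTS = {80, 8080, 3128, 1080, 8000, 8888}
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP "
                     r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?\bSYN\b")

def _line(src, spt, dpt):
    """Build one constructed iptables-style LOG line (sample data only)."""
    return (f"Jan 20 18:01:02 fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=60 TTL=49 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 SYN")

# Constructed sample: a proxy prober with retransmits, a classic scan, a web client.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", 41000, 80)] * 3
    + [_line("198.51.100.7", 41001, 8080)] * 3
    + [_line("198.51.100.7", 41002, 3128)] * 2
    + [_line("203.0.113.9", 52000 + p, p) for p in (21, 22, 23, 25, 110, 143)]
    + [_line("198.51.100.50", 33000, 80), _line("198.51.100.50", 33001, 80)]
)

def classify(log_text, scan_ports=5):
    """Return {src: verdict, ports, attempts, retransmits} for logged SYNs."""
    seen = defaultdict(lambda: {"attempts": set(), "lines": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = seen[m["src"]]
        rec["lines"] += 1
        # A retransmitted SYN reuses the same source port, so the
        # (dst, sport, dport) tuple identifies one connection attempt.
        rec["attempts"].add((m["dst"], int(m["spt"]), int(m["dpt"])))
    report = {}
    for src, rec in seen.items():
        ports = {dpt for _, _, dpt in rec["attempts"]}
        if len(ports) >= 2 and ports <= PROXY_PORTS:
            verdict = "proxy-probe"      # several ports, all proxy-typical
        elif len(ports) >= scan_ports:
            verdict = "port-scan"        # broad sweep of unrelated ports
        else:
            verdict = "other"            # e.g. one client retrying port 80
        report[src] = {"verdict": verdict, "ports": sorted(ports),
                       "attempts": len(rec["attempts"]),
                       "retransmits": rec["lines"] - len(rec["attempts"])}
    return report
```

Calling classify(SAMPLE_LOG) returns one entry per source address; the retransmits count shows how many logged SYNs were repeats of an attempt the firewall had already dropped.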



