[Dshield] Proxy Guard

John Sage jsage at finchhaven.com
Tue Jan 21 02:28:55 GMT 2003


I decided to bring this up to the top: there's further background and
commentary, below..

 Danube Technologies, Inc.
 3600 15th Ave. W.
 Suite 100
 Seattle, WA 98119


Administrative Contact:
 Szalvay, Laszlo info at danubetech.com
 3600 15th Ave. W.
 Suite 100
 Seattle, WA 98119

Technical Contact:
 Szalvay, Laszlo info at danubetech.com
 3600 15th Ave. W.
 Suite 100
 Seattle, WA 98119

Laszlo Szalvay seems to be heavily involved with http proxy
detection/avoidance, possibly for adult content web sites, but
certainly for "pay-per-click (PPC) and pay-per-lead (PPL)" web sites.



Avoid Affiliate Fraud!
Seek Protection from Bots and other Tricks that Rob You Blind!

By Laszlo  Szalvay

"Do you operate an affiliate program, banner exchange, or traffic
trading script? Chances are sophisticated robots (or 'bots') are
cheating you.

Everybody knows that to get traffic on the web in any industry a
successful affiliate program is essential. But over the last few years
almost every successful affiliate program offering pay-per-click (PPC)
and pay-per-lead (PPL) has been subject to a mysterious fraudulent
activity, which has undermined PPC/PPL as the dominant paradigm for
garnishing traffic...."


Selected google hits:

adult webmasters club news
... (DT) in association with BSF. Enterprises, LLC. ... About BSF
Enterprises, LLC: BSF ENTERPRISES, LLC is a software research and development company. ...
www.adultwebmastersclub.com/newsitem.asp?ID=30 -  6k - Cached - Similar pages

Adult Buzz - Webmaster Tips & Support
... (DT) in association with BSF Enterprises, LLC. ... About BSF Enterprises, LLC:
BSF ENTERPRISES, LLC is a software research and development company. ...
www.adultbuzz.com/061202/page5.phtml -  32k - Cached - Similar pages

Cozy Academy: Official School For Adult Webmasters!
... The Faces: BSF ENTERPRISES, LLC. is a software research and development company.
Danube Technologies, Inc. is an end-to-end services provider. ...
www.cozyacademy.com/hub/2002/feb/edition009/page06.asp -  15k - Cached - Similar pages

... Research firm BSF Enterprises, LLC has been at the forefront of understanding how
proxy servers can be used to defraud and attack systems and how crackers use ...
xbiz.com/articles/index.php?article_idp=247 -  37k - Cached - Similar pages

Articles / Battling Proxy Bot Cheaters
... Danube Technologies has teamed with BSF Enterprises to offer Proxy Guard, a solution
that will beat these cheaters and protect the profits and statistics of per ...
www.theadultwebmaster.com/articles/proxy_bots.phtml -  44k - Cached - Similar pages

Whatever that host is, it's pretty well non-existent from the outside:

[toot at sparky /tmp]# host
Host not found: 3(NXDOMAIN)

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Hurricane Electric HURRICANE-1 (NET-216-218-128-0-1) -
BSF Enterprises, LLC HURRICANE-CE0548-1A1 (NET-216-218-184-0-1) - 

# ARIN Whois database, last updated 2003-01-19 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

[toot at sparky /tmp]# lynx -head -dump


[toot at sparky /tmp]# traceroute 
traceroute to (, 30 hops max, 38 byte packets
 1  greatwall (  7.918 ms  0.813 ms  1.144 ms
 2 (  150.755 ms  145.510 ms  125.381 ms
 3 (  159.903 ms  144.566 ms  139.928 ms
 4  gbr2-p58.st6wa.ip.att.net (  140.033 ms  127.601 ms  129.873 ms
 5  gbr4-p80.st6wa.ip.att.net (  130.028 ms  127.767 ms  129.901 ms
 6  ggr1-p370.st6wa.ip.att.net (  140.024 ms  137.744 ms  129.961 ms
 7  att-gw.sea.above.net (  139.982 ms  137.990 ms  139.939 ms
 8  so-5-2-0.cr2.sea1.us.mfnx.net (  140.032 ms  138.110 ms  129.995 ms
 9  so-4-0-0.mpr4.sjc2.us.mfnx.net (  160.005 ms  158.105 ms  149.926 ms
10  pos6-0.mpr2.pao1.us.mfnx.net (  160.018 ms 158.574 ms (  160.056 ms
11 (  158.898 ms  157.095 ms  149.949 ms
12  gige-g1-0.gsr12008.fmt.he.net (  160.025 ms  158.207 ms  169.924 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *

[toot at sparky /tmp]# ping
PING ( from : 56(84) bytes of data.

--- ping statistics ---
17 packets transmitted, 0 packets received, 100% packet loss

> When I complained to the originator about it, got this reply
> This message is in response to your complaint of network probing
> attacks from

> This is not a malicious or intrusive attack. is
> involved with security auditing for a number of commercial customers
> whose business is predicated on the unique viability of the underlying
> IP traffic.

What? Utter gobbledegook. Are *you* a commercial customer of theirs? 

The "..unique viability of the underlying IP traffic.."? Who *isn't*
involved with that?

> The machine is automatically set to investigate any statistically
> unusual traffic.

Nonsense. It's not investigating traffic, it's initiating it.

They're port scanning you.

> You will notice these investigations are NON-intrusive, extremely
> low bandwidth, and targeted at a few specific ports (typical web
> server ports like 80 or 8080); they do not scan the port range.

Yup. Looks like they're looking for open proxies.

> This is standard tcp/http protocol. If you see repeated TCP requests
> within a short period of time, this is standard TCP re-connection
> attempt behavior.

Nonsense. They're port scanning you.

> Set your system up to properly deny SYN packets rather than
> dropping (i.e. black-holing) them; this is not compliant with relevant

Right. It's all your fault.

> Please refer to www.proxyguard.com for more information.
> Thank you.
> Would be interested in other comments on this ...
> Regards
> ------------------------------------------
> Andy Hopkins
> Senior Unix Administrator
> healthAlliance

- John
Has the preparation
of your heart been ready?
Almost, calm down.

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
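
The question argued in the thread, whether repeated SYNs are retransmissions of one connection attempt or a sweep for open proxies, can be settled from firewall logs: a retransmitted SYN reuses the same source port, while a sweep opens new flows to several proxy ports. The Python below is an added example, not part of the original post; the iptables-style log lines are constructed, the addresses are documentation ranges, and ports 3128 and 1080 are an assumption beyond the 80/8080 named in the thread.

```python
import re
from collections import Counter, defaultdict

# 80 and 8080 are named in the thread; 3128 (Squid) and 1080 (SOCKS)
# are added here as an assumption about other common proxy ports.
PROXY_PORTS = {80, 8080, 3128, 1080}

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

# Constructed sample log (not from the original post).
SAMPLE = """\
Jan 20 18:02:11 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 SYN
Jan 20 18:02:11 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 SYN
Jan 20 18:02:12 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=3128 WINDOW=5840 SYN
Jan 20 18:02:14 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 SYN
Jan 20 18:02:14 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 SYN
Jan 20 18:02:20 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 SYN
Jan 20 18:05:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN
Jan 20 18:05:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN
Jan 20 18:05:09 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN
"""


def summarize(lines):
    """Group logged SYNs by source, collapsing retransmits of one attempt."""
    flows = defaultdict(Counter)  # src -> {(spt, dst, dpt): SYNs logged}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows[m["src"]][(int(m["spt"]), m["dst"], int(m["dpt"]))] += 1
    report = {}
    for src, by_flow in flows.items():
        ports = {dpt for (_, _, dpt) in by_flow}
        report[src] = {
            "attempts": len(by_flow),  # distinct connection attempts
            "retransmits": sum(n - 1 for n in by_flow.values()),
            "ports": sorted(ports),
            # Two or more distinct proxy ports from one source: a sweep.
            "proxy_sweep": len(ports & PROXY_PORTS) >= 2,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE.splitlines()).items():
        print(src, info)
```

In the sample, the first source makes three separate attempts across three proxy ports plus retransmits, while the second source only retries a single connection to port 80.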
