[linux-elitists] Sick of doubleclick.net yet?

Jeremy M. Dolan jmd@turbogeek.org
Mon Jul 3 20:08:03 PDT 2000


On Mon, 03 Jul 2000 23:38:50 +0000, Don Marti wrote:
> It turns out that those nasty little cookies aren't so unique after
> all.  I was able to get 53% duplicates: http://zgp.org/rbhl/prl/

I seriously doubt doubleclick is giving out any duplicates under
normal usage. If your business is harvesting information, you don't
give out the same id to 5 people. From briefly looking over the 2
logs you posted, the duplicate id's occur fairly close together. The
second log spanned nearly 20 mins, but duplicates top out at 2
minutes apart. I'd say it's caused by either of the following:

= the databases aren't designed to be queried from the same IP so
  quickly, they don't sync up that often, and depend on the client's
  DNS server to cache the IP long enough until the new user's id can
  be registered in the central database.

= There may be some IP*time formula it uses to make a new id. That
  would account for us getting duplicates in a system designed not
  to give out duplicates - clock skew between ad servers having the
  same time multiplied by our same IP address... duplicate id.

If anyone's still interested, I have a C block available, if someone
wants to hack this python code to switch the IP it sends from (as I
said before, unfortunately, I don't know a lick of python), I can post
some results. It may help us figure out how the id is generated.

Also, perhaps we should rotate the 'adpath' before we draw any
suspicion. Or we may be too late... any subscription attempts from
doubleclick addresses lately, Don? =)

> Anybody else want your name on the page?  I want to give credit
> where credit is due, especially on that multiple IP address
> thing.

I think I was the first to mention about the multiple IP addresses.
Please add my name, inside a <blink>. I just now noticed that the
mail I mentioned that in was sent only to Don. This is a new machine
and mutt wasn't fully set up yet this morning. How un-elitist of me,
missing the list-reply =(. Parts of it are viewable in Don's reply to
the list, however... That was to the list, right Don? Oh dear...
doesn't look like it. I'll resend my original post, resend your reply
if you want it public... just edit out all that stuff about our
Colombian drug cartel ties.

Anyway, I only knew about the multiple IPs because a few months ago
I did an nslookup of ad.dc.net, so I could firewall it out. When it
didn't work, I started investigating. Here's some notes I found lying
around:

I think these were actually the addresses ad.dc.net would resolve to:

205.138.3.22 62 82 102 142 182
208.184.29.50 70 90 130 170 210
209.67.38.101 103 105 106

These are some of their ARIN netblocks, scattered to prevent anyone
from firewalling them out. 15 brownie points if anyone can tell me
why I X'd three of them.

  NETBLK-UU-63-77-79-192	63.77.79.192 - 63.77.79.255
  NETBLK-SPRINT-3FA036-1	63.160.54.0 - 63.160.54.255
  NETBLK-FON-106786867245939	63.166.98.0 - 63.166.98.255
  NETBLK-DOUBLECLICK31-60-18	128.11.60.64 - 128.11.60.127
  NETBLK-DOUBLECLICK-92-19	128.11.92.0 - 128.11.92.255
X NETBLK-DOUBLECLICK3		199.95.206.0 - 199.95.209.255
  NETBLK-DOUBLECLICK-210-08	199.95.210.0 - 199.95.210.255
  NETBLK-UU-204-178-112-160	204.178.112.160 - 204.178.112.191
X NETBLK-UU-204-253-104		204.253.104.0 - 204.253.105.255
  NETBLK-SPRINT-D00ACA-1	208.10.202.0 - 208.10.202.255
X NETBLK-SPRINT-D020D3-1	208.32.211.0 - 208.32.211.255
  NETBLK-UU-208-203-243		208.203.243.0 - 208.203.243.255
  NETBLK-UU-208-211-225		208.211.225.0 - 208.211.225.255
  NETBLK-UU-208-228-86		208.228.86.0 - 208.228.86.255
  NETBLK-NET-DCLICKUU1		209.167.73.128 - 209.167.73.159
  NETBLK-DCLICK2UU1		216.94.59.64 - 216.94.59.95
  NETBLK-CYPC-2162306564	216.230.65.64 - 216.230.65.79

I think that was the weekend I stumbled onto this mailing list,
searching for anti-dc material, I wandered onto that nifty
little authoritative DNS trick. Using a similar method, I aliased
127.0.0.2 to around 20 of the major ad servers in /etc/hosts. Was
blocking probably 50% of the ads on a typical page. But I've since
moved back to the network-wide BIND tactic, to save my coworkers from
the evils of DC.

-- 
Jeremy M. Dolan <jmd@turbogeek.org>
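
Added example, not part of the original message: a Python sketch that turns start-end netblock ranges like the ones listed above into CIDR blocks for firewall rules and checks which of the resolved addresses they would still miss. It uses only a subset of the listed ranges, and it assumes the address shorthand means one full address followed by alternative last octets.

```python
import ipaddress

# Resolved addresses copied from the message, in the poster's shorthand.
RESOLVED = """\
205.138.3.22 62 82 102 142 182
208.184.29.50 70 90 130 170 210
209.67.38.101 103 105 106
"""

# A subset of the ARIN ranges from the message, as "name start - end".
NETBLOCKS = """\
NETBLK-DOUBLECLICK3 199.95.206.0 - 199.95.209.255
NETBLK-UU-204-253-104 204.253.104.0 - 204.253.105.255
NETBLK-NET-DCLICKUU1 209.167.73.128 - 209.167.73.159
NETBLK-CYPC-2162306564 216.230.65.64 - 216.230.65.79
"""

def expand_shorthand(text):
    """Assumed reading: first token is a full address, the rest are last octets."""
    addrs = []
    for line in text.splitlines():
        first, *rest = line.split()
        prefix = first.rsplit(".", 1)[0]
        addrs.append(ipaddress.ip_address(first))
        addrs.extend(ipaddress.ip_address(f"{prefix}.{octet}") for octet in rest)
    return addrs

def ranges_to_cidrs(text):
    """Map each netblock name to the minimal list of CIDR networks covering it."""
    blocks = {}
    for line in text.splitlines():
        name, start, _dash, end = line.split()
        blocks[name] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return blocks

def uncovered(addrs, blocks):
    """Addresses that no listed CIDR contains, so a block list would miss them."""
    nets = [n for cidrs in blocks.values() for n in cidrs]
    return [a for a in addrs if not any(a in n for n in nets)]

if __name__ == "__main__":
    blocks = ranges_to_cidrs(NETBLOCKS)
    for name, cidrs in blocks.items():
        print(name, " ".join(str(c) for c in cidrs))
    missed = uncovered(expand_shorthand(RESOLVED), blocks)
    print(len(missed), "resolved addresses fall outside these blocks")
```

A range that does not sit on a power-of-two boundary comes back as more than one CIDR, so each name maps to a list rather than a single network.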


