Akamai, or who is watching your every move on the Internet and how to "drop" them.
1. What is going on

If you have been using the Internet on a regular basis during the last decade (say from the year 2000), no doubt you have noticed that it has become *slower* in recent years. Getting to the data takes dozens of seconds, and in some cases one cannot get connected in several minutes even though the server is alive, up and running. And all this happens not in a 28 kbit/s modem environment but in at least 3G, Turbo-3G (HSPA) or even 4G networks (in Scandinavia) with speeds of 1 Mbit/s and higher. Why is that?

Let's make an experiment: turn off images and JavaScript in the browser (to minimize connections) and try connecting to some web sites.

To see where exactly my browser is connecting I will use the netstat utility with the following flags:
-t for TCP sockets, -a for all sockets, -p to show PID/program name, -e for extended output, -c for continuous listing, -n for numerical IP addresses.

First, let us try connecting to LinkedIn, popular among people working for big companies:

$ netstat -tapecn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 5872 1665/exim4
tcp 0 0 192.168.42.14:62570 216.52.242.80:443 ESTABLISHED 1000 532490 2310/firefox
tcp 0 0 192.168.42.14:11287 2.23.145.244:443 ESTABLISHED 1000 533061 2310/firefox
tcp 0 0 192.168.42.14:11288 2.23.145.244:443 ESTABLISHED 1000 533062 2310/firefox
tcp 0 0 192.168.42.14:11284 2.23.145.244:443 ESTABLISHED 1000 533052 2310/firefox
tcp 0 0 192.168.42.14:31136 75.126.153.214:80 TIME_WAIT 0 0 -
tcp 0 0 192.168.42.14:48286 173.194.32.48:80 TIME_WAIT 0 0 -
tcp 0 0 192.168.42.14:11286 2.23.145.244:443 ESTABLISHED 1000 533054 2310/firefox
tcp 0 0 192.168.42.14:11285 2.23.145.244:443 ESTABLISHED 1000 533053 2310/firefox
tcp 0 0 192.168.42.14:16959 173.194.32.51:80 TIME_WAIT 0 0 -
tcp 0 0 192.168.42.14:14222 173.194.32.60:80 TIME_WAIT 0 0 -
tcp 3675 0 192.168.42.14:62571 216.52.242.80:443 ESTABLISHED 1000 532491 2310/firefox
tcp 0 0 192.168.42.14:16315 80.239.254.97:80 TIME_WAIT 0 0 -
^C
$

216.52.242.80 is an IP address of LinkedIn Corporation, but who are the owners of the other IP addresses (2.23.145.244, 80.239.254.97, 173.194.32.51)?

Let's find out using whois:

$ whois 2.23.145.244
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '2.23.144.0 - 2.23.159.255'

inetnum: 2.23.144.0 - 2.23.159.255
netname: AKAMAI-PA
descr: Akamai Technologies
country: EU
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
status: ASSIGNED PA
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
source: RIPE # Filtered

role: Network Architecture Role Account
address: Akamai Technologies
address: 8 Cambridge Center
address: Cambridge, MA 02142
phone: +1-617-938-3130
abuse-mailbox: abuse@akamai.com
admin-c: NF1714-RIPE
admin-c: JP1944-RIPE
tech-c: NF1714-RIPE
tech-c: JP1944-RIPE
tech-c: APB15-RIPE
tech-c: CKAK-RIPE
tech-c: PWG8-RIPE
tech-c: MH7314-RIPE
tech-c: TBAK-RIPE
nic-hdl: NARA1-RIPE
mnt-by: AKAM1-RIPE-MNT
source: RIPE # Filtered

% Information related to '2.16.0.0/13as31377'

route: 2.16.0.0/13
descr: Akamai Technologies
origin: as31377
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
mnt-routes: AS6762-MNT {2.18.80.0/20^+, 2.23.112.0/20^+, 2.16.220.0/22, 2.16.178.0/23^+}
mnt-routes: CW-EUROPE-GSOC { 2.16.180.0/23^+, 2.21.228.0/22^+, 2.21.232.0/22^+, 2.22.44.0/22^+, 2.22.242.0/23^+, 2.22.248.0/23^+, 2.23.0.0/20^+, 2.23.16.0/20^+, 2.23.32.0/20^+, 2.23.48.0/20^+, 2.23.160.0/20^+, 2.23.192.0/20^+, 2.23.208.0/20^+, 2.23.236.0/23^+ }
source: RIPE # Filtered

% Information related to '2.23.144.0/20AS16625'

route: 2.23.144.0/20
descr: Akamai Technologies
origin: AS16625
mnt-by: AKAM1-RIPE-MNT
source: RIPE # Filtered
$

OK, so it is some other organization, Akamai Technologies, which is connected to my machine from IP address 2.23.145.244, using several ports. Moreover, IP address 80.239.254.97 also belongs to them. Google is behind the IP 173.194.32.51.

Even though I am using the LinkedIn login page URL, it takes more than 10 seconds to see the page.

But! If *one second* after hitting "Enter" I go offline (using Alt-F-W in Firefox), I see the login page immediately!

Which means the web page is delivered all right (since it is a simple login/password two-field HTML form, no Flash),
but someone needs to do some sort of "processing" (your IP address, location, software, etc).
This is obviously what they call "optimization".

Let's now try connecting to the Yahoo mail service:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 6064 -
tcp 907 0 192.168.42.116:10829 217.146.187.60:443 ESTABLISHED 1000 27123 2328/firefox
tcp 0 0 192.168.42.116:47766 2.23.141.227:443 ESTABLISHED 1000 27047 2328/firefox
tcp 0 0 192.168.42.116:10828 217.146.187.60:443 ESTABLISHED 1000 27084 2328/firefox
tcp 0 0 192.168.42.116:47769 2.23.141.227:443 ESTABLISHED 1000 27050 2328/firefox
tcp 0 0 192.168.42.116:47765 2.23.141.227:443 ESTABLISHED 1000 27046 2328/firefox
tcp 0 0 192.168.42.116:47767 2.23.141.227:443 ESTABLISHED 1000 27048 2328/firefox
tcp 0 0 192.168.42.116:2690 173.204.115.235:80 ESTABLISHED 1000 27137 2328/firefox
tcp 0 0 192.168.42.116:47768 2.23.141.227:443 ESTABLISHED 1000 27049 2328/firefox
^C
$

IP 217.146.187.60 belongs to Yahoo Europe Operations, but Akamai (IP 2.23.141.227) got connected to my machine again, without invitation, using several ports! IP 173.204.115.235 is GoGrid LLC from San Francisco, CA.

Now let's check what happens when I connect to my Internet Service Provider (Surftown, IP 212.97.132.34):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 6064 -
tcp 0 1 192.168.42.116:35143 213.150.61.61:443 SYN_SENT 1000 33752 2328/firefox
tcp 0 198 192.168.42.116:37072 212.97.132.34:443 ESTABLISHED 1000 32804 2328/firefox
tcp 0 1 192.168.42.116:47779 2.23.141.227:443 SYN_SENT 1000 33802 2328/firefox
tcp 0 1 192.168.42.116:35145 213.150.61.61:443 SYN_SENT 1000 33801 2328/firefox
tcp 0 0 192.168.42.116:37071 212.97.132.34:443 ESTABLISHED 1000 32782 2328/firefox
tcp 0 1 192.168.42.116:47777 2.23.141.227:443 SYN_SENT 1000 33753 2328/firefox
^C
$

Same story: apart from the connection to my ISP and their broadband partners (213.150.61.61, Tune Kabelnet, Copenhagen, DK), the same Akamai tries hard to get connected to my box. Let's try and find out who they are.
2. What/who is Akamai?

According to the Wikipedia article, Akamai Technologies was founded in 1998 by two individuals:

Daniel M. Lewin, who was raised in Jerusalem and served several years in special forces units of the Israel Defense Forces before moving to Cambridge, MA, USA to study at MIT, and his adviser, Frank Thomson Leighton, professor of Applied Mathematics at MIT. The brief biography page at MIT CSAIL says that from 2003 to 2005 Professor Leighton served as the Chairman of the President's IT Advisory Committee, subcommittee on Cyber Security. In that capacity he issued a report entitled "Cyber Security: A Crisis in Prioritization".

In a nutshell: this is a company founded by two cyber security professionals heavily involved with the Israeli and US governments.

How do they do it? Akamai plays the role of "middleware", delivering content for its customers by mirroring it, for example a complete site's HTML/CSS/JavaScript with its audio, graphics, etc. So when you need content from a web site, it is likely to be delivered from Akamai's IP addresses/servers, NOT from the customer's servers you expect.

Another trick is that they have a peer-to-peer solution, similar to BitTorrent, based on a download manager delivering content to/from other users' computers.

Usually it gets installed without much ado when users of *that* operating system upgrade their Flash player (described by Steve Jobs as a "can of worms"), PDF reader or some other component of the (closed source) Adobe Creative Suite (more on why Steve Jobs did not like Adobe and other proprietary software here).

Looking at the output of "whois 2.23.145.244" you may have noticed the line "route: 2.16.0.0/13". This is CIDR, or Classless Inter-Domain Routing, a method for allocating IP addresses and routing IP packets. A record like "a.b.0.0/13" essentially means that there can be 524,288 IP addresses/hosts allocated to this customer. And it is only one of the CIDR blocks which belong to Akamai. The first netstat output above contains another set of Akamai's IP addresses (80.239.224.0/19) with 8,192 more hosts. They also own several more CIDR blocks, e.g. 23.32.0.0/11 with 2,097,152 IP addresses!

Apart from operating several Internet domains (akam.net, akamai.com, akamai.net, akamaitech.net), they also buy blocks of IP addresses from major communication carriers like TeliaSonera (62.115.0.0/16, 80.239.128.0/19, 80.239.160.0/19, 80.239.192.0/19, etc):

geo@fermat:~$ whois 80.239.178.83
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '80.239.178.0 - 80.239.178.127'

inetnum: 80.239.178.0 - 80.239.178.127
netname: AKAMAI
descr: Akamai International BV
org: ORG-AIB6-RIPE
country: EU
admin-c: RP8999-RIPE
tech-c: RP8999-RIPE
status: ASSIGNED PA
mnt-by: TELIANET-LIR
source: RIPE # Filtered

organisation: ORG-AIB6-RIPE
org-name: Akamai International B.V.
org-type: OTHER
descr: The Trusted Choice for Online Business
address: 8 Cambridge Center
address: MA02412 Cambridge
address: United States
phone: +1 6174443007
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
mnt-by: TELIANET-LIR
mnt-ref: TELIANET-LIR
source: RIPE # Filtered

person: Roann Pacewicz
address: Akamai International IV
address: 8 Cambridge Center
address: 02140 Cambridge, MA
address: US
phone: +6174442828
nic-hdl: RP8999-RIPE
mnt-by: TELIANET-LIR
source: RIPE # Filtered

% Information related to '80.239.160.0/19AS1299'

route: 80.239.160.0/19
descr: TELIANET-BLK
remarks: Abuse issues should be reported
remarks: to abuse@telia.com
origin: AS1299
mnt-by: TELIANET-RR
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.8.13 (WHOIS2)

geo@fermat:~$

If your ISP is not Telia but some other network operator, you are likely to see different IP ranges used by Akamai.

What is important here is that they can dynamically change the range of IPs used for their spider activities!

One thing is clear - this is a huge network spider spread across more than 70 countries.

Google, whose founders have the same roots as Lewin, is also involved in these USA/Israel government spying activities:
according to the Intellipedia article on Wikipedia, Google servers and software enable the US spy agencies CIA and NGA to integrate social networks into their agents' daily work habits.

Who are their customers? First and foremost, multimedia sites (Apple iTunes, Sony), social networks (Facebook, Twitter, LinkedIn, etc), global news providers like BBC and Yahoo, and government (US Department of Defense, etc).
But as we noticed, small ISPs/hosting providers are also targeted.

What does it mean for you?

Each and every time you connect to your public domain email, your bank(!), comment on social networks, or do some sort of download (iTunes, BitTorrent files, etc), they want to know about it!

"Big bro" is really working hard to monitor each and every move you make on the Internet.
3. What can be done?

Well, let's see. Linux has a packet filtering and Network Address Translation tool called iptables.

It is a user space tool that works together with the Linux kernel modules ip_tables and iptable_filter, developed by the Netfilter Core Team. Let's use them!

# iptables -A INPUT -s 2.16.0.0/13 -j DROP
# iptables -A INPUT -s 2.23.144.0/20 -j DROP
# iptables -A INPUT -s 23.0.0.0/12 -j DROP
# iptables -A INPUT -s 23.32.0.0/11 -j DROP
# iptables -A INPUT -s 23.64.0.0/14 -j DROP
# iptables -A INPUT -s 62.115.0.0/16 -j DROP
# iptables -A INPUT -s 72.246.0.0/15 -j DROP
# iptables -A INPUT -s 80.239.128.0/19 -j DROP
# iptables -A INPUT -s 80.239.160.0/19 -j DROP
# iptables -A INPUT -s 80.239.192.0/19 -j DROP
# iptables -A INPUT -s 80.239.224.0/19 -j DROP
# iptables -A INPUT -s 84.53.168.0/22 -j DROP
# iptables -A INPUT -s 88.221.176.0/21 -j DROP
# iptables -A INPUT -s 96.6.0.0/15 -j DROP
# iptables -A INPUT -s 96.16.0.0/15 -j DROP
# iptables -A INPUT -s 217.208.0.0/13 -j DROP
# iptables -A INPUT -s 74.125.0.0/16 -j DROP
# iptables -A OUTPUT -s 74.125.0.0/16 -j DROP
# iptables -A INPUT -s 173.194.0.0/16 -j DROP
# iptables -A OUTPUT -s 173.194.0.0/16 -j DROP
# iptables -A INPUT -s 209.85.128.0/17 -j DROP
# iptables -A OUTPUT -s 209.85.128.0/17 -j DROP
# iptables-save
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 2.16.0.0/13 anywhere
DROP all -- 2.23.144.0/20 anywhere
DROP all -- a23-0-0-0.deploy.akamaitechnologies.com/12 anywhere
DROP all -- a23-32-0-0.deploy.akamaitechnologies.com/11 anywhere
DROP all -- a23-64-0-0.deploy.akamaitechnologies.com/14 anywhere
DROP all -- 62.115.0.0/16 anywhere
DROP all -- a72-246-0-0.deploy.akamaitechnologies.com/15 anywhere
DROP all -- 80.239.128.0/19 anywhere
DROP all -- 80.239.160.0/19 anywhere
DROP all -- 80.239.192.0/19 anywhere
DROP all -- 80-239-224-0.customer.teliacarrier.com/19 anywhere
DROP all -- 84.53.168.0/22 anywhere
DROP all -- a88-221-176-0.deploy.akamaitechnologies.com/21 anywhere
DROP all -- a96-6-0-0.deploy.akamaitechnologies.com/15 anywhere
DROP all -- a96-16-0-0.deploy.akamaitechnologies.com/15 anywhere
DROP all -- 217.208.0.0/13 anywhere
DROP all -- any-in-0000.1e100.net/16 anywhere
DROP all -- 173.194.0.0/16 anywhere
DROP all -- 209.85.128.0/17 anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- any-in-0000.1e100.net/16 anywhere
DROP all -- 173.194.0.0/16 anywhere
DROP all -- 209.85.128.0/17 anywhere
#

Essentially I added (-A) new rules which instruct those two kernel modules to drop (-j DROP) all packets that originate from the IP addresses given in CIDR notation (e.g. 96.16.0.0/15). As you may have noticed, you have to be root (#) on the machine to be able to do that.

Why do I need two rules (for the INPUT and OUTPUT chains) in the case of Google (74.125.0.0/16, 173.194.0.0/16 and 209.85.128.0/17)?

Very good question!

Android software is designed in such a way that when you stop some service using "Manage applications" or "Running services" it only stops the corresponding Java application (Activity), but the Linux process is still running!
The only way to remove an application is by "rooting" the device.

The Calendar application (com.htc.bgp), Facebook, and "Google Services" are prime examples: you stop Calendar as well as "Calendar Storage" and "Calendar Widget", clearing all data, and it disappears from "Running applications". Then you start your browser (either on the droid device or on a Linux notebook using the droid as a modem) and after a second or two you see that it appears again among "Running services"!
More on why the Android Calendar connects to Google here.

So if you suspect that there is a Google device or Akamai "spider-ware" installed on your network behind the iptables firewall, it might be a good idea to add a matching OUTPUT rule for every INPUT rule to make sure that they will not be able to send packets from your network to their IP addresses.

To avoid entering all those iptables rules after each reboot, you can add them (without iptables -L) to the end of the file /etc/init.d/networking on Debian (and some of its derivatives like Mint, Xandros, etc.), right before the "exit 0" line. As a result you should see those lines appearing during Linux boot.
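As an added example (not the post's own commands), the script below writes the post's blocklist in iptables-save format so it can be loaded with iptables-restore instead of being appended to /etc/init.d/networking; it assumes the CIDR blocks quoted in the post. It emits the OUTPUT rule with -d rather than -s, because packets leaving the box carry the local address as their source, so an OUTPUT rule matching on the remote block as source never fires.

```python
"""Build an iptables-restore file from a list of CIDR blocks.

Added example, not from the original post.  Load the result as root with
    iptables-restore < /etc/iptables/rules.v4
(the path is an assumption; any file will do).
"""
import ipaddress

# Constructed blocklist: CIDR blocks quoted in the post's whois/iptables output.
BLOCKED_CIDRS = [
    "2.16.0.0/13",
    "2.23.144.0/20",
    "80.239.224.0/19",
    "173.194.0.0/16",
]


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject malformed blocks and blocks with host bits set.

    strict=True makes "2.23.145.244/20" raise ValueError: a single host
    address pasted where a network was meant is a common typo, and
    iptables would silently mask it down to 2.23.144.0/20.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: iptables handles IPv4 only; use ip6tables")
    return net


def build_rules(cidrs, block_outbound: bool = True) -> str:
    """Return the 'filter' table in iptables-save format.

    INPUT matches the remote block as the *source* of incoming packets;
    OUTPUT must match it as the *destination*, since outgoing packets
    have our own address as source.  Chain policies stay ACCEPT here;
    the post's listing shows an INPUT policy of DROP, set separately.
    """
    lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
    ]
    for cidr in cidrs:
        net = validate_cidr(cidr)
        lines.append(f"-A INPUT -s {net.with_prefixlen} -j DROP")
        if block_outbound:
            lines.append(f"-A OUTPUT -d {net.with_prefixlen} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the file; redirect to the path iptables-restore will read.
    print(build_rules(BLOCKED_CIDRS), end="")
```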

Ubuntu (a popular derivative of Debian) has a solution of its own - ufw, or Uncomplicated FireWall, which is also easy to use.

FreeBSD (and its commercial, overpriced clone Mac OS X) has a similar solution called ipfirewall.

To monitor your connections you have to install the net-tools package (on Debian); netstat is part of it and can be used from a regular user account.
4. After blocking Akamai and Google:

Let's see what results we get after adding the new rules in iptables.

Connecting to LinkedIn:

$ netstat -tapecn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 6064 -
tcp 0 0 192.168.42.116:48645 199.7.50.72:80 TIME_WAIT 0 0 -
tcp 0 1 192.168.42.116:40927 2.23.145.244:443 SYN_SENT 1000 153731 2522/firefox
tcp 0 1 192.168.42.116:40928 2.23.145.244:443 SYN_SENT 1000 153799 2522/firefox
tcp 0 1 192.168.42.116:40926 2.23.145.244:443 SYN_SENT 1000 153730 2522/firefox
tcp 0 1 192.168.42.116:40924 2.23.145.244:443 SYN_SENT 1000 153726 2522/firefox
tcp 0 1 192.168.42.116:40925 2.23.145.244:443 SYN_SENT 1000 153727 2522/firefox
tcp 0 1 192.168.42.116:40932 2.23.145.244:443 SYN_SENT 1000 153803 2522/firefox
tcp 0 1 192.168.42.116:40931 2.23.145.244:443 SYN_SENT 1000 153802 2522/firefox
tcp 0 1 192.168.42.116:40923 2.23.145.244:443 SYN_SENT 1000 153725 2522/firefox
tcp 0 1 192.168.42.116:40930 2.23.145.244:443 SYN_SENT 1000 153801 2522/firefox
tcp 0 1 192.168.42.116:40929 2.23.145.244:443 SYN_SENT 1000 153800 2522/firefox
tcp 0 0 192.168.42.116:39822 216.52.242.80:443 ESTABLISHED 1000 151724 2522/firefox
^C
$

Connecting to Yahoo mail:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 6064 -
tcp 907 0 192.168.42.116:35069 217.12.8.31:443 ESTABLISHED 1000 66935 2328/firefox
tcp 0 1 192.168.42.116:15352 2.23.141.227:443 SYN_SENT 1000 66836 2328/firefox
tcp 0 1 192.168.42.116:15356 2.23.141.227:443 SYN_SENT 1000 66840 2328/firefox
tcp 0 1 192.168.42.116:15362 2.23.141.227:443 SYN_SENT 1000 66934 2328/firefox
tcp 0 1 192.168.42.116:15358 2.23.141.227:443 SYN_SENT 1000 66930 2328/firefox
tcp 0 1 192.168.42.116:15354 2.23.141.227:443 SYN_SENT 1000 66838 2328/firefox
tcp 0 1 192.168.42.116:15360 2.23.141.227:443 SYN_SENT 1000 66932 2328/firefox
tcp 0 1 192.168.42.116:15361 2.23.141.227:443 SYN_SENT 1000 66933 2328/firefox
tcp 0 1 192.168.42.116:15355 2.23.141.227:443 SYN_SENT 1000 66839 2328/firefox
tcp 0 1 192.168.42.116:15353 2.23.141.227:443 SYN_SENT 1000 66837 2328/firefox
tcp 0 1 192.168.42.116:15359 2.23.141.227:443 SYN_SENT 1000 66931 2328/firefox
^C
$

Connecting to ISP (Surftown):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 6064 -
tcp 0 1 192.168.42.116:57757 2.23.141.227:443 SYN_SENT 1000 143480 2522/firefox
tcp 0 0 192.168.42.116:2860 212.97.132.34:443 ESTABLISHED 1000 142695 2522/firefox
tcp 0 0 192.168.42.116:36685 213.150.61.61:443 ESTABLISHED 1000 143452 2522/firefox
tcp 145 0 192.168.42.116:2865 212.97.132.34:443 ESTABLISHED 1000 143479 2522/firefox
tcp 0 1 192.168.42.116:57754 2.23.141.227:443 SYN_SENT 1000 143453 2522/firefox
tcp 0 0 192.168.42.116:2861 212.97.132.34:443 ESTABLISHED 1000 143397 2522/firefox
tcp 3292 0 192.168.42.116:36687 213.150.61.61:443 ESTABLISHED 1000 143478 2522/firefox
^C
geo@fermat:~$

SYN_SENT means that the first step of establishing a TCP connection - sending the SYN (synchronization) packet - has happened, but since we drop the packets coming back from those addresses without ACK-nowledging them, no connection is established.

Now you can block any unwanted visitor (like Facebook) from accessing your box!
To (temporarily) remove an existing rule from iptables, simply replace -A with -D (delete).

But first and foremost you have to monitor your connections using netstat or a more advanced packet inspection tool like tcpdump, because they have a huge pool of IP addresses and can switch between them at any time!
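The following is an added example, not from the original post: it parses netstat -tapecn listings like the ones above, maps each foreign address to the Akamai and Google CIDR blocks quoted in sections 2 and 3, reports the per-block host counts from section 2, and separates ESTABLISHED peers from the SYN_SENT ones that the DROP rules leave hanging. The sample listing is constructed from lines that appear in the post.

```python
"""Flag netstat connections that fall inside watched CIDR blocks.

Added example, not from the original post.  Pipe live output in with
    netstat -tapecn | python3 this_script.py
or call report() on any captured listing.
"""
import ipaddress
import sys
from collections import Counter

# CIDR blocks quoted in the post's whois output and iptables rules.
WATCH = {
    "Akamai": ["2.16.0.0/13", "2.23.144.0/20", "80.239.224.0/19"],
    "Google": ["74.125.0.0/16", "173.194.0.0/16", "209.85.128.0/17"],
}
_WATCH_NETS = {
    owner: [ipaddress.ip_network(b) for b in blocks] for owner, blocks in WATCH.items()
}

# Constructed sample, assembled from netstat lines shown in the post.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 6064 -
tcp 0 0 192.168.42.116:39822 216.52.242.80:443 ESTABLISHED 1000 151724 2522/firefox
tcp 0 1 192.168.42.116:40927 2.23.145.244:443 SYN_SENT 1000 153731 2522/firefox
tcp 0 1 192.168.42.116:40928 2.23.145.244:443 SYN_SENT 1000 153799 2522/firefox
tcp 0 0 192.168.42.116:48286 173.194.32.48:80 TIME_WAIT 0 0 -
"""


def parse_netstat(text):
    """Yield (foreign_ip, foreign_port, state, program) for each tcp/tcp6 row.

    Listening sockets (foreign address 0.0.0.0:* or :::*) have no peer
    and are skipped; the port is split on the last ':' so IPv6 works.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, udp rows, blank lines
        foreign, state = fields[4], fields[5]
        ip, _, port = foreign.rpartition(":")
        if ip in ("0.0.0.0", "::") or port == "*":
            continue
        yield ip, int(port), state, fields[-1]


def classify(ip):
    """Return the WATCH owner whose block contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in _WATCH_NETS.items():
        if any(addr in net for net in nets):
            return owner
    return None


def hosts_in(cidr):
    """Addresses in a block: 2 ** (32 - prefix) for IPv4, as in section 2."""
    return ipaddress.ip_network(cidr).num_addresses


def report(text):
    """Count connections per (owner, state).

    After the INPUT DROP rules are in place, watched peers show up only
    as SYN_SENT: our SYN goes out, their SYN-ACK is dropped, and the
    handshake never completes.
    """
    counts = Counter()
    for ip, _port, state, _prog in parse_netstat(text):
        counts[(classify(ip) or "other", state)] += 1
    return counts


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for (owner, state), n in sorted(report(listing).items()):
        print(f"{owner:8s} {state:12s} {n}")
```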
5. What else?

Well, if you are a geek or a top embedded systems professional capable of cross-compiling, installing and tuning packages like iptables for Droids (very few IT people I know personally can claim that), you possibly do not have to read this.

For the rest of humanity, here are a few recommendations:

Stop using mobile devices with browsers (Droids, iPhones, tablets, etc). It is impossible to manage your connections and data security (SIM/SD) from such devices without a notebook.

Get yourself a regular, inexpensive phone *without a browser*. There are some models still on the market with a camera, Java (Sun Microsystems' original J2ME) and radio.

Avoid sites/operators involved with the Akamai "spider network". Do your browsing only from a secured/tuned notebook/desktop or from public computers. The search engines Yandex.com and Baidu.com are not covered by their "blanket".

Move to Linux or Free/NetBSD. Stop buying/using *that* ugly operating system, pre-installed on every notebook because of corruption, not because of its quality. It could take some time to master (learning curve), but the benefits of Open Source systems are huge: security, flexibility, low cost, fun.
Do not allow them to dictate which OS should run on your notebook!

Avoid Google services, APIs, devices. They tried many times (see my blog for details) to hack into my site, but the USA police did nothing (so far) to stop the cyber Bolsheviks' (Microsoft & Google) criminal activities. The most recent attempts came on 4 Nov 2015 from IP 23.99.210.66 (compatible; MSIE 6.0; Windows NT 5.1) and on 16 Nov 2015 from IP 40.117.94.76 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; MRA 4.4 (build 01348); MRSPUTNIK). I simply cannot waste time adding more info about their hacking on my site. If you must use the Java/Linux platform (e.g. you are a developer), root your device right after unpacking it and remove Calendar, Google Services, Gmail, Facebook, and the rest of that "spider-ware". If you do not like their "noisy" advertising, you may click "Report this ad" and then select "Irrelevant" or "Inappropriate".

Read books like these: "Dog's Heart" by M. Bulgakov and "We" by Y. Zamiatin, who knew what the Bolsheviks were/are all about.

Get wise, go to church!

P.S. After changing my SIM card to Telenor I was pleasantly surprised that Akamai's presence in netstat output became far less noticeable. Which essentially confirms a basic fact most hackers and IT security professionals know: to be able to do "sniffing", "hijacking" and other things, one must first get access to the target network. And by selling IP ranges to USA/Israel spy networks, operators like TeliaSonera basically "sell" their customers' privacy.