Attacking Third-Party Tracking

by Particle Bored

Third-party tracking is not going away.

After all there is a lot of money to be made.  Thus it is up to you to defend yourself.  This article will show one approach of significantly reducing your exposure to third-party tracking without adversely affecting your browsing experience.

One might ask what the big deal is about third-party tracking.  After all, Forrester Research praises companies like Avenue A, and Microsoft even uses third-party tracking within Money 2006.

I would respond with the following analogy.  When I enter Walmart I am aware of their video surveillance and I accept the fact that they can do whatever they like with the footage.  Third-party tracking works more like a private investigator.  Without my knowledge they watch me go into Walmart, The Home Depot, and several other places throughout the day.  They document those with whom I speak and note what was said.  I may shake them off once in a while, but they will find me again later.

While this might be considered stalking in the physical world, it is somehow considered appropriate on the Internet.  This upsets me a great deal.  Most countries require a warrant for such invasive monitoring, so I find their tactics offensive when I am simply trying to locate an article on the New York Times website.

So if we can't stop them from using third-party tracking we can at least avoid sending them our data.  The most cost-effective way I have found for most home users is to utilize Smoothwall Express (www.smoothwall.org).  It is free and for those who know a little Linux it can be modified for our purposes relatively easily.  (Note that I have no financial interest in Smoothwall.)

After getting your Smoothwall up and running, the next step is to configure it to implement a Squid Access-Control List (ACL), available at www.kbg.to.

This will allow you to block HTTP requests by domain name.  This is important because it is easy for tracking companies to change their IP addresses to avoid detection but it is difficult for them to change domain names since it would force their customers to modify their code.

Squid ACLs are also one of the best ways to block malicious code that resides on Akamai's caching servers.

To implement the ACL simply copy my evildomains.txt file to the /etc/squid/conf_files directory and then add these two lines to your squid.conf:

acl evildomains dstdomain "/etc/squid/conf_files/evildomains.txt"
http_access deny evildomains
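To see what that ACL will actually block before you reload Squid, here is a small added Python helper (not the author's script, and not part of Smoothwall or Squid) that mimics the dstdomain matching rule: an entry with a leading dot matches the domain and all of its subdomains, an entry without one matches only that exact host.  The evildomains.txt contents below are constructed sample entries, not the real list.

```python
"""Dry-run a Squid dstdomain ACL list (added example, not from the article)."""

# Constructed stand-in for /etc/squid/conf_files/evildomains.txt.
# Squid dstdomain semantics: ".tracker.example" matches tracker.example and
# every subdomain; "pixel.example" (no leading dot) matches only that host.
SAMPLE_EVILDOMAINS = """\
# tracking networks (constructed sample entries)
.tracker.example
.ads.example
pixel.example
"""


def parse_dstdomain_list(text):
    """Return the non-empty, non-comment entries, lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_matches(host, entries):
    """True if 'acl ... dstdomain' over these entries would match host."""
    host = host.strip().lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            # dotted entry: the bare domain itself or any subdomain of it
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def squid_acl_lines(path="/etc/squid/conf_files/evildomains.txt", name="evildomains"):
    """The two squid.conf lines the article adds, with correct dstdomain syntax."""
    return [f'acl {name} dstdomain "{path}"', f"http_access deny {name}"]


def check_hosts(hosts, text=SAMPLE_EVILDOMAINS):
    """Map each requested host to True (denied) or False (allowed)."""
    entries = parse_dstdomain_list(text)
    return {h: dstdomain_matches(h, entries) for h in hosts}


if __name__ == "__main__":
    sample = ["www.tracker.example", "tracker.example", "pixel.example",
              "www.pixel.example", "www.nytimes.com"]
    for host, denied in check_hosts(sample).items():
        print(f"{host:22} {'DENY' if denied else 'allow'}")
```

Feed it the real file (open(...).read() in place of the constructed string) to confirm a new entry catches the subdomain you saw in the logs without also swallowing a site you need.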

The next layer of defense is custom rules for Snort (also available at www.kgb.to).

With the help of a few others, I have created a few rulesets that effectively detect malicious behavior:

countries.rules helps detect traffic destined for unusual countries.  Simply comment out the countries you want to ignore by inserting a # at the beginning of a line.  Your own country might be a good one.

malware.rules helps detect HTTP traffic destined for domains known for malicious activity.  Third-party tracking domains are included.

NPI.rules helps detect sensitive data that is still escaping in clear text.

Simply copy the new rulesets to the Snort "rules" directory, then go towards the bottom of the snort.conf file and use the syntax of the existing rules to create new entries referring to the names of the new rules.

Go ahead and reboot at this point so your Squid and Snort changes will take effect.  If you screw up and Snort fails to start there will be beautifully specific error messages in the /var/log/messages file to tell you what you did wrong.

The last step is to use the Smoothwall web interface to configure a blacklist (again available at www.kgb.to).

Simply go to Networking - IP Block and enter the subnets in CIDR (the format that is in parentheses in my list).  Make sure you configure each entry to "Reject Packet" and not to "Drop Packet."

This configuration may be slightly less secure from the perspective of an external attacker but it will dramatically improve browsing performance.  Go ahead and try it both ways if you don't believe me.

There is one critical thing to remember: Smoothwall Express does not utilize the inline blocking functionality of Snort.

You will need to regularly monitor the "Intrusion Detection System" log and respond to emerging threats by modifying the blacklist or the Squid ACL.  I will do some of the work for you since I am continuously updating the files on my site.

Now that you are finished configuring your Smoothwall you will notice a lot of stuff being blocked while you are shopping online.  Feel free to contact the company and politely inform them that you refuse to give your credit card number to deceptive companies.

Don't waste your time with their web administrator, though.  Marketing departments appear to be the most responsive.
