IPs getting through IPsec anyway

thebeyonder
I use PeerBlock, and it is constantly blocking IPs from these:

Quantcast
AppNexus
Limelight Networks
Level 3 Communications
Archer Communications
Tribal Fusion
Server Beach

I decided to use the IPsec .msc snap-in to block those IP ranges at the system level so PeerBlock doesn't even have to bother with them.

I know I set them up right, but they are not blocked. They keep hammering PeerBlock and it is annoying. I tested the function of IPsec by adding Google's IP range; that gets blocked, but none of the others do.

Why not??? Totally baffled. Got the IPs right, subnet masks right, all entries in IPsec's block list have the same parameters, but only Google gets blocked and the rest don't.
 

Bubbaleone
Open an elevated command prompt and run ipconfig /flushdns, then exit the prompt. Download MalwareBytes and scan your PC, then allow it to remove any malware it detected. After that, go to C:\Windows\System32\drivers\etc, open the hosts file with Notepad, and look at the entries there; "127.0.0.1 localhost" is the default entry. Delete any other entries, then save hosts as read-only. Reboot and test.



thebeyonder
Malwarebytes didn't come up with anything, except where I turned off notifications for Windows Firewall.

Hosts file had "127.0.0.1 localhost", nothing else.

Flushed DNS, restarted.

IPs still getting through.

Also, I tried experimenting on one of the IP ranges in the IPsec block list: I changed the subnet mask from 255.255.255.0 to 255.255.0.0 to expand the range, just to make sure. It did not make a difference; still did not get blocked.

??????
 

Bubbaleone
Open hosts and copy/paste the following lines below "127.0.0.1 localhost", then save as read-only:

Code:
127.0.0.1        markmonitor.com
127.0.0.1        quantcast.com
127.0.0.1        appnexus.com
127.0.0.1        limelightnetworks.com
127.0.0.1        level3.com
127.0.0.1        archercom.com
127.0.0.1        mediatemple.net
127.0.0.1        tucowsdomains.com
127.0.0.1        TRIBALFUSION.COM
127.0.0.1        exponential.com
127.0.0.1        SERVERBEACH.COM
127.0.0.1        peer1.net
127.0.0.1        ns1-188.akam.net
127.0.0.1        use4.akam.net
127.0.0.1        usw4.akam.net
127.0.0.1        ns1-95.akam.net
127.0.0.1        eur5.akam.net
127.0.0.1        asia9.akam.net
127.0.0.1        usc2.akam.net
127.0.0.1        usc1.akam.net
127.0.0.1        01.auth.nym2.appnexus.net
127.0.0.1        ns3.p28.dynect.net
127.0.0.1        ns1.p28.dynect.net
127.0.0.1        NS1.TRIBALFUSION.COM
127.0.0.1        NS2.TRIBALFUSION.COM
127.0.0.1        NS1.PEER1.NET
127.0.0.1        NS2.PEER1.NET
127.0.0.1        204.11.108.11
127.0.0.1        204.11.108.12
127.0.0.1        ns4.p28.dynect.net
127.0.0.1        ns2.p28.dynect.net
127.0.0.1        01.auth.ams1.appnexus.net
127.0.0.1        01.auth.nym1.appnexus.net
127.0.0.1        01.auth.lax1.appnexus.net
127.0.0.1        ns1.l3.net
127.0.0.1        ns2.l3.net
127.0.0.1        NS1.SLICEHOST.NET
127.0.0.1        NS3.SLICEHOST.NET
127.0.0.1        NS2.SLICEHOST.NET
 

thebeyonder
Didn't make a difference.

Added an easy website to test:

127.0.0.1 accs-net.com

That did not get blocked. Found out that often you have to add www. in front of it:

127.0.0.1 www.accs-net.com

That did get blocked.

(google.com wasn't such a great website to test on, because the page got loaded, but when blocked it's the results that don't show up, etc. Too confusing for troubleshooting.)

Next, I focused on one particular entry.

You have quantcast.com in the list. However, the "Quantcast Corporation" that shows up in PeerBlock has an IP of 64.94.107.28 (or similar). whois shows a reverse IP of pixel.quantserve.com, so I added these to the hosts file:

127.0.0.1 pixel.quantserve.com
127.0.0.1 www.pixel.quantserve.com

Did not get blocked; still showed up in PeerBlock.

Next thing, if it means anything: I noticed the entries for "Quantcast Corporation" (and the rest of the offenders) in PeerBlock are always sending from my IP to their IP, not receiving from their IP to my IP.

Now what?

I think if we focus on trying to block Quantcast (in whatever form) it should make the solution more clear-cut.
 

theevilsharpie
The IPSec settings aren't the appropriate place for IP ACLs. Use the Windows firewall if you want to block traffic in that manner.
 

thebeyonder
Thank you, that does make sense.

Turned on Windows Firewall, no effect. Didn't see where to add IP ranges, just programs.

Using a personal firewall, same thing: no option for IP ranges, just programs.

Still would like to know what the problem is with IPsec and the hosts file.
 

theevilsharpie
"turned on Windows Firewall, no effect. didn't see where to add IP ranges just programs."

There's a Windows Firewall with Advanced Security MMC in Administrative Tools that will give you substantially more control over your firewall than the simple Windows control panel. (I'm going off of memory, so it might not be named exactly that.)

Based on your OP, it looks like you're trying to block outbound IP access. Bear in mind that you'll need to enable outbound blocking, as Windows will permit outbound access by default. Also, the Windows firewall doesn't order firewall rules like most other products do, but deny rules take precedence over permit rules.

"still would like to know what the problem is with IPsec and hosts file."

The hosts file only controls DNS resolution, and will be bypassed if IPs are being accessed directly. Using a custom hosts file is a common ad-blocking tactic, so it wouldn't surprise me if advertising/tracking traffic was using IP addresses directly.

The IPSec traffic filtering functionality was bolted on to Windows 2000 due to its lack of a built-in firewall, and carried over to XP/2003 due to their firewalls' lack of outbound filtering. Vista/Server 2008 onward has a full-fledged firewall, and using IPSec for IP blocking is no longer recommended, and may not even be supported anymore. In any case, constructing IPSec policies in Windows has always been incredibly clunky, and it doesn't surprise me that it's not working properly.
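An added example, not from the thread, that models how the resolver consults the hosts file and so explains both observations above: the earlier finding that accs-net.com was not blocked while www.accs-net.com was, and the statement that the hosts file is bypassed when a program connects to an IP address directly. The hosts file is an exact-match, case-insensitive table of names; there is no wildcard or parent-domain matching, and an IP literal never goes through name resolution at all, so an entry such as "127.0.0.1 204.11.108.11" does nothing. The sample hosts text and the lookup function are constructed for this example and imitate the consultation order rather than calling the real resolver.

```powershell
# Added example (not from the thread). Models the hosts-file lookup step of
# name resolution: exact, case-insensitive name match, first entry wins, no
# wildcard or suffix matching, and IP literals are never looked up.

# Constructed sample hosts file for the demonstration.
$HostsText = @"
# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       www.accs-net.com
127.0.0.1       pixel.quantserve.com
127.0.0.1       204.11.108.11
"@

function ConvertFrom-HostsFile {
    param([string]$Text)
    $map = @{}
    foreach ($rawLine in $Text -split "`r?`n") {
        $line = ($rawLine -replace '#.*$', '').Trim()      # drop comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'                         # address followed by one or more names
        if ($fields.Count -lt 2) { continue }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $key = $name.ToLowerInvariant()
            if (-not $map.ContainsKey($key)) { $map[$key] = $addr }   # first entry for a name wins
        }
    }
    return $map
}

function Resolve-ViaHosts {
    param([hashtable]$Map, [string]$Target)
    # An IP literal is connected to directly; no name lookup happens, so the
    # hosts file never gets a chance to intercept it.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        return [pscustomobject]@{ Target = $Target; Stage = 'direct-ip'; Address = $Target }
    }
    # Names are matched exactly (case-insensitively); "accs-net.com" does not
    # match an entry for "www.accs-net.com" and vice versa.
    $key = $Target.ToLowerInvariant()
    if ($Map.ContainsKey($key)) {
        return [pscustomobject]@{ Target = $Target; Stage = 'hosts'; Address = $Map[$key] }
    }
    # No exact match: the resolver goes on to DNS, and the hosts file has no say.
    return [pscustomobject]@{ Target = $Target; Stage = 'dns'; Address = $null }
}

$hosts = ConvertFrom-HostsFile $HostsText
'accs-net.com', 'www.accs-net.com', 'cdn.accs-net.com',
'PIXEL.QUANTSERVE.COM', '64.94.107.28', '204.11.108.11' |
    ForEach-Object { Resolve-ViaHosts -Map $hosts -Target $_ } |
    Format-Table -AutoSize
```

In the table this prints, only www.accs-net.com and pixel.quantserve.com come back from the "hosts" stage; accs-net.com and cdn.accs-net.com fall through to DNS, and both IP literals are reported as "direct-ip" even though one of them appears in the file. A tracking pixel fetched by address, or a tracker reached through a hostname that is not listed exactly, is therefore untouched by any hosts entry, which is why an address-based firewall rule is the right layer for this job.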
 

thebeyonder
That is what it's called, but it's available in Vista, Win7, and the server editions. I have XP; it's not there.

Looks like I should be relying on some sort of firewall instead of IPsec or the hosts file.

PeerBlock sure does work. I just want to block the major IPs (constant, repeat offenders) on some lower level; seems the right way to do it.
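An added example, not from the thread, of doing exactly that on a system that has Windows Firewall with Advanced Security (Vista/Server 2008 and later; it does not apply to XP, whose firewall has no outbound filtering). It is driven from an elevated PowerShell prompt through netsh advfirewall, which is the command-line face of the same firewall. The two ranges are assumptions built from addresses mentioned in the thread (64.94.107.28 seen for Quantcast, and 204.11.108.11 and .12 from the hosts list) with the 255.255.255.0 mask the original poster used; who owns 204.11.108.0/24 is not asserted.

```powershell
# Added example (not from the thread). Creates outbound and inbound block rules
# for tracker address ranges in Windows Firewall with Advanced Security.
# Run from an elevated PowerShell prompt on Vista/Server 2008 or later.
# Ranges are assumptions derived from addresses mentioned in the thread.
$rules = @(
    @{ Name = 'Block tracker range 64.94.107.0/24';  Remote = '64.94.107.0/24' },
    @{ Name = 'Block tracker range 204.11.108.0/24'; Remote = '204.11.108.0/24' }
)

foreach ($r in $rules) {
    # One rule per direction. An explicit block rule wins over any allow rule
    # for the same traffic and applies even while the profile's default
    # outbound action is Allow, so the default does not have to be changed.
    foreach ($dir in 'out', 'in') {
        netsh advfirewall firewall add rule name="$($r.Name) ($dir)" dir=$dir action=block remoteip=$($r.Remote) protocol=any profile=any enable=yes | Out-Null
    }
}

# Verify the rules were created (prints each rule's properties).
foreach ($r in $rules) {
    netsh advfirewall firewall show rule name="$($r.Name) (out)"
}

# To undo later:
#   netsh advfirewall firewall delete rule name="Block tracker range 64.94.107.0/24 (out)"
# and likewise for the other names.
```

Because the rule matches on the remote address, it catches connections made straight to an IP literal, which is what the hosts file cannot do, and it does not matter which program opens them. Leave the profile's default outbound action at Allow unless you are prepared to write allow rules for everything else; the specific block rules take effect without it.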
 

DPOverLord
Were you ever able to get rid of AppNexus? I am always finding these in PeerBlock.

Sorry for opening an old thread.