Akamai, or who is watching your every move on the Internet and how to "drop" them.

1. What is going on

If you've been using the Internet on a regular basis during the last decade (say, since the year 2000) you have no doubt noticed that it has become *slower* in recent years. Getting through to the data takes dozens of seconds, and in some cases one cannot get connected within several minutes even though the server is alive and up and running. And all this happens not in a 28 kbit/s modem environment but in at least 3G, Turbo-3G (HSPA) or even 4G networks (in Scandinavia) with speeds of 1 Mbit/s and higher. Why is that?

Let's do an experiment: turn off images and JavaScript in the browser (to minimize the number of connections) and try connecting to some web sites.

To see exactly where my browser is connecting I will use the netstat utility with the following flags:
-t for TCP sockets, -a all sockets, -p PID/program name, -e extended output, -c continuous listing, -n numerical IP addresses.

First let us try connecting to LinkedIn, popular among people working for big companies:

$ netstat -tapecn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          5872        1665/exim4      
tcp        0      0 192.168.42.14:62570     216.52.242.80:443       ESTABLISHED 1000       532490      2310/firefox    
tcp        0      0 192.168.42.14:11287     2.23.145.244:443        ESTABLISHED 1000       533061      2310/firefox    
tcp        0      0 192.168.42.14:11288     2.23.145.244:443        ESTABLISHED 1000       533062      2310/firefox    
tcp        0      0 192.168.42.14:11284     2.23.145.244:443        ESTABLISHED 1000       533052      2310/firefox    
tcp        0      0 192.168.42.14:31136     75.126.153.214:80       TIME_WAIT   0          0           -               
tcp        0      0 192.168.42.14:48286     173.194.32.48:80        TIME_WAIT   0          0           -               
tcp        0      0 192.168.42.14:11286     2.23.145.244:443        ESTABLISHED 1000       533054      2310/firefox    
tcp        0      0 192.168.42.14:11285     2.23.145.244:443        ESTABLISHED 1000       533053      2310/firefox    
tcp        0      0 192.168.42.14:16959     173.194.32.51:80        TIME_WAIT   0          0           -               
tcp        0      0 192.168.42.14:14222     173.194.32.60:80        TIME_WAIT   0          0           -               
tcp     3675      0 192.168.42.14:62571     216.52.242.80:443       ESTABLISHED 1000       532491      2310/firefox    
tcp        0      0 192.168.42.14:16315     80.239.254.97:80        TIME_WAIT   0          0           -               
^C
$

216.52.242.80 is the IP address of LinkedIn Corporation, but who owns the other IP addresses (2.23.145.244, 80.239.254.97, 173.194.32.51)?

Let's find out using whois:

$ whois 2.23.145.244
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '2.23.144.0 - 2.23.159.255'

inetnum:         2.23.144.0 - 2.23.159.255
netname:         AKAMAI-PA
descr:           Akamai Technologies
country:         EU
admin-c:         NARA1-RIPE
tech-c:          NARA1-RIPE
status:          ASSIGNED PA
mnt-by:          AKAM1-RIPE-MNT
mnt-routes:      AKAM1-RIPE-MNT
source:          RIPE # Filtered

role:           Network Architecture Role Account
address:        Akamai Technologies
address:        8 Cambridge Center
address:        Cambridge, MA 02142
phone:          +1-617-938-3130
abuse-mailbox:  abuse@akamai.com
admin-c:        NF1714-RIPE
admin-c:        JP1944-RIPE
tech-c:         NF1714-RIPE
tech-c:         JP1944-RIPE
tech-c:         APB15-RIPE
tech-c:         CKAK-RIPE
tech-c:         PWG8-RIPE
tech-c:         MH7314-RIPE
tech-c:         TBAK-RIPE
nic-hdl:        NARA1-RIPE
mnt-by:         AKAM1-RIPE-MNT
source:         RIPE # Filtered

% Information related to '2.16.0.0/13as31377'

route:           2.16.0.0/13
descr:           Akamai Technologies
origin:          as31377
mnt-by:          AKAM1-RIPE-MNT
mnt-routes:      AKAM1-RIPE-MNT
mnt-routes:      AS6762-MNT {2.18.80.0/20^+, 2.23.112.0/20^+, 2.16.220.0/22, 2.16.178.0/23^+}
mnt-routes:      CW-EUROPE-GSOC { 2.16.180.0/23^+, 2.21.228.0/22^+, 2.21.232.0/22^+, 2.22.44.0/22^+, 2.22.242.0/23^+, 2.22.248.0/23^+, 2.23.0.0/20^+, 2.23.16.0/20^+, 2.23.32.0/20^+, 2.23.48.0/20^+, 2.23.160.0/20^+, 2.23.192.0/20^+, 2.23.208.0/20^+, 2.23.236.0/23^+ }
source:          RIPE # Filtered

% Information related to '2.23.144.0/20AS16625'

route:           2.23.144.0/20
descr:           Akamai Technologies
origin:          AS16625
mnt-by:          AKAM1-RIPE-MNT
source:          RIPE # Filtered
$

OK, so it is some other organization, Akamai Technologies, that is connected to my machine from IP address 2.23.145.244, using several ports. Moreover, IP address 80.239.254.97 also belongs to them. Google is behind the IP 173.194.32.51.

Even though I am using the LinkedIn login page URL, it takes more than 10 seconds to see the page.

But! If *one second* after hitting "Enter" I go offline (using Alt-F-W in Firefox), I see the login page immediately!

Which means the web page is delivered all right (since it is a simple two-field login/password HTML form, no Flash),
but someone needs to do some sort of "processing" (your IP address, location, software, etc.).
This is obviously what they call "optimization".

Let's now try connecting to Yahoo mail service:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp      907      0 192.168.42.116:10829    217.146.187.60:443      ESTABLISHED 1000       27123       2328/firefox    
tcp        0      0 192.168.42.116:47766    2.23.141.227:443        ESTABLISHED 1000       27047       2328/firefox    
tcp        0      0 192.168.42.116:10828    217.146.187.60:443      ESTABLISHED 1000       27084       2328/firefox    
tcp        0      0 192.168.42.116:47769    2.23.141.227:443        ESTABLISHED 1000       27050       2328/firefox    
tcp        0      0 192.168.42.116:47765    2.23.141.227:443        ESTABLISHED 1000       27046       2328/firefox    
tcp        0      0 192.168.42.116:47767    2.23.141.227:443        ESTABLISHED 1000       27048       2328/firefox    
tcp        0      0 192.168.42.116:2690     173.204.115.235:80      ESTABLISHED 1000       27137       2328/firefox    
tcp        0      0 192.168.42.116:47768    2.23.141.227:443        ESTABLISHED 1000       27049       2328/firefox    
^C
$

IP 217.146.187.60 belongs to Yahoo Europe Operations, but Akamai (IP 2.23.141.227) got connected to my machine again, without invitation, using several ports! IP 173.204.115.235 is GoGrid LLC from San Francisco, CA.

Now let's check what happens when I connect to my Internet Service Provider (Surftown, IP 212.97.132.34):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp        0      1 192.168.42.116:35143    213.150.61.61:443       SYN_SENT    1000       33752       2328/firefox    
tcp        0    198 192.168.42.116:37072    212.97.132.34:443       ESTABLISHED 1000       32804       2328/firefox    
tcp        0      1 192.168.42.116:47779    2.23.141.227:443        SYN_SENT    1000       33802       2328/firefox    
tcp        0      1 192.168.42.116:35145    213.150.61.61:443       SYN_SENT    1000       33801       2328/firefox    
tcp        0      0 192.168.42.116:37071    212.97.132.34:443       ESTABLISHED 1000       32782       2328/firefox    
tcp        0      1 192.168.42.116:47777    2.23.141.227:443        SYN_SENT    1000       33753       2328/firefox    
^C
$ 

Same story: apart from the connection to my ISP and their broadband partners (213.150.61.61, Tune Kabelnet, Kopenhagen, DK), the same Akamai tries hard to get connected to my box. Let's try and find out who they are.

2. What/who is Akamai?

According to the Wikipedia article, Akamai Technologies was founded in 1998 by two individuals:

Daniel M. Lewin, who was raised in Jerusalem and served several years in special forces units of the Israel Defense Forces before moving to Cambridge, MA, USA to study at MIT, and his adviser Frank Thomson Leighton, professor of Applied Math at MIT. A brief biography page at MIT CSAIL says that from 2003 to 2005 Professor Leighton served as the Chairman of the President's IT Advisory Committee, subcommittee on Cyber Security. In that capacity he issued a report entitled "Cyber Security: A Crisis in Prioritization".

In a nutshell: this is a company founded by two cyber security professionals heavily involved with the Israeli and US governments.

How do they do it? Akamai plays the role of "middleware", delivering content on behalf of its customers by mirroring it, for example a complete site's HTML/CSS/JavaScript with its audio, graphics, etc. So when you need content from a web site it is likely to be delivered from Akamai's IP addresses/servers, NOT from the customer's servers you expect.

Another trick is that they have a peer-to-peer solution similar to BitTorrent, based on a download manager delivering content to/from other users' computers.

Usually it gets installed without much ado when users of *that* operating system upgrade their Flash player (described by Steve Jobs as a "can of worms"), PDF reader or some other component of the (closed source) Adobe Creative Suite (more on why Steve Jobs did not like Adobe and other proprietary software here).

Looking at the output of "whois 2.23.145.244" you may have noticed the line "route: 2.16.0.0/13". This is CIDR, or Classless Inter-Domain Routing, a method for allocating IP addresses and routing IP packets. A record like "a.b.0.0/13" means that there can be 2^(32-13) = 524,288 IP addresses/hosts allocated to this customer. And it is only one of the CIDR blocks which belong to Akamai. The first netstat output above contains an address from another Akamai range (80.239.224.0/19) with 8,192 more hosts. They also own several more CIDR blocks, e.g. 23.32.0.0/11 with 2,097,152 IP addresses!

Apart from operating several Internet domains (akam.net, akamai.com, akamai.net, akamaitech.net) they also buy blocks of IP addresses from major communication carriers like TeliaSonera (62.115.0.0/16, 80.239.128.0/19, 80.239.160.0/19, 80.239.192.0/19, etc.):

geo@fermat:~$ whois 80.239.178.83
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '80.239.178.0 - 80.239.178.127'

inetnum:         80.239.178.0 - 80.239.178.127
netname:         AKAMAI
descr:           Akamai International BV
org:             ORG-AIB6-RIPE
country:         EU
admin-c:         RP8999-RIPE
tech-c:          RP8999-RIPE
status:          ASSIGNED PA
mnt-by:          TELIANET-LIR
source:          RIPE # Filtered

organisation:   ORG-AIB6-RIPE
org-name:       Akamai International B.V.
org-type:       OTHER
descr:          The Trusted Choice for Online Business
address:        8 Cambridge Center
address:        MA02412 Cambridge
address:        United States
phone:          +1 6174443007
admin-c:        NARA1-RIPE
tech-c:         NARA1-RIPE
mnt-by:         TELIANET-LIR
mnt-ref:        TELIANET-LIR
source:         RIPE # Filtered

person:          Roann Pacewicz
address:         Akamai International IV
address:         8 Cambridge Center
address:         02140 Cambridge, MA
address:         US
phone:           +6174442828
nic-hdl:         RP8999-RIPE
mnt-by:          TELIANET-LIR
source:          RIPE # Filtered

% Information related to '80.239.160.0/19AS1299'

route:          80.239.160.0/19
descr:          TELIANET-BLK
remarks:        Abuse issues should be reported
remarks:        to abuse@telia.com
origin:         AS1299
mnt-by:         TELIANET-RR
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.8.13 (WHOIS2)

geo@fermat:~$

If your ISP is not Telia but some other network operator, you are likely to see different IP ranges used by Akamai.

What is important here is that they can dynamically change the range of IPs used for their spider activities!

One thing is clear: this is a huge network spider spread across more than 70 countries.

Google, whose founders have the same roots as Lewin, is also involved in these USA/Israel government spying activities:
according to the Intellipedia article on Wikipedia, Google servers and software enable the US spy agencies CIA and NGA to integrate social networks into their agents' daily work habits.

Who are their customers? First and foremost, multimedia sites (Apple iTunes, Sony), social networks (Facebook, Twitter, LinkedIn, etc.), global news providers like BBC and Yahoo, governments (US Department of Defense, etc.).
But as we noticed, small ISPs/hosting providers are also targeted.

What does it mean for you?

Each and every time you connect to your public-domain email, pay bills via your Internet bank(!), comment on social networks, do some sort of download (iTunes, BitTorrent files, etc.), they want to know about it!

"Big bro" is really working hard to monitor each and every move you make on the Internet.

3. What can be done?

Well, let's see. Linux has a packet filtering and Network Address Translation tool called iptables.

It is a user-space tool that works together with the Linux kernel modules ip_tables and iptable_filter developed by the Netfilter Core Team. Let's use them!


 # Run as root. INPUT rules match the remote range as the packet's source (-s).
 # OUTPUT rules must match it as the destination (-d): a packet leaving this
 # machine carries our own address as its source, so "-A OUTPUT -s <range>"
 # would never match anything.

 #Akamai Italy
 iptables -A INPUT -s 88.221.144.0/21 -j DROP
 iptables -A OUTPUT -d 88.221.144.0/21 -j DROP

 #GarchingBeiMunchen,DE
 iptables -A INPUT -s 88.221.208.0/24 -j DROP

 #Krakow,PL
 iptables -A INPUT -s 88.221.209.0/24 -j DROP

 iptables -A INPUT -s 95.101.132.0/22 -j DROP
 iptables -A INPUT -s 2.16.0.0/13 -j DROP
 iptables -A INPUT -s 2.20.72.0/22 -j DROP
 iptables -A INPUT -s 2.23.144.0/20 -j DROP
 iptables -A INPUT -s 23.0.0.0/12 -j DROP
 iptables -A INPUT -s 23.32.0.0/11 -j DROP
 iptables -A INPUT -s 23.64.0.0/14 -j DROP
 iptables -A INPUT -s 60.254.128.0/18 -j DROP
 iptables -A INPUT -s 62.115.0.0/16 -j DROP
 iptables -A INPUT -s 72.246.0.0/15 -j DROP
 iptables -A INPUT -s 80.239.128.0/19 -j DROP
 iptables -A INPUT -s 80.239.160.0/19 -j DROP
 iptables -A INPUT -s 80.239.192.0/19 -j DROP
 iptables -A INPUT -s 80.239.224.0/19 -j DROP
 iptables -A INPUT -s 84.53.168.0/22 -j DROP
 iptables -A INPUT -s 88.221.176.0/21 -j DROP
 iptables -A INPUT -s 96.6.0.0/15 -j DROP
 iptables -A INPUT -s 96.16.0.0/15 -j DROP
 iptables -A INPUT -s 217.208.0.0/13 -j DROP

 #Google: block both directions (see the INPUT/OUTPUT explanation below)
 iptables -A INPUT -s 74.125.0.0/16 -j DROP
 iptables -A OUTPUT -d 74.125.0.0/16 -j DROP
 iptables -A INPUT -s 173.194.0.0/16 -j DROP
 iptables -A OUTPUT -d 173.194.0.0/16 -j DROP
 iptables -A INPUT -s 209.85.128.0/17 -j DROP
 iptables -A OUTPUT -d 209.85.128.0/17 -j DROP

 iptables -A INPUT -s 136.32.0.0/11 -j DROP
 iptables -A INPUT -s 104.64.0.0/10 -j DROP

 #Microsoft
 iptables -A INPUT -s 70.37.128.0/18 -j DROP
 iptables -A INPUT -s 70.37.0.0/17 -j DROP

 iptables -A INPUT -s 52.112.0.0/14 -j DROP
 iptables -A INPUT -s 52.96.0.0/12 -j DROP
 iptables -A INPUT -s 13.96.0.0/13 -j DROP
 iptables -A INPUT -s 13.104.0.0/14 -j DROP

 iptables -A INPUT -s 23.96.0.0/13 -j DROP

 iptables -A INPUT -s 40.74.0.0/15 -j DROP
 iptables -A INPUT -s 40.76.0.0/14 -j DROP
 iptables -A INPUT -s 40.80.0.0/12 -j DROP
 iptables -A INPUT -s 40.96.0.0/12 -j DROP
 iptables -A INPUT -s 40.112.0.0/13 -j DROP
 iptables -A INPUT -s 40.120.0.0/14 -j DROP

 iptables -A INPUT -s 52.145.0.0/16 -j DROP
 iptables -A INPUT -s 52.146.0.0/15 -j DROP
 iptables -A INPUT -s 52.148.0.0/14 -j DROP
 iptables -A INPUT -s 52.152.0.0/13 -j DROP
 iptables -A INPUT -s 52.160.0.0/11 -j DROP
 iptables -A INPUT -s 52.224.0.0/11 -j DROP

 iptables -A INPUT -s 104.40.0.0/13 -j DROP

 iptables -A INPUT -s 131.107.0.0/16 -j DROP
 iptables -A INPUT -s 131.253.21.0/24 -j DROP
 iptables -A INPUT -s 131.253.22.0/23 -j DROP
 iptables -A INPUT -s 131.253.24.0/21 -j DROP
 iptables -A INPUT -s 131.253.32.0/20 -j DROP

 iptables -A INPUT -s 167.220.0.0/17 -j DROP
 iptables -A INPUT -s 167.220.128.0/18 -j DROP
 iptables -A INPUT -s 167.220.192.0/19 -j DROP

 iptables -A INPUT -s 168.61.0.0/16 -j DROP
 iptables -A INPUT -s 168.62.0.0/15 -j DROP

 iptables -A INPUT -s 207.46.0.0/16 -j DROP

 #AMAZON-2011L hacking network
 iptables -A INPUT -s 54.224.0.0/12 -j DROP
 iptables -A OUTPUT -d 54.224.0.0/12 -j DROP

 #AKAMAI on Tele2/SE
 iptables -A INPUT -s 212.247.20.0/25 -j DROP

 #Verisign
 iptables -A INPUT -s 72.13.32.0/19 -j DROP
 iptables -A INPUT -s 69.58.176.0/20 -j DROP

 # iptables-save only prints the current rule set to stdout; redirect it to a
 # file if you want to restore it later. iptables -L lists the active rules.
 iptables-save
 iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  ec2-54-224-0-0.compute-1.amazonaws.com/12  anywhere               
DROP       all  --  2.16.0.0/13          anywhere            
DROP       all  --  2.23.144.0/20        anywhere
DROP       all  --  a23-0-0-0.deploy.akamaitechnologies.com/12  anywhere        
DROP       all  --  a23-32-0-0.deploy.akamaitechnologies.com/11  anywhere            
DROP       all  --  a23-64-0-0.deploy.akamaitechnologies.com/14  anywhere
DROP       all  --  62.115.0.0/16      anywhere
DROP       all  --  a72-246-0-0.deploy.akamaitechnologies.com/15  anywhere
DROP       all  --  80.239.128.0/19      anywhere
DROP       all  --  80.239.160.0/19      anywhere
DROP       all  --  80.239.192.0/19      anywhere
DROP       all  --  80-239-224-0.customer.teliacarrier.com/19  anywhere
DROP       all  --  84.53.168.0/22       anywhere
DROP       all  --  a88-221-176-0.deploy.akamaitechnologies.com/21  anywhere
DROP       all  --  a96-6-0-0.deploy.akamaitechnologies.com/15  anywhere
DROP       all  --  a96-16-0-0.deploy.akamaitechnologies.com/15  anywhere            
DROP       all  --  217.208.0.0/13       anywhere
DROP       all  --  any-in-0000.1e100.net/16       anywhere         
DROP       all  --  173.194.0.0/16       anywhere 
DROP       all  --  209.85.128.0/17       anywhere
DROP       all  --  a104-64-0-0.deploy.static.akamaitechnologies.com/10  anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  ec2-54-224-0-0.compute-1.amazonaws.com/12  anywhere
DROP       all  --  host0.mhp-fo.brn1.verisign.com/19  anywhere
DROP       all  --  any-in-0000.1e100.net/16       anywhere
DROP       all  --  173.194.0.0/16       anywhere
DROP       all  --  209.85.128.0/17       anywhere
#
Essentially I added (-A) new rules which instruct those two kernel modules to drop (-j DROP) all packets that originate from the IP ranges given in CIDR notation (e.g. 96.16.0.0/15), plus OUTPUT rules for packets leaving the machine towards the same ranges. You need to be root (#) on the machine to be able to do that.

Why do I need two rules (for the INPUT and OUTPUT chains) in the case of Google (74.125.0.0/16, 173.194.0.0/16 and 209.85.128.0/17)?

Very good question!

Android software is designed in such a way that when you stop some service using "Manage applications" or "Running services" it only stops the corresponding Java application (Activity), but the Linux process is still running!
The only reliable way to remove an application is by "rooting" the device.

The Calendar application (com.htc.bgp), Facebook, and "Google Services" are prime examples: you stop Calendar as well as "Calendar Storage" and "Calendar Widget", clearing all data, and it disappears from "Running applications". Then you start your browser (either on the droid device or on a Linux notebook using the droid as a modem) and after a second or two you see that it appears again among "Running services"!
More on why the Android Calendar connects to Google IP ranges here.

A list of other active members (with IP ranges and basic methods of fighting them!) of the Bolsheviks International CRIMINAL GANG is available on the web page "Catch Amazon Hacker!" of this site.

Exposing their dirty criminal activities to the general public (as well as to the Police force in democratic countries!) is one of the BEST methods of keeping the Bolsheviks VIRUS under control!

So if you suspect that there is a Google device or Akamai "spider-ware" installed on your network behind the iptables firewall, it might be a good idea to add a matching OUTPUT rule (matching the range as destination, -d) for EVERY iptables INPUT rule, to make sure that they will not be able to send packets from your network to their IP addresses.

To avoid entering all those iptables rules after each reboot you can add them (without iptables -L) to the end of the file /etc/init.d/networking on Debian (and some of its derivatives like Mint, Xandros, etc.), right before the "exit 0" line. As a result you should see those lines appearing during Linux boot.

Ubuntu (a popular clone of Debian) has a solution of its own, ufw or Uncomplicated FireWall, which is also easy to use.

FreeBSD (and its commercial overpriced clone Mac OS X) has a similar solution called ipfirewall.

To monitor your connections you have to install the net-tools package (on Debian); netstat is part of it and can be used from a regular user account.

4. After blocking Akamai and Google:

Let's see what results we get after adding new rules in iptables.

Connecting to LinkedIn:

$ netstat -tapecn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp        0      0 192.168.42.116:48645    199.7.50.72:80          TIME_WAIT   0          0           -               
tcp        0      1 192.168.42.116:40927    2.23.145.244:443        SYN_SENT    1000       153731      2522/firefox    
tcp        0      1 192.168.42.116:40928    2.23.145.244:443        SYN_SENT    1000       153799      2522/firefox    
tcp        0      1 192.168.42.116:40926    2.23.145.244:443        SYN_SENT    1000       153730      2522/firefox    
tcp        0      1 192.168.42.116:40924    2.23.145.244:443        SYN_SENT    1000       153726      2522/firefox    
tcp        0      1 192.168.42.116:40925    2.23.145.244:443        SYN_SENT    1000       153727      2522/firefox    
tcp        0      1 192.168.42.116:40932    2.23.145.244:443        SYN_SENT    1000       153803      2522/firefox    
tcp        0      1 192.168.42.116:40931    2.23.145.244:443        SYN_SENT    1000       153802      2522/firefox    
tcp        0      1 192.168.42.116:40923    2.23.145.244:443        SYN_SENT    1000       153725      2522/firefox    
tcp        0      1 192.168.42.116:40930    2.23.145.244:443        SYN_SENT    1000       153801      2522/firefox    
tcp        0      1 192.168.42.116:40929    2.23.145.244:443        SYN_SENT    1000       153800      2522/firefox    
tcp        0      0 192.168.42.116:39822    216.52.242.80:443       ESTABLISHED 1000       151724      2522/firefox    
^C
$ 

Connecting to Yahoo mail:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp      907      0 192.168.42.116:35069    217.12.8.31:443         ESTABLISHED 1000       66935       2328/firefox    
tcp        0      1 192.168.42.116:15352    2.23.141.227:443        SYN_SENT    1000       66836       2328/firefox    
tcp        0      1 192.168.42.116:15356    2.23.141.227:443        SYN_SENT    1000       66840       2328/firefox    
tcp        0      1 192.168.42.116:15362    2.23.141.227:443        SYN_SENT    1000       66934       2328/firefox    
tcp        0      1 192.168.42.116:15358    2.23.141.227:443        SYN_SENT    1000       66930       2328/firefox    
tcp        0      1 192.168.42.116:15354    2.23.141.227:443        SYN_SENT    1000       66838       2328/firefox    
tcp        0      1 192.168.42.116:15360    2.23.141.227:443        SYN_SENT    1000       66932       2328/firefox    
tcp        0      1 192.168.42.116:15361    2.23.141.227:443        SYN_SENT    1000       66933       2328/firefox    
tcp        0      1 192.168.42.116:15355    2.23.141.227:443        SYN_SENT    1000       66839       2328/firefox    
tcp        0      1 192.168.42.116:15353    2.23.141.227:443        SYN_SENT    1000       66837       2328/firefox    
tcp        0      1 192.168.42.116:15359    2.23.141.227:443        SYN_SENT    1000       66931       2328/firefox    
^C
$

Connecting to ISP (Surftown):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp        0      1 192.168.42.116:57757    2.23.141.227:443        SYN_SENT    1000       143480      2522/firefox    
tcp        0      0 192.168.42.116:2860     212.97.132.34:443       ESTABLISHED 1000       142695      2522/firefox    
tcp        0      0 192.168.42.116:36685    213.150.61.61:443       ESTABLISHED 1000       143452      2522/firefox    
tcp      145      0 192.168.42.116:2865     212.97.132.34:443       ESTABLISHED 1000       143479      2522/firefox    
tcp        0      1 192.168.42.116:57754    2.23.141.227:443        SYN_SENT    1000       143453      2522/firefox    
tcp        0      0 192.168.42.116:2861     212.97.132.34:443       ESTABLISHED 1000       143397      2522/firefox    
tcp     3292      0 192.168.42.116:36687    213.150.61.61:443       ESTABLISHED 1000       143478      2522/firefox    
^C
geo@fermat:~$

SYN_SENT means that the first step of establishing a TCP connection, sending the SYN (synchronize) packet, has been taken, but since the SYN-ACK reply coming back from those addresses is dropped by our INPUT rules instead of being ACK-nowledged, the handshake never completes and no connection is established.

Now you can block any unwanted visitor (like Facebook) from accessing your box!
To (temporarily) remove an existing rule from iptables simply replace -A with -D (delete).

But first and foremost you have to monitor your connections using netstat or a more advanced packet inspection tool like tcpdump, because they have a huge pool of IP addresses and can switch between them at any time!
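Putting the CIDR arithmetic from section 2 and the netstat monitoring advice above into code, here is an added Python example (not from the original post) that parses netstat -tapecn output in the layout shown on this page, attributes every peer to the CIDR blocks taken from the whois output and the iptables rules above, computes block sizes, and tallies connection states so that a pile of SYN_SENT entries towards a blocked range stands out. The block labels and the sample netstat lines are constructed for the demonstration.

```python
"""Attribute netstat peers to known CIDR blocks and tally their TCP states."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Prefixes copied from the whois output and iptables rules on this page;
# the short labels are ours.
KNOWN_BLOCKS: Dict[str, str] = {
    "2.16.0.0/13": "Akamai Technologies (AS31377 route)",
    "2.23.144.0/20": "Akamai Technologies (AS16625 route)",
    "80.239.160.0/19": "Akamai International BV via TeliaNet",
    "80.239.224.0/19": "Akamai on TeliaSonera",
    "23.32.0.0/11": "Akamai",
    "173.194.0.0/16": "Google",
}

# One `netstat -tapecn` data line: proto, queues, local, foreign, state.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)"
)

# Constructed sample in the same layout as the netstat listings above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          5872        1665/exim4
tcp        0      0 192.168.42.14:62570     216.52.242.80:443       ESTABLISHED 1000       532490      2310/firefox
tcp        0      1 192.168.42.14:11287     2.23.145.244:443        SYN_SENT    1000       533061      2310/firefox
tcp        0      1 192.168.42.14:11288     2.23.145.244:443        SYN_SENT    1000       533062      2310/firefox
tcp        0      0 192.168.42.14:48286     173.194.32.48:80        TIME_WAIT   0          0           -
tcp        0      0 192.168.42.14:16315     80.239.254.97:80        TIME_WAIT   0          0           -
"""


def host_count(cidr: str) -> int:
    """Addresses in a block: 2 ** (32 - prefix) for IPv4, e.g. /13 -> 524288."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def classify(ip: str) -> Optional[str]:
    """Label of the most specific known block containing ip, or None.

    2.23.145.244 sits in both 2.16.0.0/13 and 2.23.144.0/20; the longer
    prefix wins, just as it does in routing.
    """
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, label in KNOWN_BLOCKS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, label)
    return best[1] if best else None


def parse_netstat(text: str) -> List[dict]:
    """Extract peer IP, port, state and owner for every TCP socket with a peer."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner, header or a non-TCP line
        foreign = m.group("foreign")
        if foreign.endswith(":*"):
            continue  # LISTEN socket, no peer yet
        ip, _, port = foreign.rpartition(":")  # rpartition also copes with IPv6
        rows.append({
            "ip": ip,
            "port": int(port),
            "state": m.group("state"),
            "owner": classify(ip),
        })
    return rows


def summarize(rows: List[dict]) -> Counter:
    """Count (owner, state) pairs; many SYN_SENT to one owner means a DROP rule is biting."""
    tally: Counter = Counter()
    for r in rows:
        tally[(r["owner"] or "unknown", r["state"])] += 1
    return tally


def stuck_peers(rows: List[dict]) -> List[str]:
    """Peers in a known block whose handshake never completed (the SYN_SENT case above)."""
    return sorted({r["ip"] for r in rows if r["owner"] and r["state"] == "SYN_SENT"})


if __name__ == "__main__":
    for cidr in ("2.16.0.0/13", "80.239.224.0/19", "23.32.0.0/11"):
        print(f"{cidr:>16}  {host_count(cidr):>9} addresses")
    rows = parse_netstat(SAMPLE_NETSTAT)
    for (owner, state), n in sorted(summarize(rows).items()):
        print(f"{n:3}  {state:<12} {owner}")
    print("blocked peers still being tried:", stuck_peers(rows))
```

On a live box, pipe `netstat -tapecn` (or a single `netstat -tapen` snapshot) into parse_netstat instead of the constructed sample; a peer that appears under several KNOWN_BLOCKS labels over time is exactly the address switching the text warns about.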

5. What else?

Well, if you are a geek or a top embedded systems professional capable of cross-compiling, installing and tuning packages like iptables for Droids (very few IT people I know personally can claim that), you possibly do not have to read this.

For the rest of humanity here are a few recommendations:

  1. Stop using mobile devices with browsers (Droids, iPhones, tablets, etc.). It is impossible to manage your connections and data security (SIM/SD) from such devices without a notebook.

  2. Get yourself a regular inexpensive phone *without a browser*. There are some models still on the market with camera, Java (Sun Microsystems' original J2ME) and radio.

  3. Avoid sites/operators involved with the Akamai "spider-network". Do browsing only from a secured/tuned notebook/desktop or from public computers.

  4. Move to Linux or Free/NetBSD. Stop buying/using *that* ugly operating system pre-installed on every notebook because of corruption, not because of its quality. Unix/Linux may take some time to master (learning curve), but the benefits of Unix/Open Source systems are HUGE: security, flexibility, high speed, low cost, fun.
    Do not allow THEM to dictate which OS should run on YOUR notebook!

  5. Avoid Google services, APIs, devices. They have already tried many times (see my Blog for details) to hack into my site, but the USA police (does it exist?) has done nothing so far to stop the criminal activities of cyber Bolsheviks (esp. from Microsoft & Google).

    The most recent attempts came on 2 October 2018 from IP 35.229.249.135, on 12 March 2017 from IP 52.168.175.163 (hiding as Googlebot/2.1!) and on 14 July 2018 (13.92.229.58, Microsoft, and 2.20.73.35, Akamai EU). I simply cannot waste my time adding more info from log files about their idiotic/criminal hacking into European web sites.

    In many cases Bolshevik hackers from the USA use their European, Indian and Japanese affiliates for attacks.

    Cogentco/PSINet (149.14.125.50), 1&1 Internet (108.175.11.230), Contabo GmbH (213.136.89.100), GoDaddy.com (198.12.152.136), Linode (173.230.149.246), Amazon Technologies (54.93.71.192), to name just a few of the MOST active in hacking European sites!

    It appears that the Bolsheviks who jumped over to the United States in the early 1970s have already turned the USA into USSR2, with MS Windows playing the role of the CPSU (Communist Party of the Soviet Union).

    As you know, it has become IMPOSSIBLE to buy a new PC without MS Windows installed on it!
    All this in spite of the fact that to test PC hardware ANY Linux distribution CD should be enough: you just insert a Linux live CD into the PC drive and select "Check Hardware" before installing your favorite OS brand/version!

    Yet they want us to wait and watch the ANECDOTAL message "Please do not turn computer off, Windows is configuring..." for many minutes!

    READ THE LATEST NEWS on Google Android Calendar and FACEBOOK "practices", playing the role of "information gathering" tools of the North American Politburo.

    The Virus of Bolshevism is spreading faster than the efforts to clean up its disastrous results: Marx, Engels, Lenin, Sverdlov and Bolsheviks streets in EVERY town in Russia, and their Cheka butchers are still sitting in the Kremlin.

    WHY should Europeans report ALL their banking (and other) activities to USA/Israel spy agencies??? And WHY should taxpayers' money be wasted on supporting the SLOWEST and most dangerous "black box" OS ("can of worms", to use S. Jobs' term) on this planet?

    Maybe it is better to invest in Open Source, COMMUNITY driven, reliable and speedy software development? Apple's success with the Open Source driven WebKit browser engine as well as FreeBSD clearly confirms the validity of the idea!

    The European Commission should recommend that ALL public sector organizations/communes in Europe follow the example of Muenchen and Valencia and make the transition to Linux and Open Source Office products, saving Millions of taxpayer money! This should also increase the security of European networks.

    Also, the European Commission should PROHIBIT European banks from using USA/Israel spy networks. Such measures should also increase the speed of European networks, considerably slowed by those spy networks and *.googleapis.com, google-analytics.com, doubleclick.net.

    If you must use the Java/Linux platform (e.g. you are a developer), root your device right after unpacking it and remove Droid Calendar, Google Services, Gmail, Facebook, and the rest of that "spider-ware"; use Open Source code of Android like CyanogenMod and other companies developing on the Java/Linux platform. If you do not like their "noisy" advertising, you may click "Report this ad" and then select "Irrelevant" or "Inappropriate".

    Police forces in EU countries urgently need to enhance their capability to fight Internet criminals!


  6. Read books like these: "Dog's Heart" by M. Bulgakov and "We" by Y. Zamiatin, who knew what the Bolsheviks were/ARE all about.

  7. Get wise, go to church!

P.S. After changing my SIM card from Telia to Telenor I was pleasantly surprised that Akamai's presence in the netstat output became far less noticeable. Which essentially confirms a basic fact most hackers and IT security professionals know: to be able to do "sniffing", "session hijacking" and other things one must first get access to the target network.

By selling IP ranges to USA/Israel spy networks, operators like Telia and Tele2 basically "sell" their customers' privacy and security. Which will NOT go unnoticed!

Copyright 2018 George Yury Matveev All rights reserved.