[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: KaZaA/Morpheus and other file sharing

On Mon, 2001-10-15 at 02:42, Adam Lydick wrote:
> On Sun, Oct 14, 2001 at 02:41:57PM +0200, Christian Wendt wrote:
> > I think about the most "intelligent" way to filter all those out would
> > be protocoll matching...
> > 
> > with iptables it's possible to search packets for strings... (not in the
> > kernel, needs patch-o-matic) (I'd advice to only search in SYN
> > packets... could be CPU Hog)
> I've never seen a SYN packet that contained data, and it was my understanding
> that they generally (always?) do not. Correct me if I am mistaken.
Yes, you're right... - that does create other flaws, as well as i
> Also, this will be defeated by encrypted protocols -- if users start to tunnel
> through SSL, you don't get to see any of the protocol, and cannot perform
> matching.

> > (Gnutella seems to use "GNUTELLA CONNECT/0.4", e.g.)
> That would work for existing protocols, but doesn't help vs. newer and more
> cleverly hidden protocols. As soon as you start blocking in this manner,
> P2P apps will adapt as needed.
yeah, same with the port-blocking featured in the other posts...
- would be defeated by ssl or altering client 
it would not be defeated by altering port or random-port in client.

Also, as you corrected me about my failure with SYN - it would block
legitimate traffic... e.g. any email containing the string "GNUTELLA
CONNECT/0.4" - in the worst case only a single packet out of a bigger
stream, leading to retransmissions that 'll never suceed... 
No Good that way. Definite 'bad'.

best thing to do: Educate users?

+no-incoming-connection-(on-ports)    - so one wouldnt be able to offer
files to other firewalled users...

> -- Adam Lydick
 Christian Wendt

Reply to: