
Re: blocking kazaa

On Mon, 7 Apr 2003 trishl@platform.co.za wrote:

> how would you deal with blocking client side applications that masquerade
> as other types of traffic? Such as clients that connect to remote hosts on
> ports like 80, 22, 53, etc that your site allows out as legitimate traffic.

Not without parsing packet contents, AFAIK.
I do it with a daemonized ngrep writing to a file and some scripts.
Somewhere in the beginning of a session you will see something like this
in the first 30 bytes of a packet:

| U 2003/04/05 10:48:20.483951 -> 10.x.y.z:2949
|   (...).6..'.KaZaA.
| U 2003/04/05 10:48:20.572957 -> 10.x.y.z:2949
|   (...).6..=.KaZaA.
| U 2003/04/05 10:48:20.945085 -> 10.x.y.z:2949
|   (...).6..#.KaZaA.
| U 2003/04/05 10:52:17.998809 10.x.y.z:2949 ->
|   '...).KaZaA.
| U 2003/04/05 10:52:18.139214 -> 10.x.y.z:2949
|   (...).6....KaZaA.

When you detect that, block that ip with:

  # route add -host $IP reject

or this iproute2 alternative:

  # ip route {add|del} {unreachable|prohibit|blackhole} $IP/32

There are some other, funkier packets that identify that type of thing, like:

| T 2003/04/05 10:44:05.082457 -> 10.x.y.z:1184 [AP]
|   HTTP/1.0 503 Service Unavailable.Retry-After: 300..X-Kazaa-Username: hscgog
|   o..X-Kazaa-Network: KaZaA..X-Kazaa-IP:
|   IP:

Note the "X-Kazaa-Username:", "X-Kazaa-Network:", "X-Kazaa-IP:",
"X-Kazaa-SupernodeIP:". Those ip-addresses are also good candidates.

Kazaa is just one of them. What about 'direct connect', 'gnutella', and
all the other bandwidth-wasting methods?

You may find some more info here:


You could do it painfully slow for them, without blocking, by using
traffic-shaping or throttling.

Good luck,

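The detection described in the post, as an added worked example that is not part of the original message or of ngrep itself: a small Python parser that reads ngrep-style output (the `U/T timestamp src:port -> dst:port` header line followed by indented payload lines), flags packets carrying the `KaZaA` signature in the first 30 bytes or `X-Kazaa-*` headers, and collects the non-local endpoints plus any `X-Kazaa-IP` / `X-Kazaa-SupernodeIP` values as candidates for the `route` / `ip route` blocks shown above. The sample capture, the addresses in it and the `LOCAL_NETS` list are constructed for this example; the original post's capture had its source addresses stripped.

```python
import re
from ipaddress import ip_address, ip_network

# Networks treated as "ours"; the other endpoint of a flagged packet is the
# candidate to block. Constructed assumption, adjust to the site's address space.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# Constructed ngrep-style output (addresses are documentation ranges, not real peers).
SAMPLE = """\
U 2003/04/05 10:48:20.483951 192.0.2.10:1214 -> 10.1.2.3:2949
  (...).6..'.KaZaA.
U 2003/04/05 10:48:20.572957 198.51.100.7:1214 -> 10.1.2.3:2949
  (...).6..=.KaZaA.
T 2003/04/05 10:44:05.082457 203.0.113.9:80 -> 10.1.2.3:1184 [AP]
  HTTP/1.0 503 Service Unavailable.Retry-After: 300..X-Kazaa-Username: hscgog
  o..X-Kazaa-Network: KaZaA..X-Kazaa-IP: 203.0.113.9..X-Kazaa-SupernodeIP: 203.0.113.44..
T 2003/04/05 10:45:00.000000 10.1.2.3:3456 -> 198.51.100.200:80 [AP]
  GET / HTTP/1.0..Host: example.com..
"""

# One ngrep header line: proto, timestamp, src:port -> dst:port [tcp flags]
HEADER_RE = re.compile(
    r"^([UT]) (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)"
)
# Kazaa HTTP headers that carry peer / supernode addresses
HDR_IP_RE = re.compile(r"X-Kazaa-(?:Supernode)?IP:\s*(\d+\.\d+\.\d+\.\d+)")


def parse_ngrep(text):
    """Group ngrep output into records: proto, ts, src, dst and joined payload."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if cur:
                records.append(cur)
            proto, ts, sip, _sport, dip, _dport = m.groups()
            cur = {"proto": proto, "ts": ts, "src": sip, "dst": dip, "payload": ""}
        elif cur is not None and line.startswith("  "):
            cur["payload"] += line[2:]          # ngrep indents payload by two spaces
    if cur:
        records.append(cur)
    return records


def is_kazaa(rec):
    """Signature from the post: 'KaZaA' within the first 30 bytes, or X-Kazaa-* headers."""
    p = rec["payload"]
    return "KaZaA" in p[:30] or "X-Kazaa-" in p


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def candidate_ips(text):
    """Remote endpoints of flagged packets plus addresses advertised in Kazaa headers."""
    cands = set()
    for rec in parse_ngrep(text):
        if not is_kazaa(rec):
            continue
        for ip in (rec["src"], rec["dst"]):
            if not is_local(ip):
                cands.add(ip)
        cands.update(HDR_IP_RE.findall(rec["payload"]))
    return sorted(cands, key=ip_address)


def block_commands(ips, style="route"):
    """Render the two blocking forms from the post for each candidate address."""
    if style == "route":
        return [f"route add -host {ip} reject" for ip in ips]
    return [f"ip route add blackhole {ip}/32" for ip in ips]


if __name__ == "__main__":
    for cmd in block_commands(candidate_ips(SAMPLE)):
        print(cmd)
```

The plain HTTP fetch in the sample is left alone because the signature is only checked in the first 30 bytes and the `X-Kazaa-` headers are absent; the check on payload position is what keeps an ordinary web page that merely mentions the word from being flagged. Run against a live `ngrep -q -d eth0 'kazaa' | tee kazaa.log` style file the same way.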