Re: blocking kazaa
On Mon, 7 Apr 2003 trishl@platform.co.za wrote:
> how would you deal with blocking client side applications that masquerade
> as other types of traffic? Such as clients that connect to remote hosts on
> ports like 80, 22, 53, etc that your site allows out as legitimate traffic.
Not without parsing packet contents, AFAIK.
I do it with a daemonized ngrep writing to a file and some scripts.
Somewhere in the beginning of a session you will see something like this
in the first 30 bytes of a packet:
,----
| U 2003/04/05 10:48:20.483951 24.185.207.209:2407 -> 10.x.y.z:2949
| (...).6..'.KaZaA.
|
| U 2003/04/05 10:48:20.572957 24.141.10.3:3769 -> 10.x.y.z:2949
| (...).6..=.KaZaA.
|
| U 2003/04/05 10:48:20.945085 68.32.55.2:1984 -> 10.x.y.z:2949
| (...).6..#.KaZaA.
|
| U 2003/04/05 10:52:17.998809 10.x.y.z:2949 -> 24.99.63.86:2431
| '...).KaZaA.
|
| U 2003/04/05 10:52:18.139214 149.159.82.29:1122 -> 10.x.y.z:2949
| (...).6....KaZaA.
`----
When you detect that, block that ip with:
# route add -host $IP reject
or this iproute2 alternative:
# ip route {add|del} {unreachable|prohibit|blackhole} $IP/32
There are some other, funkier packets that identify that type of thing, like:
,----
| T 2003/04/05 10:44:05.082457 211.209.0.60:2455 -> 10.x.y.z:1184 [AP]
| HTTP/1.0 503 Service Unavailable.Retry-After: 300..X-Kazaa-Username: hscgog
| o..X-Kazaa-Network: KaZaA..X-Kazaa-IP: 211.209.0.60:2455..X-Kazaa-Supernode
| IP: 211.186.74.91:1439...
`----
Note the "X-Kazaa-Username:", "X-Kazaa-Network:", "X-Kazaa-IP:",
"X-Kazaa-SupernodeIP:". Those IP addresses are also good candidates.
Kazaa is just one of them. What about 'direct connect', 'gnutella', and
all the other bandwidth-wasting methods?
You may find some more info here:
http://www.ncmag.com/2001_09/pdf91/gnutella91.pdf
http://www.efarm-project.net/data/docs/Protocol_v1.0.pdf
You could do it painfully slow for them, without blocking, by using
traffic-shaping or throttling.
Good luck,
Cristian
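The workflow Cristian describes above (ngrep output scanned for the "KaZaA" marker and the X-Kazaa-* headers, then a reject/blackhole route for the remote peer) as an added Python example; this is not code from the original thread. It assumes 10.0.0.0/8 is the site's internal range, uses constructed ngrep-style records with documentation addresses, and renders the route commands as strings rather than running them.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the site's internal range (the "10.x.y.z" side in the post).
LOCAL_NET = ip_network("10.0.0.0/8")

# ngrep header line: "<U|T> <date> <time> <src_ip>:<port> -> <dst_ip>:<port> [flags]"
HEADER_RE = re.compile(r"^([UT]) (\S+ \S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
# Peer addresses advertised in the 503 response headers the post shows.
KAZAA_HDR_RE = re.compile(r"X-Kazaa-(?:IP|SupernodeIP):\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample in ngrep's print format; non-printable bytes appear as '.'.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NGREP = """\
U 2003/04/05 10:48:20.483951 198.51.100.7:2407 -> 10.1.2.3:2949
(...).6..'.KaZaA.

U 2003/04/05 10:52:17.998809 10.1.2.3:2949 -> 203.0.113.86:2431
'...).KaZaA.

T 2003/04/05 10:44:05.082457 203.0.113.60:2455 -> 10.1.2.3:1184 [AP]
HTTP/1.0 503 Service Unavailable.Retry-After: 300..X-Kazaa-Username: someone
..X-Kazaa-Network: KaZaA..X-Kazaa-IP: 203.0.113.60:2455..X-Kazaa-Supernode
IP: 203.0.113.91:1439...

U 2003/04/05 10:55:00.000000 198.51.100.9:53 -> 10.1.2.3:53
ordinary dns payload.....
"""


def parse_ngrep(text):
    """Split ngrep output into (proto, src_ip, dst_ip, payload) tuples.

    Payload lines of one record are joined without a separator, so a header
    ngrep wrapped across lines ("X-Kazaa-Supernode" / "IP:") is rejoined.
    """
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                records.append(tuple(current))
            current = [m.group(1), m.group(3), m.group(5), ""]
        elif current is not None and line.strip():
            current[3] += line
    if current is not None:
        records.append(tuple(current))
    return records


def is_local(ip):
    return ip_address(ip) in LOCAL_NET


def find_kazaa_peers(text):
    """Return the sorted list of remote IPs seen in KaZaA-marked packets."""
    peers = set()
    for _proto, src, dst, payload in parse_ngrep(text):
        if "kazaa" not in payload.lower():
            continue  # ordinary traffic on the same ports is left alone
        # The non-local endpoint of the flow is the peer to block.
        for ip in (src, dst):
            if not is_local(ip):
                peers.add(ip)
        # Peers advertised in X-Kazaa-IP / X-Kazaa-SupernodeIP headers.
        peers.update(KAZAA_HDR_RE.findall(payload))
    return sorted(peers, key=ip_address)


def block_commands(ips, iproute2=True):
    """Render the block commands from the post; returned as strings, not run."""
    if iproute2:
        return [f"ip route add blackhole {ip}/32" for ip in ips]
    return [f"route add -host {ip} reject" for ip in ips]


if __name__ == "__main__":
    for cmd in block_commands(find_kazaa_peers(SAMPLE_NGREP)):
        print(cmd)
```

Run against a live ngrep log instead of the constructed sample by feeding the file contents to `find_kazaa_peers`; the commands can then be reviewed before being applied, which is the check a daemonized setup like the one described should keep in the loop.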