RE: [fw-wiz] Blocking Yahoo IM

From: Frank Darden (fdarden@locked.com)
Date: 11/21/02


From: "Frank Darden" <fdarden@locked.com>
To: <kadokev@msg.net>, "Kowsik Guruswamy" <kowsik@doublek.net>
Date: Thu Nov 21 20:33:01 2002

I have found that Network based IDS systems that allow free form
expression signatures are the easiest way to block these sorts of rogue
protocols. In the case of Yahoo messenger, do a sniff on the
conversation. You'll find that there are unique signatures for the
packets in these conversations (I can't remember off the top of my head;
I think it's 2nd offset, 2a02). At any rate, you can use NIDS to send
RSTs when it sees the unique signature on the packets, thus breaking
the IM session. Sorry if this is cryptic, and hopefully this will help
steer you in the right direction.

Frank

=======================================
Frank Darden
Chief Technology Officer
Mission Critical Systems
3320 NW 53rd St. Suite 202
Fort Lauderdale, FL 33309
Phone (954)766-2550 x203
Fax (954)766-2580
AIM/MSN FishinCritical
=======================================

-----Original Message-----
From: kadokev@msg.net [mailto:kadokev@msg.net]
Sent: Thursday, November 21, 2002 2:34 AM
To: Kowsik Guruswamy
Cc: firewall-wizards@nfr.net
Subject: Re: [fw-wiz] Blocking Yahoo IM

AIM is still the hands-down winner for getting past firewalls by
tunnelling in all sorts of different protocols (their FTP tricks are
particularly interesting), but Yahoo! gets an honorable mention for their
ugly implementation of HTTP 'polling' for IM, and the ugly attempts the
client uses to tunnel their proprietary YMSG protocol through SMTP.

I've been playing with writing a fake YMSG server to try to get the
clients to believe they are connected, with very little success. Most of
the published reverse-engineering covers the obsolete V9 protocol.

> You might need to use dst IPs for blocking. Yahoo! is pretty nasty in
> that they tunnel IM traffic through finger, discard, chargen, smtp and
> even http...
>
> Ugly, ugly...

FYI, Yahoo! recently started pushing the new "Messenger 5.5" client to
existing users. The new version changes the order in which the various
ports are attempted, and is more insistent at trying different ports and
destination IPs.

I have started to block their servers by IP network, so far I've found a
half dozen different subnets (ranging from a couple of /24's to a /19),
all used for the messenger servers.

If you think you are successfully blocking Yahoo Messenger, by protocol
or by destination IP, you might want to take another look.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
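The payload-signature approach Frank describes, set against Kevin's point that YMSG rides on the finger, SMTP and other ports, as an added Python example that is not from either poster: it relies on the YMSG header starting with the ASCII magic "YMSG" followed by a body-length field, and compares what a port-only rule and a payload-signature rule would reset on a few constructed flows. The port 5050 watch list and the sample packet bodies are assumptions made for the demo.

```python
import struct
from typing import List, Optional, Tuple

# YMSG header (big-endian): "YMSG", version, vendor id, body length, service,
# status, session id = 20 bytes. Checking the length field against the real
# payload size rejects random data that merely happens to start with "YMSG".
YMSG_MAGIC = b"YMSG"
YMSG_HEADER = struct.Struct(">4sHHHHII")
PORT_RULE_WATCHES = {5050}  # assumption: the only port a naive port rule knows about

def parse_ymsg(payload: bytes) -> Optional[dict]:
    """Return the header fields if payload is a well-formed YMSG packet, else None."""
    if len(payload) < YMSG_HEADER.size or not payload.startswith(YMSG_MAGIC):
        return None
    _, ver, vendor, length, service, status, session = YMSG_HEADER.unpack_from(payload)
    if length != len(payload) - YMSG_HEADER.size:
        return None
    return {"version": ver, "vendor": vendor, "length": length,
            "service": service, "status": status, "session": session}

def build_ymsg(service: int, body: bytes, version: int = 11, session: int = 0x1234) -> bytes:
    """Constructed sample packet for the demo; not captured client traffic."""
    return YMSG_HEADER.pack(YMSG_MAGIC, version, 0, len(body), service, 0, session) + body

def port_rule(dport: int) -> bool:
    """What a port-based block sees: only the well-known messenger port."""
    return dport in PORT_RULE_WATCHES

def signature_rule(payload: bytes) -> bool:
    """What a payload-signature NIDS rule sees: the protocol, whatever the port."""
    return parse_ymsg(payload) is not None

# Constructed flows: (destination port, first payload bytes). Bodies are dummies.
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (5050, build_ymsg(0x01, b"1\xc0\x80alice\xc0\x80")),  # normal messenger port
    (25, build_ymsg(0x06, b"5\xc0\x80bob\xc0\x80")),       # YMSG on the SMTP port
    (79, build_ymsg(0x4b, b"")),                           # YMSG on the finger port
    (25, b"EHLO mail.example.com\r\n"),                    # legitimate SMTP
    (80, b"GET / HTTP/1.0\r\n\r\n"),                       # legitimate HTTP
]

def compare_rules(flows: List[Tuple[int, bytes]]) -> Tuple[List[int], List[int]]:
    """Indexes of flows each rule would reset: (port-rule hits, signature-rule hits)."""
    by_port = [i for i, (dport, _) in enumerate(flows) if port_rule(dport)]
    by_sig = [i for i, (_, payload) in enumerate(flows) if signature_rule(payload)]
    return by_port, by_sig

if __name__ == "__main__":
    print(compare_rules(SAMPLE_FLOWS))  # ([0], [0, 1, 2])
```

The port rule only catches the flow on 5050, while the signature rule catches the same protocol on the SMTP and finger ports and leaves the genuine SMTP and HTTP flows alone.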
