Re: can Hopster traffic be blocked?

From: whiplash (whiplash_at_despammed.com)
Date: 08/05/04

  • Next message: Pablo Gietz: "Re: can Hopster traffic be blocked?"
    Date: Thu, 05 Aug 2004 01:22:35 +0200
    To: focus-linux@securityfocus.com
    
    

    Prakash Purushotham wrote:

    > Any suggestions on how I can block hopster (and other similar socks
    > based tunneling applications) from tunnelling out.

    tcpdump and ethereal are often the sysadmin's best friends. :)

    Ok, I downloaded this hopster, installed it on a win box, started
    squid on my home linux firewall, put a rule in the FORWARD chain to
    drop packets coming from the win box and then I started to observe.
    hopster wasn't apparently able to automatically detect the squid proxy, so
    I manually configured it.
    Then I started some applications, like an irc client, and configured them to
    use the localhost socks proxy that hopster bound.

    Ok: what did ethereal show me?
    First: in all tests I've performed, hopster seems to use just one remote
    http tunneler:

    CONNECT 62.116.83.62:443 HTTP/1.0

    If this observation is correct, a simple acl that denies the CONNECT method
    to 62.116.83.62 should be sufficient.
    Moreover: despite the port shown above, the traffic isn't actually
    ssl-tunneled:

    HTTP/1.0 200 Connection established

    ................C...G.Us.............calvino.freenode.net........[cut]
    NOTICE AUTH :*** Looking up your hostname...
    ......._NICK whiplash

    So, it is also possible to write content-based acls.

    Blocking hopster, at the moment, seems to be quite easy, if
    things are really like they appear in my quick and dirty
    analysis.

    Things could become more tricky and interesting, anyway.

    Try and imagine nasty applications that really use ssl and
    misconfigured open proxies that support the CONNECT method, for
    example...

    Regards.
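
The two checks the post describes (a destination acl on the CONNECT target and a content-based acl on what flows through the tunnel), written up as an added example in Python; it is not code from the post and not Squid code. The blocked address is the one observed in the post; the sample payloads, host names and the `connect_policy` function are constructed for illustration.

```python
# Added example (not from the post, not Squid code): the two CONNECT checks
# whiplash describes, as a tunnel policy a proxy could apply.
#   1. destination acl: deny CONNECT to a known tunnel endpoint
#      (62.116.83.62 is the address seen in the post's capture);
#   2. content acl: on a port-443 tunnel, require that the first client bytes
#      form a TLS ClientHello; hopster's tunnel carried cleartext IRC instead.
import re

BLOCKED_CONNECT_HOSTS = {"62.116.83.62"}          # from the post's capture
IRC_COMMAND = re.compile(rb"(?:^|[\r\n])(NICK|USER|PRIVMSG|JOIN) ")


def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS record (type 0x16 handshake,
    version 3.x) whose first handshake message is a ClientHello (0x01)."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len >= 4 and payload[5] == 0x01)


def connect_policy(target: str, first_client_bytes: bytes) -> str:
    """Decide on a 'CONNECT host:port' request once the client has sent its
    first bytes into the tunnel. Returns 'allow' or 'deny: <reason>'."""
    host, _, port = target.rpartition(":")
    if host in BLOCKED_CONNECT_HOSTS:
        return "deny: destination on CONNECT blocklist"
    if port == "443" and not is_tls_client_hello(first_client_bytes):
        if IRC_COMMAND.search(first_client_bytes):
            return "deny: cleartext IRC inside port-443 tunnel"
        return "deny: port-443 tunnel does not start with TLS ClientHello"
    return "allow"


# Constructed samples: a minimal TLS 1.0 ClientHello record header, and the
# kind of cleartext hopster relayed (framing bytes, then IRC registration).
SAMPLE_TLS = bytes.fromhex("160301002a01000026") + b"\x03\x01" + b"\x00" * 32
SAMPLE_HOPSTER = b"\x00\x00\x00\x10CG" + b"\r\nNICK whiplash\r\nUSER whiplash 0 * :x\r\n"

if __name__ == "__main__":
    print(connect_policy("62.116.83.62:443", SAMPLE_HOPSTER))
    print(connect_policy("irc.example.org:443", SAMPLE_HOPSTER))
    print(connect_policy("www.example.org:443", SAMPLE_TLS))
```

The content check only covers port-443 tunnels, which is the case the post examines; a tunnel that really speaks TLS to an open CONNECT proxy passes it, matching the author's closing caveat.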

