Re: can Hopster traffic be blocked?

From: whiplash (
Date: 08/05/04

    Date: Thu, 05 Aug 2004 01:22:35 +0200

    Prakash Purushotham wrote:

    > Any suggestions on how I can block hopster (and other similar socks
    > based tunneling applications) from tunnelling out.

    tcpdump and ethereal are often the sysadmin's best friends. :)

    Ok, I downloaded this hopster, installed it on a win box, started
    squid on my home linux firewall, put a rule in the FORWARD chain to
    drop packets coming from the win box and then I started to observe.
    hopster apparently wasn't able to automatically detect the squid proxy, so
    I manually configured it.
    Then I started some applications, like an irc client, and configured them to
    use the localhost socks proxy that hopster bound.

    Ok: what did ethereal show me?
    First: in all tests I've performed, hopster seems to use just one remote
    http tunneler:


    If this observation is correct, a simple acl that denies the CONNECT method
    to should be sufficient.
    Moreover: despite the port shown above, the traffic isn't actually

    HTTP/1.0 200 Connection established[cut]
    NOTICE AUTH :*** Looking up your hostname...
    ......._NICK whiplash

    So, it is also possible to write content-based acls.

    Blocking hopster, at the moment, seems to be quite easy, if
    things are really like they appear in my quick and dirty

    Things could become more tricky and interesting, anyway.

    Try and imagine nasty applications that really use ssl and
    misconfigured open proxies that support CONNECT method, for
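
Added example (not part of the original post): a minimal Python check for the content-based approach the message mentions, flagging CONNECT tunnels to port 443 whose first client bytes are not an SSL/TLS ClientHello. The function names, flow tuples, addresses and sample bytes are constructed for illustration.

```python
import struct

MAX_TLS_RECORD = 16384 + 2048  # largest TLS 1.2 ciphertext record length


def is_tls_record_hello(b: bytes) -> bool:
    """SSL 3.0 / TLS record carrying a ClientHello handshake message."""
    if len(b) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", b[:5])
    return (ctype == 22 and major == 3 and minor <= 4
            and 0 < length <= MAX_TLS_RECORD and b[5] == 1)


def is_sslv2_hello(b: bytes) -> bool:
    """SSLv2-format CLIENT-HELLO, still sent by many older clients."""
    return (len(b) >= 5 and bool(b[0] & 0x80) and b[2] == 1
            and (b[3], b[4]) in {(0, 2), (3, 0), (3, 1), (3, 2), (3, 3)})


def classify(first_bytes: bytes) -> str:
    """Label the first client bytes seen after '200 Connection established'."""
    if is_tls_record_hello(first_bytes) or is_sslv2_hello(first_bytes):
        return "tls"
    head = first_bytes[:64]
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in head)
    if head and printable / len(head) >= 0.9:
        return "plaintext"
    return "unknown"


def suspicious_tunnels(flows):
    """Return (client, dest, label) for port-443 CONNECTs that are not TLS."""
    return [(client, dest, classify(data))
            for client, dest, port, data in flows
            if port == 443 and classify(data) != "tls"]


# Constructed sample flows: (client, CONNECT destination, port, first client bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", "tunnel.example", 443, b"NICK whiplash\r\n"),
    ("192.0.2.11", "shop.example", 443,
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(36)),
    ("192.0.2.12", "legacy.example", 443, b"\x80\x2e\x01\x03\x00\x00\x15"),
]

if __name__ == "__main__":
    for hit in suspicious_tunnels(SAMPLE_FLOWS):
        print(hit)
```

This check only catches tunnels that skip the handshake entirely; a tunnel that really speaks SSL, the case raised at the end of the message, passes it.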

