Re: can Hopster traffic be blocked?
From: whiplash (whiplash_at_despammed.com)
Date: Thu, 05 Aug 2004 01:22:35 +0200
To: firstname.lastname@example.org
Prakash Purushotham wrote:
> Any suggestions on how I can block hopster (and other similar socks
> based tunneling applications) from tunnelling out.
tcpdump and ethereal are often the sysadmin's best friends. :)
Ok, I downloaded this hopster, installed it on a win box, started
squid on my home linux firewall, put a rule in the FORWARD chain to
drop packets coming from the win box and then I started to observe.
hopster wasn't apparently able to automatically detect the squid proxy, so
I manually configured it.
Then I started some applications, like an irc client, and configured them to
use the localhost socks proxy that hopster bound.
Ok: what did ethereal show me?
First: in all tests I've performed, hopster seems to use just one remote
CONNECT 126.96.36.199:443 HTTP/1.0
If this observation is correct, a simple acl that denies the CONNECT method
to 188.8.131.52 should be sufficient.
Moreover: despite the port shown above, the traffic isn't actually
HTTP/1.0 200 Connection established
NOTICE AUTH :*** Looking up your hostname...
So, it is also possible to write content-based acls.
Blocking hopster, at the moment, seems to be quite easy, if
things are really like they appear in my quick and dirty
Things could become more tricky and interesting, anyway.
Try and imagine nasty applications that really use ssl and
misconfigured open proxies that support CONNECT method, for
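
Added example, not part of the original message: a Python sketch of the content-based check the post describes, flagging a CONNECT tunnel to port 443 whose first payload bytes are not an SSL/TLS handshake. The function names, the 192.0.2.10 address and the handshake byte strings are constructed for illustration; the IRC banner is the one quoted in the post.

```python
import re

CONNECT_RE = re.compile(rb"^CONNECT\s+(\S+):(\d+)\s+HTTP/1\.[01]\r?\n", re.I)

def parse_connect(request: bytes):
    """Return (host, port) from a proxy CONNECT request line, or None."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    return m.group(1).decode("ascii", "replace"), int(m.group(2))

def looks_like_tls(first: bytes) -> bool:
    """True if the first tunnel bytes (either direction) open an SSL/TLS handshake."""
    # SSLv3/TLS record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 1 (ClientHello) or 2 (ServerHello).
    if len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03 and first[2] <= 0x04:
        length = int.from_bytes(first[3:5], "big")
        return 0 < length <= 0x4000 and first[5] in (0x01, 0x02)
    # SSLv2-style ClientHello: length with high bit set, message type 1, version.
    if len(first) >= 5 and first[0] & 0x80 and first[2] == 0x01:
        return first[3] == 0x03 or (first[3], first[4]) == (0x00, 0x02)
    return False

def check_tunnel(request: bytes, first_payload: bytes):
    """Return (verdict, host, port); verdict is 'not-connect', 'ok' or 'non-tls-on-443'."""
    target = parse_connect(request)
    if target is None:
        return ("not-connect", None, None)
    host, port = target
    if port == 443 and not looks_like_tls(first_payload):
        return ("non-tls-on-443", host, port)
    return ("ok", host, port)

# Constructed samples (192.0.2.10 is a documentation address, not from the post).
REQ = b"CONNECT 192.0.2.10:443 HTTP/1.0\r\n\r\n"
IRC_BANNER = b"NOTICE AUTH :*** Looking up your hostname...\r\n"  # banner quoted in the post
TLS_HELLO = bytes.fromhex("160301002f0100002b0301")   # start of a TLS 1.0 ClientHello
SSL2_HELLO = bytes.fromhex("802e010301")              # start of an SSLv2-style ClientHello

if __name__ == "__main__":
    for name, payload in [("irc", IRC_BANNER), ("tls", TLS_HELLO), ("ssl2", SSL2_HELLO)]:
        print(name, check_tunnel(REQ, payload))
```

A tunnel that really speaks SSL passes this check, which is the harder case the closing paragraph of the post raises.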