RE: can Hopster traffic be blocked?

From: Burton M. Strauss III (BStrauss_at_acm.org)
Date: 08/05/04

    To: "whiplash" <whiplash@despammed.com>, <focus-linux@securityfocus.com>
    Date: Thu, 5 Aug 2004 10:25:03 -0500
    
    

    1. Remember, a port is just a number. By CONVENTION many ports are used for
    specific things, but there's nothing that REQUIRES it. If you want to set
    up a dns daemon listening on port 22, it's dns not ssh...

    2. I'd suggest you give it a try - a lot of these tools have many, many
    fallbacks so that if one avenue is blocked it tries something else. Thus
    you may need to block thing a, figure out how it continues to connect (thing
    b) and repeat.

    -----Burton

    > -----Original Message-----
    > From: whiplash [mailto:whiplash@despammed.com]
    > Sent: Wednesday, August 04, 2004 6:23 PM
    > To: focus-linux@securityfocus.com
    > Subject: Re: can Hopster traffic be blocked?
    >
    >
    > Prakash Purushotham wrote:
    >
    > > Any suggestions on how I can block hopster (and other similar socks
    > > based tunneling applications) from tunnelling out.
    >
    > tcpdump and ethereal are often the sysadmin's best friends. :)
    >
    > Ok, I downloaded this hopster, installed it on a win box, started
    > squid on my home linux firewall, put a rule in the FORWARD chain to
    > drop packets coming from the win box and then I started to observe.
    > hopster wasn't apparently able to automatically detect the squid proxy, so
    > I manually configured it.
    > Then I started some applications, like an irc client, and configured them to
    > use the localhost socks proxy that hopster bound.
    >
    > Ok: what did ethereal show me?
    > First: in all tests I've performed, hopster seems to use just one remote
    > http tunneler:
    >
    > CONNECT 62.116.83.62:443 HTTP/1.0
    >
    > If this observation is correct, a simple acl that denies the CONNECT method
    > to 62.116.83.62 should be sufficient.
    > Moreover: despite the port shown above, the traffic isn't actually
    > ssl-tunneled:
    >
    > HTTP/1.0 200 Connection established
    >
    > ................C...G.Us.............calvino.freenode.net........[cut]
    > NOTICE AUTH :*** Looking up your hostname...
    > ......._NICK whiplash
    >
    > So, it is also possible to write content-based acls.
    >
    > Blocking hopster, at the moment, seems to be quite easy, if
    > things are really like they appear in my quick and dirty
    > analysis.
    >
    > Things could become more tricky and interesting, anyway.
    >
    > Try and imagine nasty applications that really use ssl and
    > misconfigured open proxies that support the CONNECT method, for
    > example...
    >
    > Regards.
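The two checks whiplash describes (deny CONNECT to a specific destination, and deny a CONNECT to port 443 whose payload is plainly not SSL) as a small Python illustration. This is an added example, not code from the thread or from squid; squid's own `acl`/`http_access` rules would express the destination check natively. The request line copies the one captured above; the payload bytes, the deny list and the function names are constructed for the example.

```python
import re

# Constructed samples. The CONNECT line mirrors the capture in the post; the
# bytes after "200 Connection established" are a constructed stand-in for
# the cleartext IRC traffic whiplash observed.
SAMPLE_REQUEST = b"CONNECT 62.116.83.62:443 HTTP/1.0\r\n\r\n"
SAMPLE_IRC_PAYLOAD = b"NOTICE AUTH :*** Looking up your hostname...\r\nNICK whiplash\r\n"
# Constructed first bytes of a TLS handshake record: type 0x16, version 3.1.
SAMPLE_TLS_PAYLOAD = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

# Destination-based rule: the single tunnel endpoint seen in the analysis.
DENIED_CONNECT_HOSTS = {"62.116.83.62"}

# Content-based rule: a real SSL/TLS session starts with a handshake record
# (0x16) and a 0x03 major version. SSLv2-style hellos (first byte with the
# high bit set) are deliberately not matched here.
TLS_RECORD_RE = re.compile(rb"^\x16\x03[\x00-\x03]")
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]\r\n")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None if it isn't one."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes sent through the tunnel form a TLS record header."""
    return bool(TLS_RECORD_RE.match(payload))


def classify_tunnel(request: bytes, payload: bytes) -> str:
    """Decide what a proxy ACL would do with this CONNECT.

    'deny-dst'     - destination is on the deny list
    'deny-content' - port 443 requested, but the tunneled bytes are not TLS
    'allow'        - neither rule fires
    'not-connect'  - request is not a CONNECT at all
    """
    parsed = parse_connect(request)
    if parsed is None:
        return "not-connect"
    host, port = parsed
    if host in DENIED_CONNECT_HOSTS:
        return "deny-dst"
    if port == 443 and payload and not looks_like_tls(payload):
        return "deny-content"
    return "allow"


if __name__ == "__main__":
    print(classify_tunnel(SAMPLE_REQUEST, SAMPLE_IRC_PAYLOAD))
    print(classify_tunnel(b"CONNECT irc.example.net:443 HTTP/1.0\r\n\r\n", SAMPLE_IRC_PAYLOAD))
    print(classify_tunnel(b"CONNECT www.example.net:443 HTTP/1.0\r\n\r\n", SAMPLE_TLS_PAYLOAD))
```

The destination check is cheap but only as good as the list of known endpoints; the content check is what still fires once the tool moves to another host, and it stops working the moment the tunnel really is SSL, which is exactly the harder case whiplash points to at the end.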

