Re: can Hopster traffic be blocked?
From: Prakash Purushotham (prakashp_at_bigfoot.com)
To: email@example.com
Date: Sat, 07 Aug 2004 22:19:11 +0530
Thanks whiplash, I had in fact used tcpdump to track down that IP and
added it in the banned sites acl. Problem solved ... at least for the
time being. Sorry I was not prompt enough to post it here.
I wonder whether hopster uses just one server. I would be doing some
more tcpdump'ing to check whether other servers are being used.
> From: whiplash <firstname.lastname@example.org>
> To: email@example.com
> Subject: Re: can Hopster traffic be blocked?
> Date: Thu, 05 Aug 2004 01:22:35 +0200
> Prakash Purushotham wrote:
> > Any suggestions on how I can block hopster (and other similar socks
> > based tunneling applications) from tunnelling out.
> tcpdump and ethereal are often the sysadmin's best friends. :)
> Ok, I downloaded this hopster, installed it on a win box, started
> squid on my home linux firewall, put a rule in the FORWARD chain to
> drop packets coming from the win box and then I started to observe.
> hopster wasn't apparently able to automatically detect the squid proxy, so
> I manually configured it.
> Then I started some applications, like an irc client, and configured them to
> use the localhost socks proxy that hopster bound.
> Ok: what did ethereal show me?
> First: in all tests I've performed, hopster seems to use just one remote
> http tunneler:
> CONNECT 22.214.171.124:443 HTTP/1.0
> If this observation is correct, a simple acl that denies the CONNECT method
> to 126.96.36.199 should be sufficient.
> Moreover: despite the port shown above, the traffic isn't actually