Re: can Hopster traffic be blocked?

From: Stefan Osterlitz (osterlitz_at_mf-gt.de)
Date: 08/12/04

  • Next message: Peter H. Lemieux: "Attempts to push spam through apache"
    To: "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>
    Date: Thu, 12 Aug 2004 10:38:30 +0200
    
    

    >> Any suggestions on how I can block hopster (and other similar socks
    >> based tunneling applications) from tunnelling out.
    >I bet all my weekend beers that the only way out is content filtering
    >done at the proxy level. Maybe squidguard/dansguardian could help. Or
    >snort. Otherwise .. IBM websense.

    My first try would be iptables with the strings module loaded.
    Check all allowed HTTP ports for CONNECT strings.

    The second try (for more detailed analysis) would be squid in transparent mode.
    With squid you can add traffic analysis software and look for long-running connections with "bad" upload/download rates.
    The typical proxy connection will have a different access pattern (longer connections, different connection times, higher upload rates) than normal HTTP traffic.
    Use of CONNECT can be detected as well. You will get a more comprehensive image of what your users are doing, with forensic info, if you like.

    Greetings,
    Stefan Osterlitz
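The squid-side analysis Stefan describes (look for CONNECT, long-running requests and upload-heavy sessions in the proxy log), as an added example that is not part of the original thread or of Squid itself. It assumes Squid is writing a custom logformat that records both the reply size and the request size (Squid's native format only logs the reply size); the format line, the sample log lines and the thresholds are all constructed here for illustration.

```python
"""Scan a Squid access log for sessions that look like a SOCKS/HTTP tunnel.

Added example, not from the original thread. Assumes a custom Squid
logformat (an assumption; the native format lacks the request size):

    logformat tunnel %ts.%03tu %tr %>a %Ss/%03>Hs %<st %>st %rm %ru
    access_log /var/log/squid/access.log tunnel
"""
from dataclasses import dataclass

# Tuning knobs (assumed values for illustration; calibrate on your own traffic).
LONG_SESSION_MS = 5 * 60 * 1000   # one request held open for more than 5 minutes
UPLOAD_RATIO = 0.5                # client->server bytes divided by server->client bytes
MIN_UPLOAD_BYTES = 64 * 1024      # ignore the ratio for tiny requests
ALLOWED_CONNECT_PORTS = {443}     # CONNECT is expected only for HTTPS


@dataclass
class Entry:
    ts: float           # epoch seconds of the request
    elapsed_ms: int     # how long the request (or tunnel) stayed open
    client: str
    status: str         # e.g. TCP_TUNNEL/200
    reply_bytes: int    # bytes Squid sent to the client
    request_bytes: int  # bytes Squid received from the client
    method: str
    url: str


def parse_line(line: str) -> Entry:
    """Parse one line of the 'tunnel' logformat above."""
    f = line.split()
    if len(f) != 8:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return Entry(float(f[0]), int(f[1]), f[2], f[3],
                 int(f[4]), int(f[5]), f[6], f[7])


def connect_port(target: str) -> int:
    """CONNECT targets are host:port with no scheme; default to 443 if absent."""
    _host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else 443


def classify(e: Entry) -> list[str]:
    """Return the reasons an entry looks like a tunnel (empty if it looks normal)."""
    reasons = []
    if e.method == "CONNECT":
        port = connect_port(e.url)
        if port not in ALLOWED_CONNECT_PORTS:
            reasons.append(f"CONNECT to non-HTTPS port {port}")
    if e.elapsed_ms > LONG_SESSION_MS:
        reasons.append(f"long-running request ({e.elapsed_ms // 1000}s)")
    # Multiply instead of dividing so a zero-byte reply cannot raise.
    if (e.request_bytes >= MIN_UPLOAD_BYTES
            and e.request_bytes > UPLOAD_RATIO * e.reply_bytes):
        reasons.append(f"upload-heavy ({e.request_bytes} up / {e.reply_bytes} down)")
    return reasons


def scan(log_text: str) -> list[tuple[Entry, list[str]]]:
    """Return flagged entries, strongest suspects (most reasons) first."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        reasons = classify(e)
        if reasons:
            flagged.append((e, reasons))
    flagged.sort(key=lambda item: len(item[1]), reverse=True)  # stable: ties keep log order
    return flagged


# Constructed sample log: a normal page fetch, a normal HTTPS CONNECT, a
# tunnel to a SOCKS port, a tunnel disguised as HTTPS, and a long video stream.
SAMPLE_LOG = """\
1092304710.123 215 10.0.0.5 TCP_MISS/200 18432 512 GET http://www.example.com/index.html
1092304712.001 4310 10.0.0.5 TCP_TUNNEL/200 52100 6100 CONNECT mail.example.com:443
1092304720.500 1840000 10.0.0.9 TCP_TUNNEL/200 40960 3200000 CONNECT 203.0.113.7:1080
1092304730.250 900000 10.0.0.9 TCP_TUNNEL/200 81920 2400000 CONNECT 198.51.100.20:443
1092304750.000 700000 10.0.0.11 TCP_TUNNEL/200 95000000 120000 CONNECT video.example.com:443
"""

if __name__ == "__main__":
    for e, reasons in scan(SAMPLE_LOG):
        print(f"{e.client:<12} {e.method:<8} {e.url:<28} {'; '.join(reasons)}")
```

Note how the heuristics only become useful in combination: the long video stream trips the duration check alone, while the tunnel to port 443 is indistinguishable from HTTPS by method and port but stands out on duration plus upload ratio. Per-client aggregation over a day of logs, rather than per-request flags, is the next step for the "forensic image" Stefan mentions.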

