Re: can Hopster traffic be blocked?
From: Prakash Purushotham (prakashp bigfoot.com)
Date: Sat Aug 07 2004 - 11:49:11 CDT
Thanks whiplash, I had in fact used tcpdump to track down that IP and
added it in the banned sites acl. Problem solved ... at least for the
time being. Sorry I was not prompt enough to post it here.
I wonder whether hopster uses just one server. I would be doing some
more tcpdump'ing to check whether other servers are being used.
> From: whiplash <whiplash despammed.com>
> To: focus-linux securityfocus.com
> Subject: Re: can Hopster traffic be blocked?
> Date: Thu, 05 Aug 2004 01:22:35 +0200
>
> Prakash Purushotham wrote:
>
> > Any suggestions on how I can block hopster (and other similar socks
> > based tunneling applications) from tunnelling out.
>
> tcpdump and ethereal are often the sysadmin's best friends. :)
>
> Ok, I downloaded this hopster, installed it on a win box, started
> squid on my home linux firewall, put a rule in the FORWARD chain to
> drop packets coming from the win box and then I started to observe.
> hopster wasn't apparently able to automatically detect the squid proxy, so
> I manually configured it.
> Then I started some applications, like an irc client, and configured them to
> use the localhost socks proxy that hopster bound.
>
> Ok: what did ethereal show me?
> First: in all tests I've performed, hopster seems to use just one remote
> http tunneler:
>
> CONNECT 62.116.83.62:443 HTTP/1.0
>
> If this observation is correct, a simple acl that denies the CONNECT method
> to 62.116.83.62 should be sufficient.
> Moreover: despite the port shown above, the traffic isn't actually
> ssl-tunneled:
<snipped>
Best regards
Prakash
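
The question of whether other tunnel servers are in use can also be checked from the proxy's own log. The following is an added example, not code from either poster: it scans Squid native-format `access.log` lines for allowed CONNECT requests whose target is a bare IP address (as in the `CONNECT 62.116.83.62:443` request quoted above) and prints a deny ACL for review. The log lines are constructed, the ACL name `tunnel_hosts` is hypothetical, and treating a bare-IP CONNECT as a tunnel candidate is a heuristic assumption to confirm by hand before blocking.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1091893751.102   5312 192.168.1.20 TCP_MISS/200 48213 CONNECT 62.116.83.62:443 - DIRECT/62.116.83.62 -
1091893760.440    210 192.168.1.21 TCP_MISS/200 3120 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1091893790.007   9120 192.168.1.20 TCP_MISS/200 91022 CONNECT 62.116.83.62:443 - DIRECT/62.116.83.62 -
1091893801.913     95 192.168.1.22 TCP_MISS/200 1811 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1091893822.551   7730 192.168.1.20 TCP_MISS/200 60114 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1091893840.018      3 192.168.1.23 TCP_DENIED/403 1450 CONNECT 203.0.113.9:443 - NONE/- text/html
"""

def connect_to_ip_literals(log_text):
    """Count allowed CONNECT requests to bare-IP targets, keyed by (dest_ip, client)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = line.split()
        # Fields: time elapsed client action/code bytes method URL ident hier type
        if len(f) < 7 or f[5] != "CONNECT" or f[3].startswith("TCP_DENIED"):
            continue  # not a CONNECT, or already blocked by an existing acl
        host = f[6].rpartition(":")[0].strip("[]")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname target: ordinary HTTPS browsing
        hits[(host, f[2])] += 1
    return hits

def squid_deny_rules(hits, acl_name="tunnel_hosts"):
    """Build squid.conf lines denying CONNECT to the flagged IPs (acl name is hypothetical)."""
    ips = sorted({dest for dest, _client in hits})
    if not ips:
        return []
    return [
        "acl CONNECT method CONNECT",
        f"acl {acl_name} dst {' '.join(ips)}",
        # Must appear before any 'http_access allow' rule that would match first.
        f"http_access deny CONNECT {acl_name}",
    ]

if __name__ == "__main__":
    found = connect_to_ip_literals(SAMPLE_LOG)
    for (dest, client), count in found.most_common():
        print(f"{client} -> {dest}: {count} CONNECT request(s)")
    print("\n".join(squid_deny_rules(found)))
```
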