* [LARTC] KaZZaa and connection sequences
@ 2003-05-13 12:53 GoMi
2003-05-13 13:24 ` Greg Scott
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: GoMi @ 2003-05-13 12:53 UTC (permalink / raw)
To: lartc
Hi there, I am having big trouble with traffic shaping and kazza; for some reason, it seems to collapse the whole system. I have a firewall to stop users using p2p programs during day time, and then it's totally free for them to access anywhere during night-time.
First Problem... KaZZa
During day-time, there are kazza servers accepting connections on port 80, and because I can't filter that port, my users can download. I have tried to study the sequence of kazza programs using tcpdump, but I got no conclusions. Does anybody know how to distinguish between HTTP connections and KaZZa?
Second Problem... KaZZa (hehehe)
During night-time, I register lots of ACK packets due to kazza programs; anybody in the same situation? I just read about layer-7 filtering, but I can't change my kernel right now, so I want to try as much as I can with packet filtering. Anybody here?
Thank You
GoMi
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [LARTC] KaZZaa and connection sequences
2003-05-13 12:53 [LARTC] KaZZaa and connection sequences GoMi
@ 2003-05-13 13:24 ` Greg Scott
2003-05-13 13:24 ` Gordan Bobic
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Greg Scott @ 2003-05-13 13:24 UTC (permalink / raw)
To: lartc
I would look at a commercial web filtering product like Smartfilter and
then run this on top of Squid, all inside your firewall/router/traffic
shaping box. And then use Smartfilter to restrict downloads of any MP3
or other stuff like that. The Smartfilter subscription should keep up
with the rapidly moving IP Addresses of these things and then you can
set filtering policies at an application level. Imho it's a losing
battle to set application filtering policies at the packet level.
- Greg Scott
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [LARTC] KaZZaa and connection sequences
2003-05-13 12:53 [LARTC] KaZZaa and connection sequences GoMi
2003-05-13 13:24 ` Greg Scott
@ 2003-05-13 13:24 ` Gordan Bobic
2003-05-13 13:48 ` Ethan Sommer
2003-05-14 6:43 ` rio
3 siblings, 0 replies; 5+ messages in thread
From: Gordan Bobic @ 2003-05-13 13:24 UTC (permalink / raw)
To: lartc
Hi,
> I just read about layer-7 filtering, but I
> can't change my kernel right now, so I want to try as much as I can with
> packet filtering. Anybody here?
I don't think you will be able to do anything about it without Layer-7
filtering. I think (and I may be wrong in this for the time being) that KaZaA
uses SSL, so reading the payload content is going to be impossible. However,
if there are servers running on port 80, you can see if it looks like a valid
HTTP request. If it doesn't, you drop it, because it is probably some kind of
a P2P application using the port.
I don't know how good the current generation of P2P applications is at
masquerading as legitimate HTTP traffic. tcpdump will tell you more about
that.
Unfortunately, there are also likely to be servers out there that run on port
443 (HTTPS), which you probably cannot or don't want to block. And since that
is supposed to run over SSL, you are rather out of luck... Same goes for any
valid port used for SSL communication.
So, in conclusion, even Layer-7 filtering will not help you if/when the
communication is encrypted...
Regards.
Gordan
^ permalink raw reply [flat|nested] 5+ messages in thread
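The check suggested in the reply above (does the first data on a port-80 connection look like a valid HTTP request?), as an added example that is not part of the original thread. The function names, the line-length cap and the sample payloads are assumptions constructed for illustration; it only flags traffic that is not HTTP-shaped, so a P2P client that sends well-formed HTTP would pass.

```python
import re

# HTTP/1.x methods accepted as "valid"; extend (e.g. WebDAV) if your users need it.
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
# Request line per RFC 7230: method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(rb"([A-Z]+) ([\x21-\x7e]+) HTTP/1\.[01]")
MAX_LINE = 8192  # assumed cap; longer "request lines" are treated as invalid


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes seen on a port-80 connection.

    Returns "http", "not-http", or "incomplete" (no CRLF yet, keep buffering).
    """
    line, crlf, _ = payload.partition(b"\r\n")
    if not crlf:
        # No full line yet. A trailing CR may be half of a CRLF split across
        # segments; any other control or 8-bit byte already rules out HTTP.
        body = payload.rstrip(b"\r")
        if len(payload) > MAX_LINE or any(b < 0x20 or b > 0x7E for b in body):
            return "not-http"
        return "incomplete"
    m = REQUEST_LINE.fullmatch(line)
    if m and m.group(1) in METHODS and len(line) <= MAX_LINE:
        return "http"
    return "not-http"


def flag_non_http(flows: dict) -> list:
    """Return the flow keys whose first payload is definitely not an HTTP request."""
    return sorted(k for k, p in flows.items() if classify_first_payload(p) == "not-http")


# Constructed sample flows (client ip:port -> first payload); not captured traffic.
SAMPLE_FLOWS = {
    "10.0.0.5:40001": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "10.0.0.6:40002": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a",  # binary handshake bytes
    "10.0.0.7:40003": b"FETCH /blob HTTP/1.1\r\n\r\n",          # unknown method
    "10.0.0.8:40004": b"POST /form HTT",                        # cut at segment boundary
}

if __name__ == "__main__":
    for key, data in SAMPLE_FLOWS.items():
        print(key, classify_first_payload(data))
    print("flag:", flag_non_http(SAMPLE_FLOWS))
```
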
* Re: [LARTC] KaZZaa and connection sequences
2003-05-13 12:53 [LARTC] KaZZaa and connection sequences GoMi
2003-05-13 13:24 ` Greg Scott
2003-05-13 13:24 ` Gordan Bobic
@ 2003-05-13 13:48 ` Ethan Sommer
2003-05-14 6:43 ` rio
3 siblings, 0 replies; 5+ messages in thread
From: Ethan Sommer @ 2003-05-13 13:48 UTC (permalink / raw)
To: lartc
>I don't think you will be able to do anything about it without Layer-7
>filtering. I think (and I may be wrong in this for the time being) that KaZaA
>uses SSL, so reading the payload content is going to be impossible.

Kazaa most definitely does not use SSL.
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [LARTC] KaZZaa and connection sequences
2003-05-13 12:53 [LARTC] KaZZaa and connection sequences GoMi
` (2 preceding siblings ...)
2003-05-13 13:48 ` Ethan Sommer
@ 2003-05-14 6:43 ` rio
3 siblings, 0 replies; 5+ messages in thread
From: rio @ 2003-05-14 6:43 UTC (permalink / raw)
To: lartc
Original Message:
-----------------
From: GoMi gomiuk@hotmail.com
> Hi there, I am having big trouble with traffic shaping and kazza; for some
> reason, it seems to collapse the whole system. I have a firewall to stop
> users using p2p programs during day time, and then it's totally free for
> them to access anywhere during night-time.
> First Problem... KaZZa
> During day-time, there are kazza servers accepting connections on port 80,
> and because I can't filter that port, my users can download. I have tried
> to study the sequence of kazza programs using tcpdump, but I got no
> conclusions. Does anybody know how to distinguish between HTTP connections
> and KaZZa?
Kazaa is hard to stop. Did you already know that when you sniff your
clients' connections using Kazaa, there is a random TCP port range from 1214
to 4000 connecting from your clients to random and numerous IPs outside?
So perhaps you need to shape all protocols going to your clients. That
worked for me. If what you want in daylight is just web browsing, you could
use Squid as a bandwidth limiter with its Delay Pool, and IPTABLES to block
all outgoing connections except port 80.
Regards,
Rio Martin.
^ permalink raw reply [flat|nested] 5+ messages in thread