* block kazaa
From: realsite internetcafe @ 2003-03-25 14:46 UTC (permalink / raw)
To: netfilter
According to many, port 1214 is Kazaa's port; not until
I monitored my LAN did I see it changes from time to time! Now
how do I disable Kazaa from my network? Any other way?
Blocking Kazaa is my last resort, but what I want is
just to limit the workstations' internet bandwidth if
Kazaa is used. I've tried cbq and tc but my kernel
doesn't seem to support it: RTNETLINK: Invalid Argument
??
Well, what's important is I need tips.. any better suggestion?
* Re: block kazaa
From: Scott Radvan @ 2003-03-25 15:27 UTC (permalink / raw)
To: netfilter
On Tue, 25 Mar 2003 14:46:36 +0000 (GMT)
realsite internetcafe <realsiteinternetcafe@yahoo.com> wrote:
> according to many port 1214 is kazaa's port, not until
> i monitored my lan, it changes from time to time! now
> how do i disable kazaa from my network? any other way?
>
> blocking kazaa is my last resort, but what i want is
> just to limit the workstations' internet bandwidth if
> kazaa is used. ive tried cbq and tc but my kernel
> doesnt seem to support it RTNETLINK: Invalid Argument
> ??
>
> well whats important is i need tips.. any better suggestion?
It is true that in more recent versions of KaZaA and KaZaALite, the incoming port can be modified to work on whatever is asked of it.
I assume by your sender address that you are in control of an Internet cafe.
One thing that's possible is to perform some sort of registry hack to disable the 'options' setting of kazaa. That way you can be sure that Kazaa will only connect at 1214, and can take control of it. Obviously, change them all to port 1214 and other settings that you want as standard, then implement a reg-hack across the clients, so that the port can't be changed. Not my area, but I imagine that's a decent option. Try to beat it at the client-end. Also, consider reverting to older clients that don't give the option of changing ports. Keep in mind you may not be able to log onto the KaZaA network with these older client versions.
However, KaZaA has gotten markedly difficult to firewall, filter and monitor at the server/gateway end, thanks to this port flexibility. If you can't reg-hack the thing, my wild guess would be to examine the TCP transmission techniques to see if anything is done differently in Kazaa than any other app. You _may_ be able to then filter based on this. Throw Ethereal on and see if you can filter Kazaa-like traffic. I could be, and most likely am, glaringly wrong on this one.
I am unaware of any specific netfilter technique to simply block the newer versions of kazaa. Wish I could help you further. Good Luck.
=====
"I don't like spinach, and I'm glad I don't, because if I liked it I'd
eat it, and I just hate it."
-- Clarence Darrow
=====
* Re: block kazaa
From: Maciej Soltysiak @ 2003-03-25 15:57 UTC (permalink / raw)
To: Scott Radvan; +Cc: netfilter
> I am unaware of any specific netfilter technique to simply block the
> newer versions of kazaa. Wish I could help you further. Good Luck.
I have heard of people using the string match to reject packets with
"X-Kazaa-User" or some other string.
Also, you could try to block access to the network pool of dns.kazaa.com.
I think this way, if the clients have never used kazaa, they will not
get addresses of other kazaa nodes. But it is a wild guess.
Regards,
Maciej Soltysiak
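The string match Maciej mentions inspects the bytes of one packet at a time, so it is worth seeing what that does and does not catch. The following is an added example, not code from the thread or from netfilter: it emulates a per-packet match for the "X-Kazaa-User" header over constructed TCP payloads and compares it with a check run on the reassembled stream. The flow names, request paths and addresses are invented for the example; the only marker taken from the thread is the header itself.

```python
"""
Emulation of a netfilter-style string match over TCP payloads.

All sample traffic below is constructed for this example; the only
Kazaa marker used is the "X-Kazaa-User" header named in the thread.
Function and flow names are this example's own choices.
"""
from typing import Dict, Iterable, List, Tuple

# Byte strings that identify the traffic. The thread names one; more can be added.
KAZAA_MARKERS: Tuple[bytes, ...] = (b"X-Kazaa-User",)


def packet_matches(payload: bytes, markers: Iterable[bytes] = KAZAA_MARKERS) -> bool:
    """Per-packet test, which is all the iptables string match can do:
    it inspects the bytes of a single packet and never reassembles a stream."""
    return any(marker in payload for marker in markers)


def stream_matches(segments: List[bytes], markers: Iterable[bytes] = KAZAA_MARKERS) -> bool:
    """Test after concatenating the segments of one TCP stream in order."""
    return packet_matches(b"".join(segments), markers)


def classify_flows(flows: Dict[str, List[bytes]]) -> Dict[str, Tuple[bool, bool]]:
    """For each flow return (any_packet_hit, reassembled_hit).

    A flow with (False, True) is one a per-packet rule lets through even
    though the header is present in the stream.
    """
    result: Dict[str, Tuple[bool, bool]] = {}
    for name, segments in flows.items():
        per_packet = any(packet_matches(seg) for seg in segments)
        result[name] = (per_packet, stream_matches(segments))
    return result


# Constructed sample flows: each is the ordered list of TCP payload segments.
SAMPLE_FLOWS: Dict[str, List[bytes]] = {
    # Header arrives whole in a single segment: both checks fire.
    "ws1": [
        b"GET /share/song.mp3 HTTP/1.1\r\nHost: 198.51.100.7:1214\r\n"
        b"X-Kazaa-User: alice\r\n\r\n"
    ],
    # Same header, but the sender's segmentation split it across two packets.
    "ws2": [
        b"GET /share/song.mp3 HTTP/1.1\r\nHost: 198.51.100.7:1214\r\nX-Kaz",
        b"aa-User: bob\r\n\r\n",
    ],
    # Ordinary web request: neither check fires.
    "ws3": [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"],
}


def missed_by_per_packet_match(flows: Dict[str, List[bytes]] = SAMPLE_FLOWS) -> List[str]:
    """Names of flows the per-packet rule misses but stream reassembly catches."""
    return [name for name, (pkt, strm) in classify_flows(flows).items()
            if strm and not pkt]


if __name__ == "__main__":
    for name, (pkt, strm) in classify_flows(SAMPLE_FLOWS).items():
        print(f"{name}: per-packet={pkt} reassembled={strm}")
    print("missed by per-packet match:", missed_by_per_packet_match())
```

The equivalent iptables rule (`-m string --string "X-Kazaa-User"`, with `--algo bm` required on current kernels) behaves like `packet_matches`: it is cheap and catches the common case, but a header that straddles a segment boundary, as in flow ws2, passes untouched, and a client that drops or renames the header defeats it entirely. Treat it as one signal for detection and rate limiting rather than a guarantee.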
* Re: block kazaa
From: paulc @ 2003-03-25 21:27 UTC (permalink / raw)
To: netfilter
The way I block Kazaa (and the other file sharing applications) is a
blanket ban on all ports by default. I then open the ports as I think is
appropriate at the firewall. These only include the port 23 for anyone
wishing to use telnet. All web and ftp style ports on 80, 21 and the like
are handled by a web-proxy to prevent using them for other purposes. All
incoming connects (and lots of ICMP messages) are dropped by the firewall also.
* Re: block kazaa
From: Kelly Setzer @ 2003-03-25 21:45 UTC (permalink / raw)
To: paulc; +Cc: netfilter
On Tue, Mar 25, 2003 at 09:27:16PM +0000, paulc@ibiblio.org wrote:
> The way I block Kazaa (and the other file sharing applications) is a
> blanket ban on all ports by default. I then open the ports as I think is
> appropriate at the firewall. These only include the port 23 for anyone
> wishing to use telnet. All web and ftp style ports on 80, 21 and the like
> are handled by a web-proxy to prevent using them for other purposes. All
> incoming connects (and lots of ICMP messages) are dropped by the firewall
> also.
In my personal experience, that still allows kazaa clients to download
files. Uploads are prevented, and that's a good thing if you're
committed to stopping p2p traffic. However it's only half a solution.
The reality is, fighting p2p traffic is a losing battle. I suspect
that's one of those things that will have to be addressed by corporate
policy/enforcement and with host-based restrictions (don't let users
install software on their own boxes).
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
* Re: block kazaa
From: Raymond Leach @ 2003-03-26 5:22 UTC (permalink / raw)
To: Netfilter Mailing List
Hi
Even if kazaa uses ports that can be set by the user, there must surely
be some kind of control connection when the client starts up that it
uses to establish connection to the kazaa network and tell other clients
about its port number.
Just try to figure out (ethereal, tcpdump) what the initial connection
is. With gnutella there is an initial http connection to the 'servers'.
Ray
On Tue, 2003-03-25 at 17:57, Maciej Soltysiak wrote:
> > I am unaware of any specific netfilter technique to simply block the
> > newer versions of kazaa. Wish I could help you further. Good Luck.
> I have heard of people using the string match to reject packets with
> "X-Kazaa-User" or some other string.
>
> Also, you could try to block access to the network pool of dns.kazaa.com.
> I think this way if the clients have not been ever using kazaa, will not
> get addresses of other kazaa nodes. But it is a wild guess.
>
> Regards,
> Maciej Soltysiak
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
( http://www.mapnet.co.za/ )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
* Re: block kazaa
From: Raymond Leach @ 2003-03-26 5:30 UTC (permalink / raw)
To: Netfilter Mailing List
On Tue, 2003-03-25 at 23:27, paulc@ibiblio.org wrote:
> The way I block Kazaa (and the other file sharing applications) is a
> blanket ban on all ports by default. I then open the ports as I think is
> appropriate at the firewall. These only include the port 23 for anyone
> wishing to use telnet. All web and ftp style ports on 80, 21 and the like
> are handled by a web-proxy to prevent using them for other purposes. All
> incoming connects (and lots of ICMP messages) are dropped by the firewall also.
>
How do you get passive ftp to work and not allow file sharing networks?
>
* Re: block kazaa
From: Paul Colclough @ 2003-03-26 8:14 UTC (permalink / raw)
To: raymondl; +Cc: Netfilter Mailing List
At 07:30 26/03/2003 +0200, you wrote:
>On Tue, 2003-03-25 at 23:27, paulc@ibiblio.org wrote:
> > The way I block Kazaa (and the other file sharing applications) is a
> > blanket ban on all ports by default. I then open the ports as I think is
> > appropriate at the firewall. These only include the port 23 for anyone
> > wishing to use telnet. All web and ftp style ports on 80, 21 and the like
> > are handled by a web-proxy to prevent using them for other purposes. All
> > incoming connects (and lots of ICMP messages) are dropped by the
> firewall also.
> >
>How do you get passive ftp to work and not allow file sharing networks?
The firewall machine itself has full access to the internet, and all the
Windows PCs use a web proxy to access all web and ftp servers, so the
firewall machine fetches the file, and passes it on. Therefore the only
file sharing networks that will work are those that act as a web or ftp
server on the standard ports.
* Re: block kazaa
From: Kelly Setzer @ 2003-03-26 15:06 UTC (permalink / raw)
To: Raymond Leach; +Cc: Netfilter Mailing List
On Wed, Mar 26, 2003 at 07:30:19AM +0200, Raymond Leach wrote:
> On Tue, 2003-03-25 at 23:27, paulc@ibiblio.org wrote:
> > The way I block Kazaa (and the other file sharing applications) is a
> > blanket ban on all ports by default. I then open the ports as I think is
> > appropriate at the firewall. These only include the port 23 for anyone
> > wishing to use telnet. All web and ftp style ports on 80, 21 and the like
> > are handled by a web-proxy to prevent using them for other purposes. All
> > incoming connects (and lots of ICMP messages) are dropped by the firewall also.
> >
> How do you get passive ftp to work and not allow file sharing networks?
Do you mean active ftp? Passive ftp uses outbound connections for
both control (20) and data (21). Active ftp uses an inbound
connection on port 21. Force your users to use passive ftp only.
Most clients default to that anyway.
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
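Raymond's question and Kelly's answer turn on which side opens the FTP data connection, which is exactly what a default-deny, outbound-only ruleset like paulc's has to cope with. The following is an added example, not code from the thread: it parses the two negotiation messages defined in RFC 959, the client's PORT command (active mode) and the server's 227 reply to PASV (passive mode), works out who connects to what, and evaluates the result against a simple model of an outbound-only policy, with and without a connection-tracking FTP helper. The control-channel lines, addresses and the policy model are constructed for this example.

```python
"""
FTP data-connection direction checker.

Parses the client's PORT command (active mode) and the server's
"227 Entering Passive Mode" reply (passive mode), then evaluates the
resulting data connection against a modelled outbound-only policy.
All control-channel lines, addresses and the policy model are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# RFC 959 encoding: six decimal fields h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(rb"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataConn:
    mode: str        # "active" or "passive"
    initiator: str   # "server" or "client": which side opens the TCP connection
    host: str        # address the initiator connects to
    port: int        # port the initiator connects to


def _decode(fields) -> Tuple[str, int]:
    nums = [int(x) for x in fields]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_control_line(line: bytes) -> Optional[DataConn]:
    """Recognise PORT (sent client -> server) and 227 (sent server -> client)."""
    stripped = line.strip()
    m = PORT_RE.match(stripped)
    if m:
        host, port = _decode(m.groups())
        # Active mode: the server connects back to the client's announced port.
        return DataConn("active", "server", host, port)
    m = PASV_RE.match(stripped)
    if m:
        host, port = _decode(m.groups())
        # Passive mode: the client connects out to the server's announced port.
        return DataConn("passive", "client", host, port)
    return None


def allowed_by_policy(conn: DataConn, allow_inbound: bool = False,
                      outbound_ports: Optional[Set[int]] = None,
                      ftp_helper: bool = False) -> bool:
    """Modelled policy (an assumption of this example, not a real ruleset):
    inbound connections are dropped unless allow_inbound; outbound is limited
    to outbound_ports (None = any port). ftp_helper models a conntrack FTP
    helper that reads the 227 reply and accepts the related outbound data
    connection even when its port is not on the list; inbound RELATED
    connections stay dropped in this model."""
    if conn.initiator == "server":
        return allow_inbound
    if outbound_ports is None or conn.port in outbound_ports:
        return True
    return ftp_helper and conn.mode == "passive"


# Constructed control-channel lines.
ACTIVE_LINE = b"PORT 192,168,1,10,4,1\r\n"                            # client port 1025
PASSIVE_LINE = b"227 Entering Passive Mode (203,0,113,5,195,80)\r\n"  # server port 50000


def evaluate_samples() -> dict:
    """Outcome of each sample under an outbound-only policy with just
    ports 21, 23 and 80 open, with and without an FTP helper."""
    strict = {21, 23, 80}
    out = {}
    for label, line in (("active", ACTIVE_LINE), ("passive", PASSIVE_LINE)):
        conn = parse_control_line(line)
        out[label] = {
            "port": conn.port,
            "initiator": conn.initiator,
            "no_helper": allowed_by_policy(conn, outbound_ports=strict),
            "with_helper": allowed_by_policy(conn, outbound_ports=strict, ftp_helper=True),
        }
    return out


if __name__ == "__main__":
    for label, info in evaluate_samples().items():
        print(label, info)
```

The output shows the trade-off in the thread: dropping all inbound connections kills active-mode transfers regardless of helpers, and a strict outbound port list also kills passive transfers, because the server hands out an arbitrary high port in the 227 reply. The usual way to keep passive FTP working under such a policy is a connection-tracking helper that reads that reply and accepts the data connection as RELATED, which the `ftp_helper` flag models here.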
* Re: block kazaa
From: Raymond Leach @ 2003-03-26 15:14 UTC (permalink / raw)
To: Kelly Setzer; +Cc: Netfilter Mailing List
Some ftp servers out there do not support or have fallback to passive
ftp.
On Wed, 2003-03-26 at 17:06, Kelly Setzer wrote:
> On Wed, Mar 26, 2003 at 07:30:19AM +0200, Raymond Leach wrote:
> > On Tue, 2003-03-25 at 23:27, paulc@ibiblio.org wrote:
> > > The way I block Kazaa (and the other file sharing applications) is a
> > > blanket ban on all ports by default. I then open the ports as I think is
> > > appropriate at the firewall. These only include the port 23 for anyone
> > > wishing to use telnet. All web and ftp style ports on 80, 21 and the like
> > > are handled by a web-proxy to prevent using them for other purposes. All
> > > incoming connects (and lots of ICMP messages) are dropped by the firewall also.
> > >
> > How do you get passive ftp to work and not allow file sharing networks?
>
> Do you mean active ftp? Passive ftp uses outbound connections for
> both control (20) and data (21). Active ftp uses an inbound
> connection on port 21. Force your users to use passive ftp only.
> Most clients default to that anyway.
>
> Kelly
>
> --
> Kelly Setzer, System Administrator/Architect - Placemark Investments
> 14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
> kelly.setzer@placemark.com http://www.placemark.com
> (972)404-8100x41 (work) (214) 287-3464 (cell)
* Re: block kazaa
From: per j @ 2003-03-27 21:14 UTC (permalink / raw)
To: paulc; +Cc: netfilter
Snort with Flexresp enabled at compile time can block much P2P traffic.