Re: [squid-users] Block HTTP-Tunnel (WOW)

From: Lasse Mørk <debian@dont-contact.us>
Date: Tue, 6 Sep 2005 18:36:23 +0200 (CEST)

Whoops, deleted the last mail :/

Anyway. It could be interesting to know what to look for in the
access.log...

If anyone knows it, I will be glad :)

> On Fri, 2 Sep 2005, Lasse Mørk wrote:
>
>> Is there anyway it is possible to block a Http-tunnel ?
>
> Yes, block access to the relay server used on the Internet. See
> access.log.
>
>> It's fu....... driving me nuts, that they have made a tunnel to play World
>> Of Warcraft through...
>
> Fact of life: If there is some communication channel of at least 1 bit
> where you have control of both endpoints (i.e. server and client)
> then this can be used to build a tunnel, and it can be masqueraded as
> pretty much anything (there are masquerading tunneling "solutions" for
> HTTP, DNS, ICMP, IP fragments etc..)
>
>> Or is the only way to block the host ? If so, how do I find that host ?
>
> access.log is one way.
>
> tcpdump another.
>
> cachemgr open file descriptors a third.
>
>
> What you should look out for is odd patterns in
>
> - Same client making very many requests to a given server
> - Long running CONNECT requests
> - CONNECT requests to odd ports (there are good reasons why the default
> config restricts CONNECT to a small set of well known ports only).
>
> And if you enable log_mime_hdrs these tunneling agents sometimes can be
> identified by their request or response headers. If such identification
> can be done then you can make Squid access rules imposing a general ban of
> the use of that relay agent (at least until the agent is changed to use
> other request/response headers...)
>
> The most effective cure is to have an enforceable policy for allowable use
> of the network resources (including Internet), making it possible to take
> significant action against persons found to abuse the network infrastructure.
> Without this in place it may quickly escalate into a war-like situation
> where the users wanting to do this go to greater and greater lengths in
> hiding their actions.
>
> Regards
> Henrik
Received on Tue Sep 06 2005 - 10:37:57 MDT
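The three access.log patterns Henrik lists (one client hammering one server, long-running CONNECT requests, CONNECT to ports outside the default SSL_ports set) can be checked mechanically. The script below is an added example and is not part of the thread or of Squid itself. It assumes Squid's default native access.log format (time, elapsed ms, client, code/status, bytes, method, URL, ident, hierarchy/peer, type), that the stock squid.conf only allows CONNECT to ports 443 and 563, and the thresholds (50 requests per client/server pair, 10 minutes per CONNECT) are arbitrary starting points to tune for your site. The log lines are constructed, not real traffic; the hosts and addresses are placeholders.

```python
"""Flag HTTP-tunnel patterns in a Squid native-format access.log.

Added example for the squid-users thread, not code from the thread or from
Squid. Assumes the default native log format:
  time elapsed_ms client code/status bytes method url ident hierarchy type
"""
from collections import Counter
from urllib.parse import urlsplit

# Ports the stock squid.conf allows CONNECT to ("acl SSL_ports port 443 563").
SAFE_CONNECT_PORTS = {443, 563}

# Constructed sample log (placeholder hosts/addresses, not real traffic):
# a normal browser, one long-lived CONNECT, one CONNECT to a non-SSL port,
# and a client polling a relay host with many small POSTs.
SAMPLE_LOG = """\
1125980001.001 120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
1125980002.002 80 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.org/logo.png - NONE/- image/png
1125980003.003 3600123 10.0.0.9 TCP_MISS/200 8388608 CONNECT relay.example.net:443 - DIRECT/198.51.100.7 -
1125980004.004 15 10.0.0.9 TCP_MISS/200 90 CONNECT relay.example.net:8080 - DIRECT/198.51.100.7 -
""" + "".join(
    f"{1125980010 + i}.000 30 10.0.0.9 TCP_MISS/200 300 POST "
    f"http://relay.example.net/tunnel - DIRECT/198.51.100.7 -\n"
    for i in range(60)
)


def parse_line(line):
    """Split one native-format line into the fields the checks need.

    Returns None for lines that do not look like access.log records.
    """
    f = line.split()
    if len(f) < 7:
        return None
    method, url = f[5], f[6]
    if method == "CONNECT":
        # CONNECT requests are logged as host:port, not as a full URL.
        host, sep, port = url.rpartition(":")
        if not sep:
            host, port = url, "443"
        port = int(port) if port.isdigit() else 443
    else:
        parts = urlsplit(url)
        host = parts.hostname or url
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "time": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "status": f[3],
        "method": method,
        "host": host,
        "port": port,
    }


def find_suspects(log_text, max_per_pair=50, long_connect_ms=600_000,
                  safe_ports=SAFE_CONNECT_PORTS):
    """Return sorted (pattern, client, host, detail) tuples for the three
    patterns from the thread: chatty client/server pairs, long CONNECTs,
    and CONNECTs to ports outside the allowed set."""
    findings = []
    pair_counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pair_counts[(rec["client"], rec["host"])] += 1
        if rec["method"] == "CONNECT":
            if rec["elapsed_ms"] >= long_connect_ms:
                findings.append(("long_connect", rec["client"], rec["host"], rec["port"]))
            if rec["port"] not in safe_ports:
                findings.append(("odd_connect_port", rec["client"], rec["host"], rec["port"]))
    for (client, host), n in pair_counts.items():
        if n >= max_per_pair:
            findings.append(("chatty_pair", client, host, n))
    return sorted(findings)


def suggest_acl(findings, name="tunnel_relay"):
    """Turn the flagged relay hosts into a squid.conf dstdomain deny rule
    (the ACL name is a placeholder; put the deny before your allow rules)."""
    hosts = sorted({f[2] for f in findings})
    if not hosts:
        return ""
    return "\n".join([
        f"acl {name} dstdomain {' '.join(hosts)}",
        f"http_access deny {name}",
    ])


if __name__ == "__main__":
    hits = find_suspects(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(suggest_acl(hits))
```

Run it against a real log with `find_suspects(open("/var/log/squid/access.log").read())`; on the constructed sample it flags the relay host three times (62 requests from one client, a one-hour CONNECT, and a CONNECT to port 8080) and prints a `dstdomain` deny rule for it. A relay that changes hostnames will need the `dst` (IP) or `req_header`-based rule Henrik mentions instead, and the deny line must precede the `http_access allow` rules in squid.conf or it never matches.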

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:03 MDT