Security Basics mailing list archives
Filtering new KaZaa!!!
From: "Soporte" <soporte () opticalip com pe>
Date: Wed, 30 Oct 2002 19:31:11 -0500
Hi Guys!!! I am trying to block KaZaa using access lists. I read many tips like blocking port 1214 or blocking the Morpheus network, but with the latest version of KaZaa it seems that does not work. Why? Let me explain...

I have Kazaa Media Desktop 2.0 (Built: Friday, September 20, 2002 16:14:03), a Network Protocol Analyzer (Ethereal Version 0.9.7) and a Cisco Catalyst 6509 (IOS MSFC2 Software C6MSFC2-IS-M Version 12.1 E4).

1) Running the sniffer and then starting Kazaa, I found that the first contact with its server is a DNS query for "www.altnetp2p.com" (217.116.227.249), which has an alias named "media.altnet.com". Then I blocked any traffic to that target with the following access-list and applied it to the interface:

access-list 100 deny ip any host 217.116.227.249
access-list 100 permit ip any any
interface Vlan12
 ip access-group 100 in

Then the client still connects to Kazaa, but the initial desktop was down.

2) Flushing my DNS cache (ipconfig /flushdns) and then rerunning the sniffer and then Kazaa, we found that when the client cannot get any response from "www.altnetp2p.com" (217.116.227.249) it tries "desktop.kazaa.com" (217.116.226.13, 217.116.226.11, 217.116.226.12), which has the alias "rr1.kazaa.com", so I blocked it too:

access-list 100 deny ip any host 217.116.227.249
access-list 100 deny ip any host 217.116.226.11
access-list 100 deny ip any host 217.116.226.12
access-list 100 deny ip any host 217.116.226.13
access-list 100 permit ip any any

And again the client still connects to Kazaa.
3) Again I loaded the sniffer and then the client, and I saw a DNS query for "www.cms1.net" (209.73.225.7) and for "servedby.advertising.com" (209.225.0.6) with the following connections:

http://209.73.225.7/scripts/cms/CmsInit.ASP?ID=200101&D2=%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%40%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F&AW=291&LV=3210&CU=22068156

I have the following output from the browser; I do not know what this is:

DATA_OK
W_STR [C=101][V=]
W_STR [C=103][V=]
W_STR [C=100][V=]
W_STR [C=102][V=]
W_STR [C=104][V=]
W_INT [C=33][V=22068156]
W_INT [C=34][V=1036021229]

http://209.225.0.6/site=94237/size=468060/bnum=26639628/optn=1

I got a file with a link that targets some kind of ad-ware:

http://servedby.advertising.com/site=0000094237/mnum=0000074213/genr=1/logs=0/mdtm=1033158880/bins=1/optn=1 border=0 width=468 height=60 alt='Click to learn more...'

I blocked the traffic to these targets:

access-list 100 deny ip any host 217.116.227.249
access-list 100 deny ip any host 217.116.226.11
access-list 100 deny ip any host 217.116.226.12
access-list 100 deny ip any host 217.116.226.13
access-list 100 deny ip any host 209.73.225.7
access-list 100 deny ip any host 209.225.0.6
access-list 100 permit ip any any

But the client still connects to the server... and also has adware???
4) Once again I ran the sniffer and Kazaa, and something interesting came up in this session: I have a set of requests to 5 servers via UDP. At this point I tried to restrict the traffic to those addresses, but again another 5 servers appeared with different addresses, and again, and again and again... I have an access-list of more than 20 lines with these servers and new servers always appear, but I noticed that all requests were made from port 2210 of my box, so I restricted the UDP sessions from this port to any server:

access-list 100 deny ip any host 217.116.227.249
access-list 100 deny ip any host 217.116.226.11
access-list 100 deny ip any host 217.116.226.12
access-list 100 deny ip any host 217.116.226.13
access-list 100 deny ip any host 209.73.225.7
access-list 100 deny ip any host 209.225.0.6
access-list 100 deny udp any eq 2210 any
access-list 100 permit ip any any

And YEEEEESSSSSS!!!! but not... the client shoots to all the servers, all with different ports, only 3 with the famous 1214 port and also a server with port 23 listening???
neither a selectable range of ports to filter, nothing... and the client still gets connected, but this time a great delay to connect is noticeable:

12.142.98.106 2840
12.164.62.138 1597
12.246.228.24 2307
12.248.43.68 3722
12.253.110.209 2990
128.111.39.144 1776
128.138.31.119 2473
128.195.155.220 23
128.2.150.155 3560
128.61.67.141 3649
129.118.184.29 2411
129.15.134.165 1643
129.24.71.171 2410
129.25.29.86 3766
129.8.42.27 1889
129.89.127.190 3213
129.93.205.198 2625
129.93.210.173 3489
131.212.152.49 3019
134.53.110.117 3529
134.53.169.34 2816
137.28.124.59 3781
137.28.242.96 1333
137.45.61.3 3909
137.45.65.170 3858
137.49.217.25 3496
137.49.223.120 1293
137.49.223.152 2705
137.99.138.136 1931
137.99.146.187 3939
137.99.154.20 1652
137.99.154.200 1659
137.99.160.178 1504
139.78.59.134 2703
141.150.15.199 2797
141.164.92.110 2292
141.233.32.231 3916
146.7.156.219 2360
147.126.37.96 2078
149.159.94.102 1217
149.159.94.64 2137
150.252.97.171 3854
151.197.114.67 1891
152.19.229.130 2770
155.101.67.110 3465
165.134.182.216 3125
172.144.88.103 2372
18.240.0.98 3029
198.82.83.161 1214
198.82.90.236 1214
198.82.94.63 3792
198.82.96.196 1214
204.38.200.91 2995
207.246.190.46 2597
216.195.24.112 1191
24.136.33.54 1515
24.185.21.1 2455
24.186.209.52 3377
24.186.50.127 1577
24.191.17.32 2647
24.242.82.191 3319
24.247.217.194 1550
24.28.166.114 1059
24.31.230.20 2523
24.46.240.19 1233
24.46.69.103 3644
24.46.78.39 1777
24.60.120.239 1542
24.94.179.22 3264
24.95.47.237 1734
65.29.85.113 2741
65.32.138.101 3545
66.169.203.165 3288
66.57.129.156 1822
66.57.185.15 1983
66.69.232.3 2522
66.75.187.240 1635
66.8.219.62 1528
66.90.145.149 3797

At this time my last attempt was to filter any IP connection to those addresses. I finished with an access-list of near 100 lines, but via TCP new addresses appear, and as I said before there is no defined range of ports to try to filter, and the client still gets connected!!! What happened???
This is like the client has a list with a lot of servers to try to connect to!!! If somebody has any idea please let me know, I will be very happy.

Rick McCasttle
Anti-KaZaa kid!!!
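As an added example (not from the post or its thread), here is a small Python script that parses the peer list Rick captured in step 4 and measures what a port-based or host-based access-list would have caught on that session. The address/port pairs are the ones from his message; the function names, the ACL number 100 and the cut-off of 1024 for well-known ports are this example's own assumptions.

```python
"""Measure what a static access-list would actually catch.

Added example, not part of the original post. The address/port pairs in
CAPTURED are the TCP peers Rick listed in step 4 of his message; the
function names, the ACL number 100 and the 'well-known port' cut-off at
1024 are this example's own assumptions.
"""
import ipaddress
import re
from collections import Counter

# Peer list copied from the post: destination address and port of each connection.
CAPTURED = """
12.142.98.106 2840  12.164.62.138 1597  12.246.228.24 2307  12.248.43.68 3722
12.253.110.209 2990  128.111.39.144 1776  128.138.31.119 2473  128.195.155.220 23
128.2.150.155 3560  128.61.67.141 3649  129.118.184.29 2411  129.15.134.165 1643
129.24.71.171 2410  129.25.29.86 3766  129.8.42.27 1889  129.89.127.190 3213
129.93.205.198 2625  129.93.210.173 3489  131.212.152.49 3019  134.53.110.117 3529
134.53.169.34 2816  137.28.124.59 3781  137.28.242.96 1333  137.45.61.3 3909
137.45.65.170 3858  137.49.217.25 3496  137.49.223.120 1293  137.49.223.152 2705
137.99.138.136 1931  137.99.146.187 3939  137.99.154.20 1652  137.99.154.200 1659
137.99.160.178 1504  139.78.59.134 2703  141.150.15.199 2797  141.164.92.110 2292
141.233.32.231 3916  146.7.156.219 2360  147.126.37.96 2078  149.159.94.102 1217
149.159.94.64 2137  150.252.97.171 3854  151.197.114.67 1891  152.19.229.130 2770
155.101.67.110 3465  165.134.182.216 3125  172.144.88.103 2372  18.240.0.98 3029
198.82.83.161 1214  198.82.90.236 1214  198.82.94.63 3792  198.82.96.196 1214
204.38.200.91 2995  207.246.190.46 2597  216.195.24.112 1191  24.136.33.54 1515
24.185.21.1 2455  24.186.209.52 3377  24.186.50.127 1577  24.191.17.32 2647
24.242.82.191 3319  24.247.217.194 1550  24.28.166.114 1059  24.31.230.20 2523
24.46.240.19 1233  24.46.69.103 3644  24.46.78.39 1777  24.60.120.239 1542
24.94.179.22 3264  24.95.47.237 1734  65.29.85.113 2741  65.32.138.101 3545
66.169.203.165 3288  66.57.129.156 1822  66.57.185.15 1983  66.69.232.3 2522
66.75.187.240 1635  66.8.219.62 1528  66.90.145.149 3797
"""

# One dotted-quad followed by a port number; findall walks the text pair by pair.
_PAIR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})")


def parse_peer_list(text):
    """Turn free-form 'ip port ip port ...' text into [(IPv4Address, port), ...]."""
    return [(ipaddress.IPv4Address(ip), int(port)) for ip, port in _PAIR_RE.findall(text)]


def port_histogram(peers):
    """How many connections went to each destination port."""
    return Counter(port for _, port in peers)


def port_filter_coverage(peers, blocked_ports):
    """Share of the captured connections a set of destination-port deny rules would stop."""
    hit = sum(1 for _, port in peers if port in blocked_ports)
    return hit / len(peers)


def well_known_peers(peers):
    """Connections to ports below 1024 (assumed cut-off), the only ones a narrow port range could name."""
    return [(ip, port) for ip, port in peers if port < 1024]


def dynamic_port_span(peers):
    """(lowest, highest) destination port at or above 1024: the range a port filter would have to cover."""
    high = [port for _, port in peers if port >= 1024]
    return min(high), max(high)


def host_deny_acl(peers, acl=100):
    """The per-host deny list Rick built by hand: one line per distinct address plus the final permit."""
    hosts = sorted({ip for ip, _ in peers})
    lines = [f"access-list {acl} deny ip any host {ip}" for ip in hosts]
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def summary(text=CAPTURED):
    """Everything a filter designer would want to know about one captured session."""
    peers = parse_peer_list(text)
    return {
        "connections": len(peers),
        "distinct_hosts": len({ip for ip, _ in peers}),
        "on_1214": port_histogram(peers)[1214],
        "port_1214_coverage": port_filter_coverage(peers, {1214}),
        "well_known": [(str(ip), port) for ip, port in well_known_peers(peers)],
        "dynamic_span": dynamic_port_span(peers),
        "acl_lines": len(host_deny_acl(peers)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Run on the list above, the script reports 79 connections to 79 distinct hosts, only 3 of them on port 1214 (under 4% coverage for the classic rule), a single connection below port 1024 (the port 23 one), the remaining ports spread from 1059 to 3939, and an 80-line host ACL produced by one session alone, which is the point Rick's own numbers make: a destination address or port list cannot keep up with a client that carries its own peer list and picks ports dynamically.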
Current thread:
- Filtering new KaZaa!!! Soporte (Oct 31)
- Re: Filtering new KaZaa!!! Bruno Lustosa (Nov 01)
- RE: Filtering new KaZaa!!! Ghaith Nasrawi (Nov 04)
- <Possible follow-ups>
- RE: Filtering new KaZaa!!! Soporte (Nov 04)