Firewall Wizards mailing list archives
RE: Blocking Yahoo IM
From: "Frank Darden" <fdarden () locked com>
Date: Thu, 21 Nov 2002 13:41:56 -0500
I have found that network-based IDS systems that allow free-form expression signatures are the easiest way to block these sorts of rogue protocols. In the case of Yahoo Messenger, do a sniff on the conversation. You'll find that there are unique signatures for the packets in these conversations (I can't remember off the top of my head, I think it's 2nd offset, 2a02). At any rate, you can use the NIDS to send RSTs when it sees the unique signature on the packets, thus breaking the IM session.

Sorry if this is cryptic, and hopefully this will help steer you in the right direction.

Frank

=======================================
Frank Darden
Chief Technology Officer
Mission Critical Systems
3320 NW 53rd St. Suite 202
Fort Lauderdale, FL 33309
Phone (954)766-2550 x203
Fax (954)766-2580
AIM/MSN FishinCritical
===========================================

-----Original Message-----
From: kadokev () msg net [mailto:kadokev () msg net]
Sent: Thursday, November 21, 2002 2:34 AM
To: Kowsik Guruswamy
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Blocking Yahoo IM

AIM is still the hands-down winner for getting past firewalls by tunnelling in all sorts of different protocols (their FTP tricks are particularly interesting), but Yahoo! gets an honorable mention for their ugly implementation of HTTP 'polling' for IM, and the ugly attempts the client uses to tunnel their proprietary YMSG protocol through SMTP.

I've been playing with writing a fake YMSG server to try to get the clients to believe they are connected, with very little success. Most of the published reverse-engineering covers the obsolete V9 protocol.

You might need to use dst IPs for blocking. Yahoo! is pretty nasty in that they tunnel IM traffic through finger, discard, chargen, smtp and even http... Ugly, ugly...

FYI, Yahoo! recently started pushing the new "Messenger 5.5" client to existing users. The new version changes the order in which the various ports are attempted, and is more insistent at trying different ports and destination IPs.

I have started to block their servers by IP network; so far I've found a half dozen different subnets (ranging from a couple of /24's to a /19), all used for the messenger servers.

If you think you are successfully blocking Yahoo Messenger, by protocol or by destination IP, you might want to take another look.

Kevin Kadow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
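The two-layer block the thread describes (a payload signature that fires on whatever port the client hops to, so the sensor can reset the session, backed by a destination-subnet deny list for the HTTP-polling and port-hopping cases) as an added Python example; this is not code from the thread or from any NIDS product. The signature used, the ASCII bytes "YMSG" at payload offset 0, is an assumption chosen for illustration and is not Frank's recollected offset-2 value; the subnets are RFC 5737 documentation ranges standing in for the messenger networks Kevin mentions, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    offset: int      # byte offset into the TCP payload where the pattern must sit
    pattern: bytes   # exact bytes expected at that offset


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Assumed signature (not from the thread): the YMSG header begins with the
# literal "YMSG" at payload offset 0. Frank's "2nd offset, 2a02" is not used.
SIGNATURES = (Signature("ymsg-header", 0, b"YMSG"),)

# Constructed deny list: RFC 5737 documentation ranges standing in for the
# messenger server subnets Kevin found. The real subnets are not on the page.
BLOCKED_DST_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
)


def signature_hits(payload: bytes, sigs=SIGNATURES):
    """Return the names of all signatures whose bytes appear at their offset."""
    hits = []
    for s in sigs:
        end = s.offset + len(s.pattern)
        if len(payload) >= end and payload[s.offset:end] == s.pattern:
            hits.append(s.name)
    return hits


def dst_blocked(dst: str, nets=BLOCKED_DST_NETS) -> bool:
    """True when the destination falls inside any denied server subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in nets)


def verdict(pkt: Packet) -> str:
    """Decide what the sensor does with one packet.

    'reset'   : signature seen (on any port) -> forge RSTs to both ends
    'deny-ip' : no signature, but the destination is a known messenger subnet
    'allow'   : neither rule matched
    The port is deliberately ignored: the client tunnels through finger (79),
    discard (9), chargen (19), smtp (25) and http (80), so a port-pinned rule
    misses the session.
    """
    if signature_hits(pkt.payload):
        return "reset"
    if dst_blocked(pkt.dst):
        return "deny-ip"
    return "allow"


def rst_targets(pkt: Packet):
    """Endpoints a RST-injecting sensor tears down: one forged RST per direction."""
    return [(pkt.src, pkt.dst), (pkt.dst, pkt.src)]


if __name__ == "__main__":
    # Constructed sample traffic: YMSG framing tunneled over SMTP and finger,
    # HTTP polling toward a denied subnet, and ordinary mail to an internal relay.
    samples = [
        Packet("10.0.0.5", "203.0.113.10", 25, b"YMSG\x00\x0b\x00\x00\x00\x10"),
        Packet("10.0.0.5", "203.0.113.11", 79, b"YMSG\x00\x0b\x00\x00\x00\x10"),
        Packet("10.0.0.5", "198.51.100.7", 80, b"GET /notify HTTP/1.1\r\n"),
        Packet("10.0.0.5", "10.0.0.9", 25, b"EHLO mail.example\r\n"),
    ]
    for p in samples:
        v = verdict(p)
        extra = f" rst->{rst_targets(p)}" if v == "reset" else ""
        print(f"{p.src}->{p.dst}:{p.dport} {v}{extra}")
```

The order of the two checks matters: the signature test runs first because it is the one that catches a session to a server subnet you have not discovered yet, which is exactly the gap Kevin warns about. Whether the sensor can actually inject the RST before the session makes progress depends on its placement and on how fast the client retries, so a deny list on the firewall is what stops the reconnect storm the 5.5 client produces.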
Current thread:
- Re: Blocking Yahoo IM kadokev (Nov 21)
- <Possible follow-ups>
- RE: Blocking Yahoo IM Frank Darden (Nov 21)