Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Blocking Yahoo IM

From: "Frank Darden" <fdarden () locked com>
Date: Thu, 21 Nov 2002 13:41:56 -0500
I have found that Network based IDS systems that allow free form
expression signatures are the easiest way to block these sorts of rogue
protocols. In the case of Yahoo messenger, do a sniff on the
conversation. Youll find that there are unique signatures for the
packets in these conversations (I cant remember off the top of my head,
I think its 2nd offset, 2a02) At any rate, you can use NIDS to send
RST's when it sees the unique signature on the packets, thus breaking
the IM session. Sorry if this is cryptic, and hopefully this will help
steer you in the right direction.

Frank


=======================================
Frank Darden 
Chief Technology Officer
Mission Critical Systems
3320 NW 53rd St. Suite 202
Fort Lauderdale, FL 33309
Phone (954)766-2550 x203
Fax (954-766-2580
AIM/MSN FishinCritical
 ===========================================


-----Original Message-----
From: kadokev () msg net [mailto:kadokev () msg net] 
Sent: Thursday, November 21, 2002 2:34 AM
To: Kowsik Guruswamy
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Blocking Yahoo IM

AIM is still the hands-down winner for getting past firewalls by
tunnelling
in all sorts of different protocols (their FTP tricks are particularly
interesting), but Yahoo! gets an honorable mention for their ugly
implementation of HTTP 'polling' for IM, and the ugly attempts the
client
uses to tunnel their proprietary YMSG protocol through SMTP.

I've been playing with writing a fake YMSG server to try to get the
clients
to believe they are connected, with very little success.  Most of the
published reverse-engineering covers the obsolete V9 protocol.



You might need to use dst IPs for blocking. Yahoo! is pretty nasty in

that

they tunnel IM traffic through finger, discard, chargen, smtp and even
http...

Ugly, ugly...


FYI, Yahoo! recently started pushing the new "Messenger 5.5" client to
existing users.  The new version changes the order in which the various
ports are attempted, and is more insistent at trying different ports and
destination IPs.

I have started to block their servers by IP network, so far I've found a
half dozen different subnets (ranging from a couple of /24's to a /19),
all used for the messenger servers.

If you think you are successfully blocking Yahoo Messenger, by protocol
or
by destination IP, you might want to take another look.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: