Re: [squid-users] Block HTTP-Tunnel (WOW)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 2 Sep 2005 17:58:49 +0200 (CEST)

On Fri, 2 Sep 2005, Lasse Mørk wrote:

> Is there any way it is possible to block an HTTP tunnel?

Yes, block access to the relay server used on the Internet. See
access.log.

> It's fu....... driving me nuts that they have made a tunnel to play World
> of Warcraft through...

Fact of life: If there is some communication channel of at least 1 bit
where you have control of both endpoints (i.e. server and client), then
this can be used to build a tunnel, and it can be masqueraded as pretty
much anything (there are masquerading tunneling "solutions" for HTTP,
DNS, ICMP, IP fragments etc.).

> Or is the only way to block the host ? If so, how do I find that host ?

access.log is one way.

tcpdump another.

cachemgr open filedescriptors a third.

What you should look out for is odd patterns in

   - Same client making very many requests to a given server
   - Long-running CONNECT requests
   - CONNECT requests to odd ports (there are good reasons why the default
config restricts CONNECT to a small set of well-known ports only).

And if you enable log_mime_hdrs, these tunneling agents can sometimes be
identified by their request or response headers. If such identification
can be done, then you can make Squid access rules imposing a general ban on
the use of that relay agent (at least until the agent is changed to use
other request/response headers...).

The most effective cure is to have an enforceable policy for allowable use
of the network resources (including Internet), making it possible to take
significant action against persons found to abuse the network infrastructure.
Without this in place it may quickly escalate into a war-like situation
where the users wanting to do this go to greater and greater lengths to
hide their actions.

Regards
Henrik
Received on Fri Sep 02 2005 - 09:58:50 MDT
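The three access.log patterns Henrik lists (one client hammering one server, long-running CONNECT requests, CONNECT to ports outside the SSL_ports set) are easy to check mechanically. The script below is an added example, not code from the original thread or from the Squid project: it parses lines in Squid's default native log format (time, elapsed ms, client, code/status, bytes, method, URL, ...), and flags each pattern. The sample log lines are constructed for the example, and the request-count and duration thresholds are arbitrary starting points, not recommended values.

```python
"""Scan Squid native-format access.log lines for the tunnel tells named in the
reply: one client hammering one server, long-running CONNECT requests, and
CONNECT requests to ports outside the stock SSL_ports ACL (443)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Default "squid" logformat, whitespace separated:
#   time elapsed_ms client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Ports the stock squid.conf lets CONNECT reach ("acl SSL_ports port 443").
SSL_PORTS = {443}

# Constructed sample log (not from a real proxy): two ordinary requests from
# 10.0.0.7, then 10.0.0.5 holding a one-hour CONNECT open to port 8080 on a
# relay, a CONNECT to port 8000 that the default config denied, and 60 rapid
# polling GETs to the same relay host.
SAMPLE_LOG = [
    "1125676729.101    212 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1125676731.400   2000 10.0.0.7 TCP_MISS/200 88210 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -",
    "1125676740.000 3600000 10.0.0.5 TCP_MISS/200 10485760 CONNECT relay.example.net:8080 - DIRECT/203.0.113.7 -",
    "1125676741.000      3 10.0.0.5 TCP_DENIED/403 1100 CONNECT relay.example.net:8000 - NONE/- text/html",
] + [
    f"1125676{800 + i}.000     40 10.0.0.5 TCP_MISS/200 300 GET http://relay.example.net/poll?id={i} - DIRECT/203.0.113.7 text/plain"
    for i in range(60)
]


def parse_line(line):
    """Return a dict of the leading fields, or None for lines we can't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def dest_host_port(method, url):
    """CONNECT logs host:port; every other method logs a full URL."""
    if method == "CONNECT":
        if ":" not in url:
            return url, None
        host, _, port = url.rpartition(":")
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default


def find_suspects(lines, req_threshold=50, connect_ms=300_000):
    """Apply the three heuristics; thresholds are illustrative assumptions."""
    per_pair = Counter()   # (client, destination host) -> request count
    long_connect = []      # CONNECTs held open >= connect_ms
    odd_port = []          # CONNECTs to ports outside SSL_PORTS (incl. denied attempts)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, port = dest_host_port(rec["method"], rec["url"])
        per_pair[(rec["client"], host)] += 1
        if rec["method"] == "CONNECT":
            if rec["elapsed"] >= connect_ms:
                long_connect.append((rec["client"], rec["url"], rec["elapsed"]))
            if port not in SSL_PORTS:
                odd_port.append((rec["client"], rec["url"], rec["code"]))
    hammering = [(c, h, n) for (c, h), n in per_pair.most_common() if n >= req_threshold]
    return {"hammering": hammering, "long_connect": long_connect, "odd_port": odd_port}


if __name__ == "__main__":
    for kind, hits in find_suspects(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

With the stock config a CONNECT to a non-SSL port is refused, so the odd-port check mostly surfaces attempts (TCP_DENIED/403), which is still a useful pointer to the relay host to block. Once a relay is identified, `log_mime_hdrs on` lets you look for a distinctive header, and a `req_header` ACL with a matching `http_access deny` turns that into the general ban Henrik describes.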

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:03 MDT