Security Basics mailing list archives

RE: Filtering new KaZaa!!!
From: Ghaith Nasrawi <libero () aucegypt edu>
Date: Sat, 02 Nov 2002 22:33:19 +0200

You can also base your blocking decision on content. From my
observations, these P2P programs have a specific header for every
transaction, which can be easily blocked!

RGdS!

G.

=====================================

"The function of intelligence is therefore not that of copying the
objects of the environment, but rather of taking account of the way
in which more effective and more profitable relations with these
objects may be established in the future", John Dewey


- -----Original Message-----
From: Soporte [mailto:soporte () opticalip com pe] 
Sent: 31 ??????, 2002 02:31 ?
To: security-basics () securityfocus com
Subject: Filtering new KaZaa!!!

Hi Guys!!!
 
I am trying to block KaZaa using access lists. I read many
tips like blocking port 1214 or blocking the Morpheus network, but
with the latest version of KaZaa it seems that does not work. Why?
Let me explain...
I have Kazaa Media Desktop 2.0 (Built: Friday, September 20,
2002 16:14:03), a Network Protocol Analyzer (Ethereal Version
0.9.7) and a Cisco Catalyst 6509 (IOS MSFC2 Software C6MSFC2-IS-M
Version 12.1 E4)

1) Running the sniffer and then starting Kazaa, I found that
the first contact with its server is a DNS query for
"www.altnetp2p.com" (217.116.227.249), which has an alias
named "media.altnet.com". Then I blocked any traffic to that
target with the following access-list and applied it to the
interface:
 
access-list 100 deny   ip any host 217.116.227.249
access-list 100 permit ip any any
 
interface Vlan12
 ip access-group 100 in
 
 
Then the client still connected to Kazaa, but the initial desktop
was down.
 
2) Flushing my DNS cache (ipconfig /flushdns) and then rerunning
the sniffer and then Kazaa, we found that when the client cannot
get any response from "www.altnetp2p.com" (217.116.227.249)
it tries "desktop.kazaa.com"
(217.116.226.13, 217.116.226.11, 217.116.226.12), which has the
alias "rr1.kazaa.com". Then I blocked it too:
 
access-list 100 deny   ip any host 217.116.227.249
access-list 100 deny   ip any host 217.116.226.11
access-list 100 deny   ip any host 217.116.226.12
access-list 100 deny   ip any host 217.116.226.13
access-list 100 permit ip any any
 
And again the client still connected to Kazaa.
 
3) Again I loaded the sniffer and then the client, and I saw a
DNS query for "www.cms1.net" (209.73.225.7) and for
"servedby.advertising.com" (209.225.0.6) with the following
connections:
 
http://209.73.225.7/scripts/cms/CmsInit.ASP?ID=200101&D2=%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%40%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F&AW=291&LV=3210&CU=22068156
 
I have the following output from the browser; I do not know
what this is:
DATA_OK W_STR [C=101][V=] W_STR [C=103][V=] W_STR [C=100][V=]
W_STR [C=102][V=] W_STR [C=104][V=] W_INT [C=33][V=22068156]
W_INT [C=34][V=1036021229]
 
http://209.225.0.6/site=94237/size=468060/bnum=26639628/optn=1
 
I got a file with a link that targets some kind of ad-ware:
http://servedby.advertising.com/site=0000094237/mnum=0000074213/genr=1/logs=0/mdtm=1033158880/bins=1/optn=1 border=0
width=468 height=60 alt='Click to learn more...'
I blocked the traffic to these targets:
 
access-list 100 deny   ip any host 217.116.227.249
access-list 100 deny   ip any host 217.116.226.11
access-list 100 deny   ip any host 217.116.226.12
access-list 100 deny   ip any host 217.116.226.13
access-list 100 deny   ip any host 209.73.225.7
access-list 100 deny   ip any host 209.225.0.6
access-list 100 permit ip any any
 
But the client still connects to the server... and also has
adware???

4) Once again I ran the sniffer and Kazaa, and something interesting
came up in this session: I had a set of requests to 5 servers via UDP.
At this point I tried to restrict the traffic to those addresses, but
again another 5 servers appeared with different addresses, and again,
and again and again... I had an access-list of more than 20 lines with
these servers and new servers always appeared, but I noticed that all
requests were made from port 2210 of my box, so I restricted the
UDP sessions from this port to any server:
 
access-list 100 deny   ip any host 217.116.227.249
access-list 100 deny   ip any host 217.116.226.11
access-list 100 deny   ip any host 217.116.226.12
access-list 100 deny   ip any host 217.116.226.13
access-list 100 deny   ip any host 209.73.225.7
access-list 100 deny   ip any host 209.225.0.6
access-list 100 deny   udp any eq 2210 any
access-list 100 permit ip any any
 
And YEEEEESSSSSS!!!! but no... the client shoots to all the servers,
all with different ports, only 3 with the famous 1214 port, and also
a server with port 23 listening??? Neither a selectable range of
ports to filter, nothing... and the client still gets connected,
but this time there is a noticeable great delay to connect:

 
At this time my last attempt was to filter any IP connection to
those addresses; I finished with an access-list of nearly 100 lines, but
via TCP new addresses appear, and as I said before there is not
a defined range of ports to try to filter, and the client still
gets connected!!!
What happened??? This is like the client has a list with a lot
of servers to try to connect to!!! If somebody has any idea, please
let me know; I will be very happy.
 
 
 
        Rick McCasttle
        Anti-KaZaa kid!!!



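An added example (not part of this thread, and not the KaZaa or Cisco vendor's code) of the content-based approach Ghaith suggests: it classifies HTTP requests by what they carry rather than by destination address, which is why Rick's per-host access-list kept growing. The `X-Kazaa-*` header names are assumed from general knowledge of the FastTrack client, not from this thread; the ad-beacon hosts and the `CmsInit.ASP` path come from Rick's sniffer output; the sample requests are constructed.

```python
import re

# Header names assumed from general knowledge of the FastTrack/KaZaa client,
# not taken from this thread.
KAZAA_HEADERS = {"x-kazaa-username", "x-kazaa-network", "x-kazaa-ip", "x-kazaa-supernodeip"}
# Ad/stat beacon hosts and path observed in the sniffer output quoted above.
AD_HOSTS = {"209.73.225.7", "www.cms1.net", "209.225.0.6", "servedby.advertising.com"}
AD_PATH_RE = re.compile(r"/scripts/cms/CmsInit\.ASP", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return 'kazaa', 'kazaa-adware' or 'other' using request content only."""
    _method, target, headers = parse_request(raw)
    if any(h in headers for h in KAZAA_HEADERS):
        return "kazaa"
    host = headers.get("host", "").split(":")[0].lower()
    if host in AD_HOSTS or AD_PATH_RE.search(target):
        return "kazaa-adware"
    return "other"


# Constructed sample requests: a P2P transfer (destination taken from Rick's list),
# the CmsInit.ASP ad beacon he captured, and an ordinary browser request.
SAMPLES = {
    "p2p": b"GET /.hash=CONSTRUCTED HTTP/1.1\r\nHost: 198.82.83.161:1214\r\n"
           b"X-Kazaa-Username: anonymous\r\nX-Kazaa-Network: KaZaA\r\n\r\n",
    "beacon": b"GET /scripts/cms/CmsInit.ASP?ID=200101&AW=291&LV=3210 HTTP/1.0\r\n"
              b"Host: 209.73.225.7\r\n\r\n",
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
}


def classify_samples():
    """Classify every constructed sample; the verdicts depend on content, not on IP."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The same header match is the kind of signature a content-inspecting filter or IDS rule would use, so it keeps working when the client moves to a fresh set of supernode addresses.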

