Security Basics mailing list archives

Re: How do i stop yahoo with netscreen.


From: Vincent <pros-n-cons () bak rr com>
Date: 30 Aug 2003 07:48:59 -0700

On Fri, 2003-08-29 at 00:24, iain wrote:
> Hi all
>
> been asked to block messenger programs on one of my sites, got msn, icq and
> aol beat.
>
> But yahoo tried everything, blocked 3 entire subnets and still no joy, any
> ideas.

Yahoo is hard to block, not only do they have a boatload of addresses,
but the software itself is like a bacteria trying to survive, if UDP
won't work it'll try TCP, etc. They don't want people writing 3rd party
chat clients and that's why the mess.
So for the short answer filter these ports:

20 23 25 80 119 5050 5000-5010 8000-8010 

Here are auth servers I know of all on port 80:
login.yahoo.com
edit.yahoo.com
edit.my.yahoo.com
edit.europe.yahoo.com
msg.edit.yahoo.com
edit.in.yahoo.com
edit.tpe.yahoo.com

For the YCHT protocol (usually what chat.yahoo.com would get if using
java) ports 8001 and 8002 are used AFAIK but might go to 8010:
cs1.chat.sc5.yahoo.com
cs2.chat.sc5.yahoo.com
cs3.chat.sc5.yahoo.com
... continues till cs51. Two current working examples are:
   72 MS CS8.CHAT.SC5.YAHOO.COM [66.163.172.178:8001]
   49 MS CS5.CHAT.SC5.YAHOO.COM [66.163.168.48:8001]

There is also a DHTML (chat2 protocol) on chat.yahoo.com that can use
tons of ports including 5050 119 80 25 23 20 8001 8002
(I think it goes up to 8010). The IPs for this appear to be in the
216.136.227.0 range,
dcs2.chat.sc5.yahoo.com as an example.

YMSG9 and 10 (older and newer protocol) can use all the same ports as
DHTML 
and a few working addresses are:
   56 MS      SCS.YAHOO.COM [216.136.226.19:5050]
   57 MS  SCS.MSG.YAHOO.COM [66.163.169.149:5050]
   52 MS CS11.MSG.YAHOO.COM [216.136.175.143:5050]
   50 MS CS12.MSG.YAHOO.COM [216.136.175.144:5050]
   69 MS CS13.MSG.YAHOO.COM [216.136.175.145:5050]
   72 MS ACS1.MSG.SC5.YAHOO.COM [216.136.224.142:5050]
   53 MS ACS2.MSG.SC5.YAHOO.COM [216.136.224.143:5050]

here is a list of voice servers that try on 5000-5010
v1.vc.scd.yahoo.com (66.218.70.32)
v2.vc.scd.yahoo.com (66.218.70.33)
v3.vc.scd.yahoo.com (66.218.70.34)
v4.vc.scd.yahoo.com (66.218.70.35)
v5.vc.scd.yahoo.com (66.218.70.36)
v6.vc.scd.yahoo.com (66.218.70.37)
v7.vc.scd.yahoo.com (66.218.70.38)
v8.vc.scd.yahoo.com (66.218.70.39)
v9.vc.scd.yahoo.com (66.218.70.40)
v10.vc.scd.yahoo.com (66.218.70.41)
v11.vc.scd.yahoo.com (66.218.70.42)
v13.vc.sc5.yahoo.com (66.218.70.43)
vc1.vip.scd.yahoo.com (66.218.70.44)

Blocking by the address will be really hard but you could
probably cook some perl script up to verify the address.
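
The address check suggested at the end of the post, sketched in Python rather than Perl as an added example (not code from the post): it re-resolves recorded hostnames, reports any whose address has changed, and matches flows on address and port together. The function names and the four-host subset are assumptions for illustration; the addresses and ports are the ones quoted above, and 192.0.2.10 is a constructed value.

```python
import ipaddress
import socket

# Hostname -> address pairs quoted in the post (a four-host subset, 2003 values).
KNOWN = {
    "scs.yahoo.com": "216.136.226.19",
    "scs.msg.yahoo.com": "66.163.169.149",
    "cs11.msg.yahoo.com": "216.136.175.143",
    "v1.vc.scd.yahoo.com": "66.218.70.32",
}
# Ports from the post; 5000-5010 and 8000-8010 are ranges.
PORTS = {20, 23, 25, 80, 119, 5050} | set(range(5000, 5011)) | set(range(8000, 8011))

def dns_lookup(host):
    """Return the set of IPv4 addresses a name resolves to (empty on failure)."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def verify(known, resolve=dns_lookup):
    """Re-resolve every recorded host.

    Returns (current, changed): the addresses to filter now, and a map of
    hosts whose recorded address is no longer among the answers.
    """
    current, changed = set(), {}
    for host, old_ip in known.items():
        answers = resolve(host)
        if not answers:                 # lookup failed: keep the recorded address
            answers = {old_ip}
        elif old_ip not in answers:     # the service moved: rule set is stale
            changed[host] = answers
        current |= answers
    return current, changed

def is_messenger_flow(dst_ip, dst_port, blocked):
    """Match on address AND port, so other hosts on 80 or 25 are left alone."""
    return dst_port in PORTS and str(ipaddress.ip_address(dst_ip)) in blocked

if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo runs offline.
    fake = {h: {ip} for h, ip in KNOWN.items()}
    fake["scs.msg.yahoo.com"] = {"192.0.2.10"}   # constructed "moved" address
    current, changed = verify(KNOWN, lambda h: fake[h])
    print("changed:", changed)
    print("5050 to moved host:", is_messenger_flow("192.0.2.10", 5050, current))
```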



