Blocking Kazaa Connections

Thread: Blocking Kazaa Connections

  1. #1
    Member
    Join Date
    May 2002
    Posts
    82

    Blocking Kazaa Connections

    Greetz all, been a while...

    I've been looking around for different ways to keep users on a network from using Kazaa. Most of the users are knowledgeable enough that if I manipulate the stations themselves, they'd change it back or work around it. I'm looking for the silver bullet, so to speak. I want to block it at the gateway (OpenBSD box).

    Although I've seen quite a few threads here and there on the subject, no one seems to have come up with a definitive answer on the matter, and I was wondering if any of you have figured this out. Pray tell!

    Thanx a mill!

    Rev
    Many will ask, "Where do you want to go today?" because they're still scratching for ideas.

    With *NIX, there's already a way. The sum of us just need roadmaps to get there.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes,

    Kazaa places peer info in a registry key. This means that anything you try with a firewall will ultimately fail in blocking the traffic. The *only* way that I have been able to block this traffic has been with Websense (http://www.websense.com). The problem here is that Websense costs a few bucks and requires at least two beefy servers.

    Other than that, restricting installation of software on the workstation would be your last resort.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Kazaa also sends out its initial SYN on port 1214. Upon failure it switches down to 80 I believe which you can't block. However if you have your firewall alert you on port 1214 connections then you can determine which computer and then deal appropriately with the keyboard to seat interface, (the (L)user)...... It works for me..... only had one attempt...... then the word went out..... "Tiger Shark gets real pissy if you......." <snikker>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Member
    Join Date
    May 2002
    Posts
    82
    peer nfo as in IP addresses, right? When the software is installed does it place random addys, or is it something that the software remembers as it goes along and makes the connections? What I'm getting at is this... I have a weekend where I'll be cleaning out all the stations. If I remove all the instances of Kazaa, and their registry keys, is there a small list of servers it will try and connect to initially after its install? If that can be stopped, then surely it won't be able to connect and the registry list can't grow, right? (/me hopes?)
    Many will ask, "Where do you want to go today?" because they're still scratching for ideas.

    With *NIX, there's already a way. The sum of us just need roadmaps to get there.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, we too employ the "deskside visit". The word does spread and we do see much less attempts, however, I deal with 10k users so there is always some clown who thinks he can beat the system - how sadly mistaken they are

    Anyway, the predefined peers in the registry key, to date, have not been posted here on AO. I looked at the key briefly and it wasn't as simple as a list in a REG_SZ key. The Kazaa key is a binary entry, which after looking at it, is nothing more than crypto babble (on the surface of course). So the answer is, to date, no one here knows exactly what peers are listed statically or if there is some type of calculation that is performed to come up with a peer.

    Again, you'll need a solution at your gateway which is able to block specific protocols, you'll need to set triggers in whatever you use to monitor firewall logs (or IDS logs) or you have to prevent users from installing software on the workstations (via group policy or local security policy). That about sums it up.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
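
The log trigger described in posts #3 and #5, as an added example that is not part of the original thread: it scans firewall log lines for SYNs from the LAN to port 1214 and lists the offending workstations. The line format (modelled on `tcpdump -n -e -ttt -r /var/log/pflog` output), the interface names, the LAN range and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

KAZAA_PORT = 1214  # port of the initial SYN, per post #3

# Assumed line shape: pflog read back through tcpdump on the gateway.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+rule\s+\S+\s+(?P<action>block|pass)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>S\b|Flags \[S\])"
)

# Constructed sample log; addresses come from documentation/private ranges.
SAMPLE = """\
Feb 10 14:02:11.104233 rule 3/(match) block in on fxp1: 192.168.1.23.1042 > 203.0.113.9.1214: S 311:311(0) win 16384 (DF)
Feb 10 14:02:14.110871 rule 3/(match) block in on fxp1: 192.168.1.23.1042 > 203.0.113.9.1214: S 311:311(0) win 16384 (DF)
Feb 10 14:02:15.000412 rule 5/(match) pass in on fxp1: 192.168.1.23.1043 > 203.0.113.9.80: S 877:877(0) win 16384 (DF)
Feb 10 14:05:40.551200 rule 3/(match) block in on fxp1: 192.168.1.57.3310 > 198.51.100.44.1214: S 902:902(0) win 65535
Feb 10 14:06:02.000100 rule 1/(match) block in on fxp0: 198.51.100.7.4000 > 192.168.1.1.1214: S 5:5(0) win 8192
garbage line that does not parse
""".splitlines()

def kazaa_attempts(lines, lan="192.168.1.0/24", port=KAZAA_PORT):
    """Return {internal_ip: [timestamps]} for SYNs sent from the LAN to `port`."""
    net = ipaddress.ip_network(lan)
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # unparseable line, or not the port we alert on
        if ipaddress.ip_address(m["src"]) in net:  # ignore inbound scans
            hits[m["src"]].append(m["ts"])
    return dict(hits)

def report(hits):
    """Workstations ordered by attempt count: (ip, attempts, first_seen)."""
    return sorted(((ip, len(ts), ts[0]) for ip, ts in hits.items()),
                  key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, count, first in report(kazaa_attempts(SAMPLE)):
        print(f"{ip}: {count} attempt(s) to port {KAZAA_PORT}, first at {first}")
```

This only catches the initial attempt on 1214; the fallback to port 80 mentioned in post #3 does not appear in these matches.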

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    The option which springs to mind, aside from using things like "Layer 7 packet classifier"

    http://l7-filter.sourceforge.net/

    Or commercial alternatives, would be:

    - Set up a transparent proxy
    - Discover what URL patterns Kazaa uses
    - Add rules to the proxy configuration to block requests for URL patterns known to be used by Kazaa
    - Block all outgoing connections not going through the transparent proxy

    Slarty

  7. #7
    Member
    Join Date
    May 2002
    Posts
    82
    Argh! And I thought I was going to be able to relax today... Oh well... Time to get at it. I'll play with it and let you know what I come up with. Thanx for the ideas.

    Rev
    Many will ask, "Where do you want to go today?" because they're still scratching for ideas.

    With *NIX, there's already a way. The sum of us just need roadmaps to get there.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jazz: If you come up with a workable, "generic" fix for Kazaa I would be interested in seeing your solution..... I don't have a problem with it but I would like to stop it period rather than have to wander down to someone's desk and hurt my hand on the side of their head.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Muhwahahahaa! Isn't the act of showing up with a perma-scowl on your face part of the fun of being a network nazi??!! Well, that's what we've been labeled as anyway...

    We built rules based on Kazaa traffic patterns but it seems that each new release of Kazaa comes with distinct changes in how it interoperates with other peers. We got tired of chasing end users around and coming up with reliable rulesets so we installed Websense and have had no issues to date even with the new releases of Kazaa.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Originally posted here by thehorse13
    Muhwahahahaa! Isn't the act of showing up with a perma-scowl on your face part of the fun of being a network nazi??!! Well, that's what we've been labeled as anyway...
    Look Hoss..... I'm knocking on a bit now...... The perma-scowl is perma through so many years of it being there and I'm getting arthritis from too many nights out crawling through cold, wet mud to make a living...... So..... Anything I can do to preserve this stunning body of mine I will.......

    We built rules based on Kazaa traffic patterns but it seems that each new release of Kazaa comes with distinct changes in how it interoperates with other peers. We got tired of chasing end users around and coming up with reliable rulesets so we installed Websense and have had no issues to date even with the new releases of Kazaa.
    Yeah.... and the more the RIAA/MPAA screw with the system the harder this is going to be to detect let alone stop..... They are really shooting themselves in the foot by making it consistently harder for us nice, law-abiding sysadmins from helping them to minimize the traffic......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
