The ICMP tunnelling trick was quite nifty. It will light most pieces of network monitoring software up like Christmas trees, though chances are public hotspot providers do not monitor traffic that closely.
Phillip Simbwa <[email protected]> wrote:
>Godfrey,
>
>How knowledgeable & resourceful are these chaps you are trying to
>block from doing their facebook rituals?
>
>If these dudes figured out the https trick, then it's a matter of time
>before they consider the following:
>
>1. Using raw IPs: e.g. http://69.171.247.21 or the dword equivalents
>such as: http://1168897813 (got from 69x256^3 + 171x256^2 + 247x256 +
>21). This may work on very weak filtering systems, but on a lazy day
>will get the dudes to their shrine. This doesn't require any special
>knowledge on the side of your stress boys.
>
>2. Free Web proxies such as CTunnel & Anonymous: No special knowledge
>required. http://ctunnel.com/ and http://anonymouse.org/anonwww.html
>
>3. Tor/Vidalia. This again may work on your network if you don't block
>tor traffic at your gateway. This doesn't require any special
>knowledge on the side of your stress boys.
>
>4. SSH tunneling: Easy if one of your stress boys runs a server
>somewhere. Wrote something related to this. Check this out:
>http://www.mail-archive.com/[email protected]/msg17050.html . This one
>is for the privileged few.
>
>5. VPN tunneling: Any chap using this to beat your network filtering
>has a VPN server running somewhere and is somewhat privileged.
>
>6. ICMP Tunneling: The stress boy running this one not only has root
>access on a Linux box with internet access but he knows a little more
>than your average computer user.
>http://neverfear.org/blog/view/9/Using_ICMP_tunneling_to_steal_Internet
>
>7. DNS tunneling: http://dnstunnel.de/ http://code.kryo.se/iodine/
>http://heyoka.sourceforge.net/ This, just like ICMP tunneling, requires
>a dude to have access to a linux box reachable over the Internet.
>Root access is preferred.
>
>So what are your options:
>
>1. Deploy SQUID + Dansguardian/Squid Guard: If you can't do it from
>scratch, just install ClearOS http://www.clearfoundation.com/ and ping
>me to send you custom dansguardian-av & squid config files to use if
>you are interested. ClearOS has a protocol filter to block TOR
>traffic as well. For HTTPS, I would recommend using a blanket block
>("**s" in your dansguardian-av bannedsitelist).
>
>2. Use SNORT to detect tunnels and, together with your firewall, take
>punitive action on whoever tries any form of tunneling on your
>network. This will require that you do packet analysis to build
>signatures for snort.
>
>3. Internal DNS server: As mentioned by Benjamin & Kyle, this could
>help, and more so with options 1 & 2 above.
>
>The above should handle 80% of your blocking needs. Then with good
>scripting, add the time element esp. for snort and the firewall. Squid
>handles time based access well.
>
>Cheers,
>
>--
>- Phillip.
>
>“Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in
>waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the
>frist and lsat ltteer are in the rghit pclae. The rset can be a toatl mses and
>you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
>ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
>out aynawy."
>_______________________________________________
>The Uganda Linux User Group: http://linux.or.ug
>
>Send messages to this mailing list by addressing e-mails to:
>[email protected]
>Mailing list archives: http://www.mail-archive.com/[email protected]/
>Mailing list settings: http://kym.net/mailman/listinfo/lug
>To unsubscribe: http://kym.net/mailman/options/lug
>
>The Uganda LUG mailing list is generously hosted by INFOCOM:
>http://www.infocom.co.ug/
>
>The above comments and data are owned by whoever posted them (including
>attachments if any). The mailing list host is not responsible for them
>in any way.
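Point 1 of the quoted message (raw and dword IPs slipping past a name-based filter) and option 1 (a Squid/Dansguardian filter) together suggest the check a filter needs: canonicalise whatever host form the URL carries before matching it against the blocklist. The following Python is an added example written for this thread, not code from the original message, ClearOS, Squid or Dansguardian. The blocklist prefix and the names in it are constructed sample values, and the parser follows inet_aton's "last part fills the remaining bytes" rule for 1- to 4-part decimal, hex and octal forms (it accepts "08" as decimal 8, which glibc's inet_aton would reject).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blocklist (example values, not from the page). The /19
# was chosen so that the quoted 69.171.247.21 falls inside it.
BLOCKED_NETS = [ipaddress.ip_network("69.171.224.0/19")]
BLOCKED_NAMES = {"facebook.com"}


def _part_to_int(part):
    # Accept 0x hex, leading-zero octal and plain decimal, like inet_aton does.
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)


def canonical_ip(host):
    """Dotted-quad string for an inet_aton-style numeric host, else None.

    Handles http://1168897813 (dword), http://0x45.0xab.0xf7.0x15 (hex),
    octal parts, and 1-4 part forms; non-numeric hostnames return None.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    value = 0
    for n in nums[:-1]:            # leading parts are single bytes
        if n > 255:
            return None
        value = (value << 8) | n
    remaining_bits = 8 * (5 - len(parts))   # last part fills the rest
    if nums[-1] >= 1 << remaining_bits:
        return None
    value = (value << remaining_bits) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def is_blocked(url):
    """True if the URL's host is a blocked name or a numeric form of a blocked address."""
    host = urlsplit(url).hostname or ""     # urlsplit lowercases the hostname
    ip = canonical_ip(host)
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in BLOCKED_NETS)
    return any(host == name or host.endswith("." + name) for name in BLOCKED_NAMES)


if __name__ == "__main__":
    for u in ("http://1168897813/", "http://0x45.0xab.0xf7.0x15/",
              "https://www.facebook.com/", "http://example.org/"):
        print(u, "->", "BLOCKED" if is_blocked(u) else "allowed")
```

A filter that only matches the literal host string sees "1168897813" and "69.171.247.21" as different things; normalising first means one network entry covers every spelling. A name that resolves to a blocked address is a separate case (the filter would need to resolve and check the result), which is where the internal DNS server in option 3 helps.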
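The reply's remark that ICMP tunnelling lights monitoring software up, and option 2 in the quoted message (build Snort signatures for tunnels from packet analysis), both rest on the same observation: tunnelled traffic looks unlike the protocol it borrows. The Python below is an added example for this thread, not code from the original message or from Snort, showing two such heuristics over a constructed set of flow records: echo requests with payloads far larger than the 32/56-byte default ping, and bursts of DNS queries whose labels are packed near the 63-byte label limit under one zone. The thresholds are assumptions picked for the example, and the sample records are constructed, not captured.

```python
import hashlib
from collections import defaultdict

# Thresholds are assumptions chosen for this example, not values from the page.
ICMP_BIG_PAYLOAD = 128      # bytes; default ping payloads are 32 (Windows) or 56 (Linux)
ICMP_MIN_BIG_COUNT = 10     # oversized echo requests per source before alerting
DNS_LONG_LABEL = 30         # characters; tunnels pack data into labels up to the 63-byte limit
DNS_MIN_LONG_COUNT = 5      # long-label queries per (source, zone) before alerting


def zone_of(qname):
    """Zone used to group queries: the last two labels (a simplification)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def longest_label(qname):
    return max(len(label) for label in qname.rstrip(".").split("."))


def detect_tunnels(records):
    """Return alerts for ICMP- and DNS-tunnel patterns in the records.

    records: iterable of (src_ip, kind, detail, payload_len) where kind is
    "icmp" (detail = ICMP type, 8 = echo request) or "dns" (detail = query name).
    """
    icmp_big = defaultdict(list)   # src -> payload sizes of oversized echo requests
    dns_long = defaultdict(int)    # (src, zone) -> count of long-label queries
    for src, kind, detail, payload_len in records:
        if kind == "icmp" and detail == 8 and payload_len > ICMP_BIG_PAYLOAD:
            icmp_big[src].append(payload_len)
        elif kind == "dns" and longest_label(detail) > DNS_LONG_LABEL:
            dns_long[(src, zone_of(detail))] += 1

    alerts = []
    for src, sizes in icmp_big.items():
        if len(sizes) >= ICMP_MIN_BIG_COUNT:
            alerts.append({"rule": "icmp-tunnel", "src": src,
                           "count": len(sizes), "mean_payload": sum(sizes) // len(sizes)})
    for (src, zone), count in dns_long.items():
        if count >= DNS_MIN_LONG_COUNT:
            alerts.append({"rule": "dns-tunnel", "src": src, "zone": zone, "count": count})
    return alerts


def _fake_label(i):
    # Deterministic stand-in for the encoded data a tunnel client puts in a label.
    return hashlib.sha256(str(i).encode()).hexdigest()[:56]


# Constructed sample traffic (not captured data): one host pinging and browsing
# normally, one host sending oversized echo requests and long-label queries.
SAMPLE_RECORDS = (
    [("10.0.0.5", "icmp", 8, 56)] * 4
    + [("10.0.0.9", "icmp", 8, n) for n in
       [1400, 1200, 900, 1400, 1100, 1400, 800, 1400, 1300, 1400, 1400, 1250]]
    + [("10.0.0.5", "dns", "www.example.org", 0), ("10.0.0.5", "dns", "mail.example.org", 0)]
    + [("10.0.0.9", "dns", f"{_fake_label(i)}.t.tunnel.example", 0) for i in range(8)]
)

if __name__ == "__main__":
    for alert in detect_tunnels(SAMPLE_RECORDS):
        print(alert)
```

Both heuristics are volume-based on purpose: a single large ping or one odd-looking query is normal, while dozens from one source inside a short window are what a Snort `threshold`/`detection_filter` on a payload-size or DNS rule would also key on. Run on real flow logs, the record tuples would come from the capture tool rather than the constructed list, and the zone grouping would want a public-suffix list instead of "last two labels".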
