Re: [Full-disclosure] Kazaa

[trains@xxxxxxxxxxxxxx]

Quoting James_gmail-ij <ij3n0spam@xxxxxxxxx>:

> > Other than removing Kazaa and preventing installation, how else can I block
> > it from being used?
>
> At the firewall, with some additonal programming. There was an 
> article in one of
> the Linux Magazines - LinuxJournal? - some time ago. Dont have the 
> Mag. to hand.

I remember this article:   http://linuxjournal.com/article/6945

> There are various modes, designed to evade trivial block rules. The
> article examines
> the protocols in detail and describes how to defeat it completely.

At the time, I used the article's info to put together some snort 
rules, etc, but the protocol proved to be very adaptive.  and it has 
mutated since 2003.

My current best effort is to not block the initial conversation setup.  
the same goes for bittorrent.  If you try to block it, it just keeps 
adapting till it gets through.  you will lose that game.  What I do 
instead is capture the initial kazaa and bittorrent traffic with snort, 
then shun the outside servers for one hour.  It doesn't stop kazaa or 
bittorrent from working, but it does make the products work very, very 
poorly.  Over time, we have seen a significant drop in the amount of 
traffic, and bittorrent traffic has dropped to nearly zero.

The reason you have to let the initial traffic burst out is because the 
first protocol it tries is easy to monitor and dissect.  the later, 
adaptive traffic is harder to associate and dissect.

t


-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@xxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/