Whoops, deleted the last mail :/ Anyway. It could be interesting to know what to look for in the access.log... If anyone knows, I will be glad :)

> On Fri, 2 Sep 2005, Lasse Mørk wrote:
>
>> Is there any way it is possible to block an HTTP tunnel?
>
> Yes, block access to the relay server used on the Internet. See
> access.log.
>
>> It's fu....... driving me nuts that they have made a tunnel to play World
>> Of Warcraft through...
>
> Fact of life: If there is some communication channel of at least 1 bit
> where you have control of both endpoints (i.e. server and client)
> then this can be used to build a tunnel, and it can be masqueraded as
> pretty much anything (there are masquerading tunneling "solutions" for
> HTTP, DNS, ICMP, IP fragments etc.).
>
>> Or is the only way to block the host? If so, how do I find that host?
>
> access.log is one way.
>
> tcpdump another.
>
> cachemgr open filedescriptors a third.
>
>
> What you should look out for is odd patterns in
>
> - Same client making very many requests to a given server
> - Long running CONNECT requests
> - CONNECT requests to odd ports (there are good reasons why the default
> config restricts CONNECT to a small set of well known ports only).
>
> And if you enable log_mime_hdrs these tunneling agents sometimes can be
> identified by their request or response headers. If such identification
> can be done then you can make Squid access rules imposing a general ban on
> the use of that relay agent (at least until the agent is changed to use
> other request/response headers...)
>
> The most effective cure is to have an enforceable policy for allowable use
> of the network resources (including Internet), making it possible to take
> significant actions against persons found to abuse the network infrastructure.
> Without this in place it may quickly escalate into a war-like situation
> where the users wanting to do this go to greater and greater lengths in
> hiding their actions.
>
> Regards
> Henrik
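The three access.log patterns Henrik lists above (one client hammering one server, long-running CONNECT requests, CONNECT to ports outside the allowed set), as an added example that is not code from this thread or from the Squid project. It scans Squid native-format log lines (time, elapsed ms, client, code/status, bytes, method, URL, ident, peer, type). The sample log lines, the thresholds and the ALLOWED_CONNECT_PORTS set are constructed assumptions for illustration; Squid's stock squid.conf only permits CONNECT to SSL_ports (443), so add whatever your site legitimately uses.

```python
"""Added example (not from the thread or Squid): flag tunnel indicators in a
Squid native-format access.log. Thresholds, sample lines and the allowed-port
set are assumptions for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native log format, one request per line:
#   time elapsed_ms client code/status bytes method URL ident peerstatus/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<type>\S+)$"
)

ALLOWED_CONNECT_PORTS = {443}          # assumption: only 443 is a legitimate CONNECT target here
LONG_CONNECT_MS = 10 * 60 * 1000       # assumption: a CONNECT held open >10 min is suspicious
MANY_REQUESTS = 50                     # assumption: >=50 hits from one client to one host

# Constructed sample log: two ordinary clients plus one client (192.168.1.50)
# polling relay.example.net and holding a 30-minute CONNECT to port 8080.
SAMPLE_LOG = [
    "1125670000.100  2130 192.168.1.20 TCP_MISS/200 8812 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html",
    "1125670001.200  1800 192.168.1.20 TCP_MISS/200 3412 CONNECT mail.example.com:443 - DIRECT/203.0.113.11 -",
    "1125670002.300 1800000 192.168.1.50 TCP_MISS/200 55123456 CONNECT relay.example.net:8080 - DIRECT/203.0.113.7 -",
] + [
    "1125670%03d.000 45 192.168.1.50 TCP_MISS/200 512 GET http://relay.example.net/poll?n=%d - DIRECT/203.0.113.7 application/octet-stream"
    % (i, i)
    for i in range(60)
]


def parse(line):
    """Return the fields of one native-format line as a dict, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def target_host_port(method, url):
    """CONNECT logs 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        if not sep:
            return url, None
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def scan(lines):
    """Apply the three heuristics; return a list of (kind, client, host, detail) findings."""
    findings = []
    pair_counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        host, port = target_host_port(rec["method"], rec["url"])
        pair_counts[(rec["client"], host)] += 1
        if rec["method"] == "CONNECT":
            if port not in ALLOWED_CONNECT_PORTS:
                findings.append(("connect_odd_port", rec["client"], host, port))
            if rec["elapsed"] >= LONG_CONNECT_MS:
                findings.append(("connect_long", rec["client"], host, rec["elapsed"]))
    for (client, host), n in pair_counts.items():
        if n >= MANY_REQUESTS:
            findings.append(("many_requests", client, host, n))
    return findings


if __name__ == "__main__":
    for kind, client, host, detail in scan(SAMPLE_LOG):
        print("%-17s %-14s %-20s %s" % (kind, client, host, detail))
```

Against the constructed log the scanner reports the same client three times: a CONNECT to relay.example.net:8080, that CONNECT lasting 30 minutes, and 61 requests to the same host. A real log needs the thresholds tuned to the site, and a long CONNECT to port 443 with a large byte count deserves the same attention even though it passes the port check; the header-based identification Henrik mentions (log_mime_hdrs) can be bolted on as a further pattern over the extra fields that option appends.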