Blocking Instant Messenger

sataylo
Level 1

Hi,

I would like to block all Instant Messengers:

AOL, Yahoo, and Microsoft Messenger.

Could someone help me out...

Thank you.

5 Replies

ajd
Level 1

Look up the ports for these services (all available at their respective web sites) and create an access-list that bans that traffic.

Remember that AIM can be configured for port 80, but I doubt 'users' know this.

-ne1secure?

AIM can be configured for other ports besides 80, including 25 (SMTP). Users do know this, especially users who have worked in a government environment. Word travels fast. If one smart user loses IM and finds out how to get it back, they will share the knowledge. For AIM, block all access to login.oscar.aol.com.

I have attempted to block AIM and MSN Messenger, but I have found that once you block a port, the first attempt to connect to the server is fouled, but the second attempt uses another port and slips right past the access list. ICQ was easy to block, as it does not seem to do this.

tim.hunt
Level 1

This is an article I had. Good information.

Blocking Chat Programs - Nov. 29, 2001

(Updated Nov 29 with some more information on MSN Messenger subnet in use and Yahoo! Messenger addresses. Updated Nov 12 with changes for ICQ, thanks to Adrei Fisenko. Updated Nov 9 with some more information on blocking MSN Messenger. Updated August 29, with changes to AOL and ICQ subnets. Thanks to Kevin Sinclair).

A lot of people seem to have problems blocking Chat programs, specifically AOL Instant Messenger, MSN Messenger, Yahoo! Messenger and ICQ. Here is some information that may help you cut these programs off at the BorderManager server. Thanks to Kevin Sinclair for his input on the IP subnets and Yahoo Messenger on this.

Background:

Chat programs are very popular, and many are designed to be 'easy to use'. In order to be easy to use, they are designed to work under a wide variety of connectivity conditions, and automatically configure themselves for connection by whatever means is available. This automatic configuration makes it both easy to use, and harder to block, because the programs themselves will go through a trial-and-error sequence of looking for open ports to connect through, and use proxies if possible. Often, proxy settings will be picked up from Internet Explorer, but the programs usually want to make a direct TCP connection to a central server to start.

The way these programs work is that a connection must be made to a central server, through which communications to other users are established. This is the key to blocking these programs - deny them access to the central servers, and they cannot work.

A 3-Pronged Approach

There are three areas to consider when trying to block the programs from accessing their 'login' servers.

1. Filter Outbound Traffic

This method is the most basic, and used to work well before the programs got more sophisticated. It is ESSENTIAL to have at least the BorderManager default filters installed and enabled! The default filters WILL BLOCK ALL of these programs when they try to access the Internet. You have a problem only if you have not installed the filters (use LOAD BRDCFG to do so), are not running the filters, or you have set up exceptions that allow traffic. If you do not feel comfortable working with filter exceptions, call in a consultant <http://nscsysop.hypermart.net/craigbio.html> who does, or learn about filtering yourself - here's a link to my book <http://nscsysop.hypermart.net/filtbook.html> on configuring filters and exceptions for BorderManager.

Normally, AOL Instant Messenger uses TCP destination port 5190. MSN Messenger tries to use TCP destination port 1863. Yahoo! Messenger uses port 80. ICQ uses a range of port numbers, defaulting to UDP destination ports 2000-4000, but has so many options it is almost futile to try to figure them out. Recent versions of ICQ (2000b) may default to the AOL port 5190, since AOL bought ICQ.

All of these programs are revised often enough that you need to research each new version that comes out to see if something has changed. This documentation was written to AOL Instant Messenger version 3.0N, MSN Messenger 3.5.0077, and ICQ versions 99a and 2000b.

Once you have blocked a direct connection, the programs must try to connect via a proxy. The default filters should block all of the Chat programs listed above from connecting by bypassing a proxy.

If you have set up filter exceptions and dynamic NAT, some of these programs may make connections through otherwise safe port numbers, like DNS! (See approach number 3 in this case).

2. Block Access to Login Servers via Proxy

The programs generally have options to connect behind a firewall by entering proxy information, such as HTTP, SOCKS, or other. Some will pick up the proxy configuration information to try from Internet Explorer settings. Blocking a connection through a proxy is generally pretty easy as all you have to do is enter the proper Deny URL rule. Generally, the only proxy that will be used here is the HTTP Proxy, possibly the Transparent HTTP Proxy.

The key here is to deny whatever login server is called out in the configuration options for the chat program. Some may show you a configurable entry, while others (like MSN Messenger) hide it.

Login server names - set up a Deny URL access rule for these sites

· AOL Instant Messenger: oscar.login.aol.com

· MSN Messenger: gateway.messenger.hotmail.com (was login.gateway.hotmail.com)

· ICQ: login.icq.com and http.proxy.icq.com (Was icq.mirabilis.com and login.icq.com previously)

· Yahoo! Messenger: msg.edit.yahoo.com/*

(Yahoo! Messenger: Might also need to block messenger.yahoo.com/* and http.pager.yahoo.com/* Be sure to type in the http on that last URL).

3. Redirect Traffic to Login Servers via Dummy Static Routes

The first method should stop the usual connection routines, and the second should stop access via a proxy (HTTP or SOCKS), but what if the chat program piggybacks onto a DNS proxy (which ignores access rules) or you have configured filter exceptions to allow outbound DNS?

This is where we, the all-powerful firewall admins, get evil and tricky. We must determine the IP subnet of the login servers, and use a series of static routes to reroute traffic to those subnets to the bit bucket. As long as all traffic to the Internet has to go through the BorderManager server, this method will ALWAYS work. However, it is subject to those login servers staying on those same subnets! If the login servers are relocated to another subnet, this method will have to be updated with new addressing information. This method is also a real sledgehammer approach - you won't be able to make an exception for the admin (you) to get through and block everyone else.

A related method here would be to enter dummy DNS entries for the login hosts (such as in the BorderManager HOSTS file and any internal DNS servers), but that is relatively easily countered by someone knowing what the real IP addresses of the login servers are.

Kevin Sinclair recently posted this information on the Novell Public Forums, in June 2001. Be sure to do some testing on your own to make sure something hasn't changed by the time you try this.

Entering a static route in NetWare:

LOAD INETCFG, go to Protocols, TCP/IP, and go into LAN Static Routing Table. Make entries for Network with the network numbers listed below, using a next hop of an IP address that is within a network directly attached to the BorderManager server. (Don't use an IP address actually assigned to the server, or 127.0.0.1). For instance, if you have a private IP address of 192.168.1.1 bound to the BorderManager server, you can use a next hop address of 192.168.1.2 through 192.168.1.254 and it should work. If you were to put in an address such as 10.0.0.1 (with no 10.x.x.x network address bound to the server), it will be ignored, and the traffic will still be sent out via the default route.

To redirect AOL Instant Messenger:

AOL's login servers are on these subnets/addresses: 205.188.3.0, 205.188.5.0, 205.188.7.0, 64.12.161.153 and 64.12.161.185.

To redirect ICQ:

Redirect the networks 205.188.179.0, 205.188.162.0 and host 64.12.162.57. As of Nov 12, you may also need to redirect (at least) 64.12.163.132.

To redirect MSN Messenger:

I tested on Nov. 9, and there were multiple login servers, where in the past there was only one. By Nov. 29, it appeared that there were login servers at addresses 64.4.13.171 through 64.4.13.190. Microsoft may be adding even more in the future. I was still able to block MSN Messenger with just default filter exceptions and the Access Rule listed above, but should a new version of MSN Messenger come out that is able to slip by the proxy rules, try redirecting an entire subnet. Redirecting subnet 64.4.13.160 (255.255.255.224) will prevent traffic from reaching all addresses from 64.4.13.161 through 64.4.13.191. (Changing that subnet to 64.4.13.128 and the subnet mask to 255.255.255.128 would expand the blocking to 64.4.13.129 through 64.4.13.255).

To redirect Yahoo! Messenger:

So far I have not had to redirect Yahoo! Messenger, but simply used an Access Rule as listed above (like MSN Messenger). However, a reader reports the following addresses in use on Nov. 29, 2001, should you want to try the redirection technique.

csXX.msg.yahoo.com Series

216.136.175.143-145

216.136.225.83-48

216.136.225.12

csXX.msg.sc5.yahoo.com Series

216.136.226.209-210

216.136.227.166-167

Finding Out How A Program Gets Through HTTP Proxy

Here's one technique I use to find out what needs to be blocked. I used this to track down what Yahoo Messenger was connecting to, so I could set up access rules to block it.

1. Use a user account that doesn't have a lot of traffic, or is set up just for this test. This is so you can easily see what is being accessed in your testing.

2. Enable proxy authentication. This is so that the user account you are testing with shows up in the logs.

3. Set up an Allow All URL access rule at the top of the rules list, with Source = the NDS user account you are testing with. Enable rule logging.

4. Connect to the web site/service. (For Yahoo Messenger, try to login.)

5. Check the Access Rule logs for the last 30 minutes or so to see what was allowed, find the test user account, double-click on it, and look at the URLs.

6. Set up a Deny URL rule right above the Allow URL for the test user, enable logging on it, and enter a URL to deny. Wildcards are allowed.

7. Test again. If the Deny rule worked, you will see that in the Access Rule logs. If the login worked, the software may have tried a second option you also have to deny, or your Deny rule may have the wrong syntax. Also, when the access rules deny a site, you should see, in the Proxy Console screen on the BorderManager server, an immediate increase in the "Failed" statistic.

References: <http://nscsysop.hypermart.net/no_chat.html>

<http://www.practicallynetworked.com/sharing/app_port_list.htm>

<http://www.iana.org/assignments/port-numbers>

<http://www.networkice.com/advice/Exploits/Ports/>

grantlewis
Level 1

I installed all three programs on an inside host, then sniffed as they accessed the network. AOL and Microsoft Messenger were easiest to block, but Yahoo is the hardest.

The below access list, applied to the inside interface of the PIX,

access-group xxx in interface inside

blocks hosts inside your network from accessing the login servers. Be prepared to sniff regularly as new servers are added.

access-list 102 deny tcp any any eq 1863
access-list 102 deny tcp any host 24.71.200.68
access-list 102 deny tcp any host 63.250.206.50
access-list 102 deny tcp any host 64.4.13.17
access-list 102 deny tcp any host 64.4.13.83
access-list 102 deny tcp any host 64.4.13.170
access-list 102 deny tcp any host 64.4.13.171
access-list 102 deny tcp any host 64.4.13.173
access-list 102 deny tcp any host 64.4.13.180
access-list 102 deny tcp any host 64.4.13.183
access-list 102 deny tcp any host 64.4.13.186
access-list 102 deny tcp any host 64.4.13.187
access-list 102 deny tcp any host 64.4.13.189
access-list 102 deny tcp any host 64.12.25.243
access-list 102 deny tcp any host 64.12.27.208
access-list 102 deny tcp any host 64.12.28.96
access-list 102 deny tcp any host 64.12.161.153
access-list 102 deny tcp any host 64.12.161.185
access-list 102 deny tcp any host 64.29.219.171
access-list 102 deny tcp any host 64.54.195.253
access-list 102 deny tcp any host 64.29.219.171
access-list 102 deny tcp any host 65.54.195.253
access-list 102 deny tcp any host 152.163.214.75
access-list 102 deny tcp any host 152.163.214.76
access-list 102 deny tcp any host 152.163.214.108
access-list 102 deny tcp any host 152.163.214.109
access-list 102 deny tcp any host 152.163.241.121
access-list 102 deny tcp any host 152.163.241.129
access-list 102 deny tcp any host 152.163.242.28
access-list 102 deny tcp any host 152.163.242.24
access-list 102 deny tcp any host 152.163.241.120
access-list 102 deny tcp any host 152.163.241.128
access-list 102 deny tcp any host 152.163.241.96
access-list 102 deny tcp any host 166.90.133.200
access-list 102 deny tcp any host 166.90.133.199
access-list 102 deny tcp any host 204.71.177.35
access-list 102 deny tcp any host 204.71.200.36
access-list 102 deny tcp any host 204.71.200.37
access-list 102 deny tcp any host 204.71.200.54
access-list 102 deny tcp any host 204.71.200.55
access-list 102 deny tcp any host 204.71.201.47
access-list 102 deny tcp any host 204.71.201.48
access-list 102 deny tcp any host 204.71.201.134
access-list 102 deny tcp any host 204.71.201.141
access-list 102 deny tcp any host 204.71.202.58
access-list 102 deny tcp any host 204.71.202.59
access-list 102 deny tcp any host 204.71.202.73
access-list 102 deny tcp any host 205.188.1.56
access-list 102 deny tcp any host 205.188.4.106
access-list 102 deny tcp any host 205.188.147.114
access-list 102 deny tcp any host 205.188.153.0
access-list 102 deny tcp any host 205.188.153.97
access-list 102 deny tcp any host 205.188.153.98
access-list 102 deny tcp any host 205.188.153.99
access-list 102 deny tcp any host 205.188.153.100
access-list 102 deny tcp any host 206.65.183.25
access-list 102 deny tcp any host 207.46.182.140
access-list 102 deny tcp any host 207.46.183.253
access-list 102 deny tcp any host 207.68.167.254
access-list 102 deny tcp any host 207.68.175.108
access-list 102 deny tcp any host 207.68.172.251
access-list 102 deny tcp any host 207.68.172.253
access-list 102 deny tcp any host 207.68.178.251
access-list 102 deny tcp any host 207.68.183.59
access-list 102 deny tcp any host 207.68.184.62
access-list 102 deny tcp any host 209.132.1.29
access-list 102 deny tcp any host 216.49.88.97
access-list 102 deny tcp any host 216.115.102.92
access-list 102 deny tcp any host 216.115.105.214
access-list 102 deny tcp any host 216.115.105.215
access-list 102 deny tcp any host 216.115.106.96
access-list 102 deny tcp any host 216.115.106.217
access-list 102 deny tcp any host 216.115.107.63
access-list 102 deny tcp any host 216.115.107.64
access-list 102 deny tcp any host 216.115.107.65
access-list 102 deny tcp any host 216.115.107.66
access-list 102 deny tcp any host 216.115.107.67
access-list 102 deny tcp any host 216.115.107.101
access-list 102 deny tcp any host 216.115.107.102
access-list 102 deny tcp any host 216.115.107.104
access-list 102 deny tcp any host 216.115.107.105
access-list 102 deny tcp any host 216.115.108.33
access-list 102 deny tcp any host 216.115.233.134
access-list 102 deny tcp any host 216.122.100.172
access-list 102 deny tcp any host 216.136.172.221
access-list 102 deny tcp any host 216.136.173.172
access-list 102 deny tcp any host 216.136.173.174
access-list 102 deny tcp any host 216.136.173.179
access-list 102 deny tcp any host 216.136.174.173
access-list 102 deny tcp any host 216.136.175.132
access-list 102 deny tcp any host 216.136.175.142
access-list 102 deny tcp any host 216.136.175.143
access-list 102 deny tcp any host 216.136.175.144
access-list 102 deny tcp any host 216.136.175.226
access-list 102 deny tcp any host 216.136.224.142
access-list 102 deny tcp any host 216.136.224.213
access-list 102 deny tcp any host 216.136.224.214
access-list 102 deny tcp any host 216.136.225.11
access-list 102 deny tcp any host 216.136.225.12
access-list 102 deny tcp any host 216.136.226.254
access-list 102 deny tcp any host 216.136.226.209
access-list 102 deny tcp any host 216.136.226.210
access-list 102 deny tcp any host 216.136.227.11
access-list 102 deny tcp any host 216.136.227.12
access-list 102 deny tcp any host 216.136.227.168
access-list 102 deny tcp any host 216.136.233.131
access-list 102 deny tcp any host 216.136.233.132
access-list 102 deny tcp any host 216.136.233.134
access-list 102 deny tcp any host 216.136.233.135
access-list 102 deny tcp any host 216.136.233.136
access-list 102 deny tcp any host 216.136.233.137
access-list 102 deny tcp any host 216.136.233.138
access-list 102 deny tcp any host 216.136.233.172
access-list 102 deny tcp any host 217.12.4.71
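Two points in this thread come down to the same CIDR bookkeeping: the article's static-route arithmetic (a route for 64.4.13.160 with mask 255.255.255.224 swallowing .161 through .191, or 64.4.13.128/255.255.255.128 swallowing .129 through .255) and the long per-host PIX list posted just above, which has at least one duplicated entry (64.29.219.171) and a cluster of 64.4.13.x hosts that a single block-level line would cover. The script below is an added example written for this page; it is not code from either poster, from Novell or from Cisco. It parses a constructed excerpt of the posted access-list (not the full list), reports duplicate host entries, groups the remaining hosts by /27 so you can see how many extra addresses a block-level deny would catch, emits that deny in the same PIX syntax the post uses, and computes the address range a static route to a given network/mask black-holes. The ACL number 102 and the `eq 1863` line are taken from the post; `ACL_EXCERPT` and every function name are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt of the PIX access-list posted in the thread, not the
# full list. The repeated 64.29.219.171 entry and the 64.54/65.54 pair are
# kept on purpose so the checks below have something to report.
ACL_EXCERPT = """\
access-list 102 deny tcp any any eq 1863
access-list 102 deny tcp any host 64.4.13.170
access-list 102 deny tcp any host 64.4.13.171
access-list 102 deny tcp any host 64.4.13.173
access-list 102 deny tcp any host 64.4.13.180
access-list 102 deny tcp any host 64.4.13.183
access-list 102 deny tcp any host 64.4.13.186
access-list 102 deny tcp any host 64.4.13.187
access-list 102 deny tcp any host 64.4.13.189
access-list 102 deny tcp any host 64.29.219.171
access-list 102 deny tcp any host 64.54.195.253
access-list 102 deny tcp any host 64.29.219.171
access-list 102 deny tcp any host 65.54.195.253
"""

# Only the per-host form used in the posted list is parsed; the port-based
# "any any eq 1863" line and anything unrecognised is skipped.
HOST_LINE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+deny\s+tcp\s+any\s+host\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_hosts(acl_text):
    """Return (sorted unique host addresses, sorted duplicated addresses)."""
    counts = Counter()
    for line in acl_text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
    hosts = sorted(counts)
    dups = sorted(ip for ip, n in counts.items() if n > 1)
    return hosts, dups


def smallest_supernet(addrs):
    """Smallest single CIDR block containing every address in addrs.

    This is the calculation behind choosing 64.4.13.160 255.255.255.224
    for login servers 64.4.13.171 through 64.4.13.190: widen the block one
    bit at a time until every address falls inside it.
    """
    addrs = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{min(addrs)}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def covering_blocks(hosts, prefixlen=27):
    """Group host entries by the /prefixlen block containing them.

    Returns {network: (listed_hosts, addresses_in_block)}; the gap between
    the two numbers is the collateral a block-level deny adds over the
    per-host lines (the sledgehammer the article warns about).
    """
    groups = {}
    for ip in hosts:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups.setdefault(net, []).append(ip)
    return {net: (len(ips), net.num_addresses) for net, ips in groups.items()}


def route_range(network, netmask):
    """First and last address a static route for network/netmask swallows.

    route_range("64.4.13.160", "255.255.255.224") gives .160 through .191;
    the article quotes the usable hosts .161 through .191 of that block.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return net.network_address, net.broadcast_address


def pix_block_line(network, acl="102"):
    """Block-level deny in the same PIX form as the posted host lines."""
    net = ipaddress.ip_network(network, strict=False)
    return f"access-list {acl} deny tcp any {net.network_address} {net.netmask}"


if __name__ == "__main__":
    hosts, dups = parse_hosts(ACL_EXCERPT)
    print("duplicate entries:", [str(d) for d in dups])
    for net, (listed, total) in sorted(covering_blocks(hosts).items()):
        print(f"{net}: {listed} listed host(s) of {total} addresses ->",
              pix_block_line(net))
    lo, hi = route_range("64.4.13.128", "255.255.255.128")
    print("static route 64.4.13.128/25 black-holes", lo, "through", hi)
```

Run it over the full posted list to get the real duplicate and cluster report; the /27 grouping is a starting point, and `smallest_supernet` on each group tells you the tightest block that still covers every observed login server. The article's caveat applies either way: any block-level deny or static route also blocks everything else the provider later puts in that range, so re-sniff and re-check after each client update.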