Blocking out ICQ traffic on 2620 router

vincent-n (Level 3)

I needed to block out all ICQ traffic that goes out of my network. Did a search on the Internet and found that ICQ uses two possible port numbers of 4000 and 5190. I've configured both of these ports and it seemed to do the trick BUT ... I found out that ICQ can also use HTTP, HTTPS, SOCKS4, and SOCKS5 as transport protocols and now I would like to know how to block this "extra" ICQ traffic. I've thought of:

1. Blocking out TCP traffic on port 80/8080 with string "http://login.icq.com".

2. Blocking out ALL outgoing IP traffic destined to www.icq.com, login.icq.com (these are resolvable through DNS)

Can someone tell me how I can do the above task? Especially the 1st option. Thanks in advance for your help. Are there other options that I can use apart from the above?

Accepted Solution

shannong (Level 4)

Your 2620 will be limited in helping you stop this traffic. You could write a custom NBAR module to look for that in HTTP headers, but that's assuming they actually have login.icq.com in the http headers. They might not. You'll have to check and see.

You're really asking for content filtering. Surfcontrol is affordable and does this well and doesn't sit inline to the firewall/router.

An IDS sensor could do this for you also. You have a rich inspection engine that can find almost anything in a packet and RST, shun/block, etc.

Blocking by IPs is a pain in the neck and ICQ will change/add them over time.

An effective, simple method that works 99% is simply creating a bogus icq.com domain on your internal DNS. Since your DNS server thinks it's authoritative, it won't query the real servers. Therefore, ICQ clients won't be able to connect unless they point to outside DNS. If you only allow your internal DNS server the right to use outbound UDP/53, this requires clients to figure out it's a DNS issue, get the names and IPs needed, and put them in the local hosts file. Of course, users shouldn't have admin access to edit the hosts file. Of course, they also shouldn't have admin access to install the ICQ software either... It's a tough battle. ;)
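As an added example (not configuration from either poster), here is one way to put the two pieces of this answer and the asker's "option 1" on the router itself: an NBAR class that matches cleartext HTTP requests whose Host header or URL references icq.com, dropped by an outbound service policy, plus an egress ACL that lets only the internal DNS server talk DNS to the outside so clients cannot bypass the sinkholed icq.com zone. The interface name, the 192.168.1.0/24 network and the 192.168.1.10 DNS server are assumptions; it also assumes an IOS image with NBAR and the policy-map `drop` action.

```cisco
! Added example, not the thread's own config. Addresses and interface names
! are assumptions; NBAR needs CEF switching enabled.
ip cef
!
! Classify HTTP requests carrying icq.com in the Host header or the URL.
! This only sees cleartext HTTP; HTTPS and SOCKS carry no readable Host,
! so those paths still need the DNS sinkhole below (or a proxy/IDS).
class-map match-any ICQ-OVER-HTTP
 match protocol http host "*icq.com*"
 match protocol http url "*icq.com*"
!
! Drop the ICQ class; all other traffic falls through untouched.
policy-map BLOCK-ICQ
 class ICQ-OVER-HTTP
  drop
!
! Only the internal DNS server (assumed 192.168.1.10) may send DNS outbound.
! With icq.com hosted as a bogus zone on that server, clients that try to
! point at an outside resolver to get the real addresses are blocked here.
ip access-list extended EGRESS-DNS
 permit udp host 192.168.1.10 any eq 53
 permit tcp host 192.168.1.10 any eq 53
 deny   udp 192.168.1.0 0.0.0.255 any eq 53
 deny   tcp 192.168.1.0 0.0.0.255 any eq 53
 permit ip any any
!
interface Serial0/0
 description WAN uplink (assumed)
 ip access-group EGRESS-DNS out
 service-policy output BLOCK-ICQ
```

Verify the match with `show policy-map interface Serial0/0` after a client attempts a login; if the ICQ-OVER-HTTP counters stay at zero, the client is not sending icq.com in its cleartext HTTP headers, which is exactly the check the answer says you need to make.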
