On Tue, 23 Mar 2004, Karl Sumpter wrote:
> I've been seeing users start to tunnel thru my squid caches, especially
> for connecting to IRC servers. I get CONNECT lines in my log either
> going to 6667 (irc default)
This is blocked by the default CONNECT restrictions in the squid.conf
shipped with Squid. See SSL_ports.
> or more sneakily, 443. As there are is a sizable number of irc servers
> my users are connecting to, and the fact CONNECT is used for regular
> https websites, i can't block the method or the hostnames/ip's.
Blocking by destination hostname/ip is basically the only reliable way of
blocking this kind of sneaky abuse.
> I recompiled squid to log user-agents, but again, anything coming in on
> a CONNECT does not show up - i thought at least i could identify the irc
> clients and block them with an "browser" ACL.
Should work..
But this would most likely only buy you some time.. if users find out you
are doging this they will in many cases just change what their tunneling
aplication advertises itself as to make it look like MSIE.
> So i guess what i am asking, is there an easier, more maintainable way
> to stop this rather than spending day after day compiling ip lists for
> multiple servers - I'm really hoping for a one-liner here.
The most effective method is to have a enforceable policy in your termos
of use where users abusing the service in this manner get a noticable
penalty.
This solution is mostly a adminastrative one, technology is just a tool to
help you monitor and maintain the set policy.
Regards
Henrik
Received on Wed Mar 24 2004 - 02:35:25 MST
This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:02 MST