Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Blocking out ICQ traffic on 2620 router

I needed to block out all ICQ traffic that goes out of my network. Did a search on the Internet and found that ICQ uses two possible port numbers of 4000 and 5190. I've configured both of these ports and it seemed to do the trick BUT ... I found out that ICQ can also use HTTP, HTTPS, SOCKS4, and SOCKS5 as transport protocol and now I would like to know how to block these "extra" ICQ traffic. I 've thought of:

1. Blocking out TCP traffic on port 80/8080 with string "http://login.icq.com".

2. Blocking out ALL outgoing IP traffic destined to www.icq.com, login.icq.com (these are resolvable through DNS)

Can someone tell me how I can do the above task? expecially the 1st option. Thanks in advance for your help. Are there other options that I can use apart from the above?

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Blocking out ICQ traffic on 2620 router

Your 2620 will be limited in helping you stop this traffic. You could write a custom NBAR module to look for that in HTTP headers, but that's assuming they actually have login.icq.com in the http headers. They might not. You'll have to check and see.

You really asking for content filtering. Surfcontrol is affordable and does this well and doesn't sit inline to the firewall/router.

An IDS sensor could do this for you also. You have a rish inspection engine that can find almost anything in a packet and RST, shun/block, etc

Blocking by IPs is a pain in the neck and ICQ will change/add them over time.

A effective, simple method that works 99% is simply creating a bogus icq.com domain on your internal DNS. Since your DNS server thinks its authoritative, it won't query the real servers. Therefore, ICQ clients won't be able to connect unless they point to outside DNS. If you only allow your internal DNS server the right to use outbound UDP/53, this requires clients to figure out its a DNS issue, get the names and IP needed, and put them in local hosts file. Of course, users shouldn't have admin access to edit the hosts file. Of course, they also shouldn't have admin access to install the ICQ software either..... It's a tough battle. ;)

1 REPLY
Silver

Re: Blocking out ICQ traffic on 2620 router

Your 2620 will be limited in helping you stop this traffic. You could write a custom NBAR module to look for that in HTTP headers, but that's assuming they actually have login.icq.com in the http headers. They might not. You'll have to check and see.

You really asking for content filtering. Surfcontrol is affordable and does this well and doesn't sit inline to the firewall/router.

An IDS sensor could do this for you also. You have a rish inspection engine that can find almost anything in a packet and RST, shun/block, etc

Blocking by IPs is a pain in the neck and ICQ will change/add them over time.

A effective, simple method that works 99% is simply creating a bogus icq.com domain on your internal DNS. Since your DNS server thinks its authoritative, it won't query the real servers. Therefore, ICQ clients won't be able to connect unless they point to outside DNS. If you only allow your internal DNS server the right to use outbound UDP/53, this requires clients to figure out its a DNS issue, get the names and IP needed, and put them in local hosts file. Of course, users shouldn't have admin access to edit the hosts file. Of course, they also shouldn't have admin access to install the ICQ software either..... It's a tough battle. ;)

296
Views
0
Helpful
1
Replies
CreatePlease login to create content