
09-11-2006, 12:20 AM
psharkauburn
Blocking sites and how to defeat the man

Before you can circumvent, you need to know what you're up against

While there are hundreds of software packages out there to help administrators block websites deemed "inappropriate", it usually boils down to only 3 generic techniques used behind the scenes.

* Security Zones - Back in the day, there was only 1 "real" browser for Windows - Microsoft Internet Explorer (IE). Microsoft's idea for parental security and casual use was implementing security zones that could be defined with different permissions. Sites could be trusted (full access), in the internet zone (limited access), or restricted (no access). The restricted zone could be password protected allowing administrators to block specific sites, and as long as the people using the computer weren't logged in as administrators this technique worked fine (especially when used against beginner - novice users). In today's world though, there are a multitude of alternative browsers out there, as well as tools available to disable or reset security zone settings, making this the least hardened security measure. You can always tell when this is being used, as a message will appear saying this site has been restricted, or it will prompt you for a password.

* Windows HOSTS file - This is a Windows system file that's been around ever since TCP/IP became accessible on Microsoft's platform. It all stems from the fact that people like to use words to remember websites like instead of numbers like while computers prefer numbers over words. To turn our friendly words into numbers, every time you try to connect to an internet resource by name, your computer must first ask another computer what number the name translates into - the DNS server. This question asking from computer to computer (while pretty fast) takes both time and bandwidth to perform. In efforts to be as efficient as possible, Windows created the HOSTS file that allows you to predefine specific name->number assignments. When you attempt to browse to a site, the computer ALWAYS consults this file first as it could potentially eliminate an expensive question it would have to ask someone else. If you search your OS for the HOSTS file, you can view/edit it in a text editor and will see entries like: Localhost. This is a default entry that specifies any attempt to browse to a server "localhost" should be directed towards IP (which happens to be your computer's default IP - the loopback adapter). If you add an entry: - then any attempt to go to will be directed back to your own IP address with a result of server not found (unless of course your computer is the myspace web server). You can usually tell when HOSTS file redirection is being used when attempts to browse a website *consistently* take you to a different site (or your company's/school's intranet portal). I say *consistently* because there is plenty of spyware out there now that redirects to advertising pages but they usually are not consistent in the redirection - they will cycle through different sites.

* IPSEC/Firewall blocking - This is the most pervasive blocking usually performed by far. IPSEC filtering can be deployed via group policy to individual computers or can be deployed to the network's internet gateway for blocking at the network's perimeter. IPSEC rules are extremely customizable, and essentially allow any protocol (http, ftp, etc.), on any port (sender or receiver), on any IP address to be filtered. To block a specific site from being viewed, a generic policy only requires knowledge of the site's IP address - and a broad rule can be set: Block/Deny all traffic with destination address XX.XX.XX.XX, or a specific rule can be set: Block/Deny HTTP traffic with a destination port of 80 to a destination IP XX.XX.XX.XX. With rules like this set, any traffic matching those patterns will be completely blocked. While IPSEC operates at the operating system level, most routers have internal firewalls (or large organizations have standalone firewalls) allowing similar rules to be established at the network level. The easiest way to determine if this is being used is to simply "ping" the destination's IP address. If you cannot ping them, then the IPs are being filtered (or the server is down); if you can ping, but cannot browse to the site, then it is a good indication that a narrow rule has been set restricting the protocol/port. IPSEC/Firewall filtering is very commonly used to block things like peer-2-peer protocols, filesharing, etc., as it is the easiest way to block applications like Kazaa or eMule across the entire network.

While this list is by no means exhaustive, these are by far the most commonly used techniques to restrict internet access to specific destinations. They are the most common because all 3 techniques are "FREE" to network administrators and don't require any additional hardware or software - just knowledge of Active Directory, Windows OS, and Group Policy. Remember, the first step to successfully circumventing any security measure is knowing what you are up against. I hope someone finds this useful, and be on the lookout for additional blogs containing steps to actually circumvent these techniques, as well as guides to implementing these techniques over networks.

World of Warcraft withdrawal can be as devastating as the flu - seriously, it should be covered by insurance. -PShark

Last edited by The Tool : 09-11-2006 at 07:22 PM.
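An added example, not part of the original post: a HOSTS-file audit an administrator can run to confirm that only the deployed overrides are present and to spot the redirect entries the post attributes to spyware. The sample file, every name and address in it, and the `APPROVED` baseline are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; every name and address below is a placeholder.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.blocked.example blocked.example   # admin sinkhole
10.0.0.5        news.example     # sent to the intranet portal
203.0.113.7     login.bank.example
not-an-ip       broken.example
"""
# Hypothetical baseline of overrides the administrator deployed on purpose.
APPROVED = {"news.example": "10.0.0.5"}

def parse_hosts(text):
    """Return (lineno, address or None, fields) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((lineno, None, fields))   # first field is not an IP
            continue
        entries.append((lineno, addr, [n.lower() for n in fields[1:]]))
    return entries

def audit_hosts(text, approved):
    """Classify every non-default name-to-address override in a hosts file."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((lineno, "malformed", " ".join(names)))
            continue
        for name in names:
            if name == "localhost" and addr.is_loopback:
                continue                      # stock localhost entry
            if approved.get(name) == str(addr):
                kind = "approved-override"
            elif addr.is_loopback or addr.is_unspecified:
                kind = "sinkhole"             # name pointed back at this machine
            else:
                kind = "unexpected-redirect"  # name pinned to some other host
            findings.append((lineno, kind, f"{name} -> {addr}"))
    return findings
```

On Windows the file to read and pass in as `text` is `%SystemRoot%\System32\drivers\etc\hosts`; any `unexpected-redirect` finding is an entry nobody in the baseline accounts for.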