How to Block Evony?



W
09-14-10, 01:28 AM
What are the best methods for blocking Evony, the large online multiplayer
game, with the company firewall? They appear to be on a Class C network
64.156.192.x, but I would like to know if other networks or IPs need to be
blocked as well.

--
W

W
09-16-10, 08:47 PM
"W" <persistentone@spamarrest.com> wrote in message
news:gJudnYPzmORjiBLRnZ2dnUVZ5gKdnZ2d@giganews.com...
> What are the best methods for blocking Evony, the large online multiplayer
> game, with the company firewall? They appear to be on a Class C network
> 64.156.192.x, but I would like to know if other networks or IPs need to be
> blocked as well.

A more general question: if you want to see all IP networks owned by a
given company, how do you do that?

--
W

Web Dreamer
09-17-10, 03:06 AM
W wrote on Friday 17 September 2010 03:47 in
<FbCdnbPdNaYAVQ_RnZ2dnUVZ5oidnZ2d@giganews.com> :

> "W" <persistentone@spamarrest.com> wrote in message
> news:gJudnYPzmORjiBLRnZ2dnUVZ5gKdnZ2d@giganews.com...
>> What are the best methods for blocking Evony, the large online
>> multiplayer
>> game, with the company firewall? They appear to be on a Class C
>> network 64.156.192.x, but I would like to know if other networks or IPs
>> need to be blocked as well.
>
> A more general question: if you want to see all IP networks owned by a
> given company, how do you do that?

On *nix machines (Linux, Mac, BSD, etc...) these commands will do *exactly*
what you ask for:

host evony.com
<all IPs will be listed>
Or:
dig ANY evony.com
<A records, MX records, etc... will be listed>

These commands may return a hostname.domainname of something else instead of
an IP, so redo the same command for the new hostname.domainname, etc...
You'll see that you won't be able to block everything from evony (their
emails) without blocking some google mail servers...

For details on these commands, read:
man host
man evony

On windows... don't know... Bad Luck...
You can have these commands on windows if you install cygwin.

--
Web Dreamer

Ansgar -59cobalt- Wiechers
09-17-10, 03:24 AM
Web Dreamer <webdreamer@nospam.fr> wrote:
> W wrote on Friday 17 September 2010 03:47:
>> A more general question: if you want to see all IP networks owned by
>> a given company, how do you do that?
>
> On *nix machines (Linux, Mac, BSD, etc...) these commands will do
> *exactly* what you ask for:
>
> host evony.com
> <all IPs will be listed>
> Or:
> dig ANY evony.com
> <A records, MX records, etc... will be listed>

Umm... no, they won't. dig and host return what a company has configured
on their public DNS for that given domain. That does NOT equal a list of
all IP networks a company owns. For the latter you'd have to go through
the databases of all registries in the world. Which clearly is not
feasible.

> On windows... don't know... Bad Luck...
> You can have these commands on windows if you install cygwin.

Or, you could simply use the tools from the Windows version of BIND. Or
use the nslookup that ships with Windows. But anyway, as explained
above, that won't do what the OP was asking for.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Moe Trin
09-17-10, 02:36 PM
On Fri, 17 Sep 2010, in the Usenet newsgroup comp.security.firewalls, in article
<4c932182$0$23782$426a74cc@news.free.fr>, Web Dreamer wrote:

>"W" <persistentone@spamarrest.com> wrote

>> A more general question: if you want to see all IP networks owned
>> by a given company, how do you do that?

A "whois" query may provide some information, but generally "all" is
not available. For example, 'evony.com' seems to be hosted by a
service provider in San Diego named "M5 Computer Security" but they
don't list the range of addresses in use. Blocking 64.156.192.0/22
(which is M5-SECURITY-NETBLK-11) may work - at least temporarily.
It's far easier to sniff your network using something like 'wireshark'
and identify the players. Assuming your company has published a
network use policy, you can then take appropriate actions against
the players. Trivial really - but consult your company lawyer for
further details.

>On *nix machines (Linux, Mac, BSD, etc...) these commands will do
>*exactly* what you ask for:

>host evony.com
><all IPs will be listed>
>Or:
>dig ANY evony.com
><A records, MX records, etc... will be listed>

I can see you didn't bother to even try those commands, so you made a
rather large mistake. 'host -a evony.com' and 'dig ANY evony.com'
return a single host address (64.156.194.11), two name server
addresses (64.156.194.11 and 64.156.194.14), and six mail server
addresses at google. Rather useless, don't you think?

>For details on these commands, read:
>man host
>man evony

Maybe you should be reading the man pages - and while you're at it,
also read the DNS-HOWTO if you can figure out how to find it

-rw-rw-r-- 1 gferg ldp 91563 Dec 23 2001 DNS-HOWTO

because DNS doesn't work the way you seem to think.

Old guy

David Bivens
12-01-10, 10:50 PM
"W" <persistentone@spamarrest.com> wrote:
>
> A more general question: if you want to see all IP networks owned by
> a
> given company, how do you do that?

Go to ARIN (or the appropriate registrar) and query their registration
database using that address to find the name of the company or the ISP.

The lowest-level (smallest, usually) allocation in this case is "M5
Computer Security", network M5-SECURITY-NETBLK-11 (or
NET-64-156-192-0-2). The parent ISP is CWIE, LLC. The domains of the
admins' email addresses are: m5hosting.com and m5computersecurity.com.

They are AS21581 and their assigned networks (and addresses) are:

M5SECNET (NET-71-6-225-0-1) 71.6.225.0 - 71.6.225.255
M5-SECURITY-NETBLK-1 (NET-209-216-230-0-1) 209.216.230.0 - 209.216.230.255
M5-SECURITY-NETBLK-2 (NET-206-251-255-0-1) 206.251.255.0 - 206.251.255.255
M5-SECURITY-NETBLK-11 (NET-64-156-192-0-2) 64.156.192.0 - 64.156.195.255
M5-SECURITY-NETBLK-3 (NET-207-158-15-0-1) 207.158.15.0 - 207.158.15.255
M5-SECURITY-NETBLK-4 (NET-206-71-179-0-1) 206.71.179.0 - 206.71.179.255
M5-SECURITY-NETBLK-10 (NET-207-158-37-0-1) 207.158.37.0 - 207.158.37.255
M5-SECURITY-NETBLK-5 (NET-206-71-169-0-1) 206.71.169.0 - 206.71.169.255
M5-SECURITY-NETBLK-7 (NET-206-251-244-0-1) 206.251.244.0 - 206.251.244.255
M5-SECURITY-NETBLK-6 (NET-206-71-190-0-1) 206.71.190.0 - 206.71.190.255
M5-SECURITY-NETBLK-8 (NET-207-158-30-0-1) 207.158.30.0 - 207.158.30.255
M5-SECURITY-NETBLK-9 (NET-207-158-52-0-1) 207.158.52.0 - 207.158.52.255

All this info was obtained using standard WHOIS queries against
whois.arin.net. WHOIS is your friend; I recommend anyone unfamiliar with
it learn how to use it. The ARIN WHOIS help page may be obtained by
executing:

whois -h whois.arin.net '?'

Unfortunately, best I can tell, M5 Hosting does not run an rwhois
(Referral WHOIS) server, nor do they appear--best I can tell--to SWIP
their address sub-allocations, so I cannot determine the Evony
addresses. Someone else may know how to get more granular address
information from M5; I do not--sorry.

There are other excellent sources of address assignment information,
including BGP (query through LookingGlass servers). Someone else may
know of better ones; if so, please post the info!

I hope this helps a bit!


--
David Bivens/VABC Information Security
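
Added example, not part of any post in this thread: a firewall rule needs CIDR prefixes, while the WHOIS listing above gives start - end ranges, so this sketch parses lines in that form, converts each range to prefixes, and reports which block contains the addresses the DNS queries returned. The listing lines are copied from the post above; the function names are this example's own.

```python
import ipaddress
import re

# Lines in the "NetName (NetHandle) start - end" form shown in the post above;
# the values are copied from that listing, not queried live.
WHOIS_LISTING = """\
M5SECNET (NET-71-6-225-0-1) 71.6.225.0 - 71.6.225.255
M5-SECURITY-NETBLK-11 (NET-64-156-192-0-2) 64.156.192.0 - 64.156.195.255
M5-SECURITY-NETBLK-3 (NET-207-158-15-0-1) 207.158.15.0 - 207.158.15.255
M5-SECURITY-NETBLK-5 (NET-206-71-169-0-1) 206.71.169.0 - 206.71.169.255
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\((?P<handle>NET-[\d-]+)\)\s+"
    r"(?P<first>\d+\.\d+\.\d+\.\d+)\s+-\s+(?P<last>\d+\.\d+\.\d+\.\d+)$"
)

def parse_listing(text):
    """Return {net_name: [IPv4Network, ...]} for each well-formed line."""
    blocks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blanks, headers and wrapped fragments
        first = ipaddress.IPv4Address(m["first"])
        last = ipaddress.IPv4Address(m["last"])
        if first > last:
            continue  # malformed range
        # A start-end range is not always a single CIDR block;
        # summarize_address_range yields the prefixes that cover it exactly.
        blocks[m["name"]] = list(ipaddress.summarize_address_range(first, last))
    return blocks

def covering_block(blocks, address):
    """Return (net_name, prefix) for the block containing address, or None."""
    ip = ipaddress.IPv4Address(address)
    for name, nets in blocks.items():
        for net in nets:
            if ip in net:
                return name, str(net)
    return None

if __name__ == "__main__":
    blocks = parse_listing(WHOIS_LISTING)
    for name, nets in blocks.items():
        print(name, ", ".join(str(n) for n in nets))
    # Addresses the DNS queries in the thread returned for evony.com
    for addr in ("64.156.194.11", "64.156.194.14"):
        print(addr, "->", covering_block(blocks, addr))
```

A match only shows that an address sits inside the hosting provider's registered block; as the post above notes, the sub-allocations are not published, so the prefix may also cover the provider's other customers.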