nathan.harris@yhfsc.org.uk wrote:
> Hi there,
>
> Here's an interesting one for you guys, I work P/T at a Local Authority
> ISP service based upon open source code.
>
> The kids Have recently realised that is you take
>
> www.playboy.com
>
> convert it to it's IP 216.163.137.3
>
> covert it to Binary
>
> 11011000 10100011 10001001 00000011
>
> then back into base 10 decimal
>
> 3634596099 now you enter this into your browser http://3634596099
>
> at first I was unsure if this was an april fools
>
> but sure enough it works and bypasses the filtering completly. Not many
> sites work but I did find one or two more.
>
> Both url blocking in squidguard & IP filtering does not effect base 10
>
> Has anyone any idea how we can get squid to ignore Base 10 & Hex web
> requests? kids will be bypassing filtering platforms up and down the UK
> (or more probably have been for some time)
>
> credit to them, clever little blighters
>
Well, you could make your dstdomain ACL which is based solely on the
textual domain given. (You are using dstdomain I hope and not regex)
And turning it into 'dst', which performs an IP lookup and compares
that. It is very effective against static sites like playboy, but much
less useful against frequently moving sites like anonymous proxies.
The alternative but time-expensive approach is to add a regex that
validates .com.net etc exists in the domain:
acl isDomain dst_regex -i "\.[a-z]{2,}$"
http_access deny !isDomain
This needs to be carefully placed after the blocking ACL and before the
first major allow (students likely to use this, teachers not so much).
Amos
Received on Tue Dec 11 2007 - 03:16:23 MST
This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST