FireWall-1 FAQ: Blocking AOL Instant Messenger
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
AIM will use any available port that is allowed through the firewall. The Auto Configure option on the AIM client will use just about anything, including DNS and HTTP. The only surefire way to lock out access to it is to block all access to the host login.oscar.aol.com. However, this DNS resolves to more than one IP and it changes. You should verify this with an nslookup. You need to block all traffic to these IPs. You should also disable the rulebase properties for DNS as, sure enough, it will use these ports.
Here are a few IPs that are known to belong to login.oscar.aol.com:
- AOLim_1 = 152.163.214.75
- AOLim_2 = 152.163.214.76
- AOLim_3 = 152.163.214.108
- AOLim_4 = 152.163.214.109
- AOLim_5 = 205.188.1.56
- AOLim_6 = 205.188.4.106
- AOLim_7 = 205.188.147.114
- AOLim_8 = 152.163.241.121
- AOLim_9 = 152.163.241.129
- AOLim_10 = 152.163.242.28
- AOLim_11 = 152.163.242.24
- AOLim_12 = 152.163.241.120
- AOLim_13 = 152.163.241.128
- AOLim_14 = 152.163.241.96
- AOLim_15 = 64.12.161.153
- AOLim_16 = 64.12.161.185
The Smart Defense HTTP worm catcher in NG FP3 is pretty useful at stopping illicit AOL and MS Instant Messenger on 80. Add these lines:
MS-IM gateway.dll? AIM :20480/
I picked these apparently unique strings out of http headers shown up by plonking an http resource on miscreants source addresses. As far as I can tell, the method works 100%.
