How to block QQ messenger by blocking IPs
 

I'm trying to block a messenger called qq or qq international, it's a chinese messenger. I'm using a very simple router that can only block by url, or IP. Since this messenger, having its default ports blocked, uses the http/https ports as a last resort, blocking its ports doesn't really do the job.

On the official website there wasn't any information about where does it connect (what server should I block), but after some googling around I found some IPs, and that it connects to servers sz.tencent.com, and sz[2-9].tencent.com.

Everytime I blocked one IP from one of those servers, it ended up changing again the next time I tried it (using ping to test whether it was blocked or not). So I just blocked the whole range of IPs from those providers, they are chinese providers and nobody uses them so there is no problem in that.

I blocked the IPs by doing a whois on the IP returned after pinging the above written URLs, and blocking the range returned. E.g.
So I would block the IPs of the range from 219.128.0.0 to 219.137.255.255.
Done that on the sz.tencent.com and all the sz[2-9].tencent.com servers, ping returns 100% packet loss on all the servers. So at least I'm sure all those servers are blocked.

Shouldn't this work? Because for some reason QQ messenger still connects...
If anyone knows this messenger and has some information on how to block it, it would be greatly appreciated.

Try netstat you can see exactly were QQ is sending these packets, then add those ip's to the blacklist and boom no more QQ.

qq is not running on my computer...
 

Thanks for the advice. But QQ is not running from my computer, just from another computer on the same LAN. And all the computers in the LAN are connected to a "cheap" router.
netstat only shows the ports open on the computer it is running in, right? And my router doesn't have any netstat-like tool, that's why I had to google around looking for those IPs.
Yeah, if anyone has done as above ---blocked the IPs got with netstat---, I'd really like to get them... Other advices are welcome as well.

Netstat give you something better (the domain name), all you need to do is blacklist that domain name (if your router supports it)

even with netstat...
 

Ok, I got a computer with windows. Installed qq just so I could use netstat there and find out what IPs to block.
In the windows computer, I did
and logged in with qq.
I looked for the PID of QQ (1620), and there were some lines like this:
I obviously thought the url, reverse.gdsz.cncnet.net, had something to do with the process of logging in. So I blocked the address in my router.

I logged out, and logged in again. And it had no problems connecting...
I tried blocking the UDP and TCP ports from 1000 to 1100, as well as the UDP ports from 4000 to 4100. And every time I try to log in again, another port gets used like UDP 4005 (previous session) to 4006 (after logging out previous session, current session). I thought blocking the UDP ports 4000-4100 would solve this, but apparently it didn't.
Somehow, QQ is still able to log in.


If I block the http port in my router, it gets blocked. And I tried pinging to the url above, and it said unknown host. So I guess the router does correctly blocks urls and the ports I tell it to. I really have no idea what to do next...
I thought there might be another program for the function of logging in, but I don't seem to find it, so I guess not.
Maybe my usage of netstat is wrong and it's not showing me the information I need or something? I really can't believe after blocking its ports and everything it still gets connected.

Any help would be greatly appreciated.

There seem to also be some tcpconn[,2-9].tencent.com domains as well.
sorry for all the blank spaces. They occurred while cutting & pasting somehow.

Do they use a tun server service that you haven't blocked.
Installing the program yourself and monitoring your own traffic may provide more clues.

You could add IP address to block on your computers own firewall, and retry connections.
You could use netstat in the continuous mode to record traffic continuously.

Downloading an OS QQ plugin shows these domains:

strings * | egrep '(udp|tcp)'
%s(): nick=%s, udp=%s
tcp://tcpconn4.tencent.com:8000
tcp://tcpconn3.tencent.com:8000
tcp://tcpconn2.tencent.com:8000
tcp://tcpconn.tencent.com:8000
udp://202.104.129.254:8080
udp://64.144.238.155:8080
udp://202.96.170.64:8080
udp://sz7.tencent.com:8000
udp://sz6.tencent.com:8000
udp://sz5.tencent.com:8000
udp://sz4.tencent.com:8000
udp://sz3.tencent.com:8000
udp://sz2.tencent.com:8000
udp://sz.tencent.com:8000
[CClientConnection] setServer(udp=%d, host=%s, port=%d)

already blocked><
 

Thanks for the IPs. But as I already posted above, I already blocked all the IPs whithin the range 219.128.0.0 - 219.137.255.255, which includes all the IPs listed there. I already made sure it can't connect anywhere, anyhow to a sz.tencent.com server...

reverse.gdsz.cncnet.net
 

It's connecting to reverse.gdsz.cncnet.net through the http port, and when the URL is blocked in the router it shouldn't connect. However I found out by restarting qq a couple of times, that it keeps connecting there somehow.

I did a whois on gdsz.cncnet.net (reverse.gdsz.cncnet.net wouldn't return anything) on this site http://www.robtex.com/dns/gdsz.cncnet.net.html and got these IPs: 221.4.64.0/19 221.4.8.0/22 221.4.64.0/19, blocked them too. But still get the ESTABLISHED state on netstat when I restart the program... maybe this is likely to be the problem?
Anyone has any idea of how it keeps connecting there? / What may I be doing wrong?

I hadn't read every IP in my list (out of laziness) because there were so many.
I did update my post with more IPs. Some of the tcpconnect*. domains may have different numbers.

monitoring with netstat
 

Thank you very much for the IPs! Do you have QQ blocked in your computer/router?

I had already some of them blocked, but there were a lot of them which I hadn't.

Blocking these IPs: 119.144.0.0/14, 121.14.0.0/17, 208.69.36.0/24, 219.133.48.0/18, 58.248.0.0/13, 58.56.0.0/13 should have the same effect that blocking all the IPs you gave me (I block some more, but just for the simplicity).

Also from your log
I'm trying blocking 202.104.128.0/17 and 64.144.0.0/16 just for the test.

It still connects...

This is the log I got from netstat. I added some comments.
Any ideas?

Blocking IP addresses isn't, this is your main problem: you're trying to turn the router into something it isn't, namely a versatile, configurable firewall.


So how about using a GNU/Linux, .*BSD or whatever else *way* more configurable machine as router instead? That way you could more easily define a policy blocking traffic using iptables rules plus an IDS for catching traffic that doesn't "play nice" like the QQ IM. There are multiple firewall distributions to choose from in case you do not want to build it from the ground up.

Thanks for the advice.
Yes, I realize using a linux machine as a router would be a lot easier for this task. The thing is, I already have a router. And blocking a messenger isn't supposed to be such a hard task (so I thought^^, kinda wrong).
In order to use my linux machine as a router too, I'd have to buy another lan card. Besides the fact that it would cost me money, I'd prefer not to use my main computer as a router, not only for security reasons, but simply because it's very loud, and have to shut it down at night, which is not the idea.

Well, if it really can't be done, I'd like to know so. But it sounds pretty logical to me that blocking where it connects, a messenger should be correctly blocked.

The problem with IP blacklisting your way is that it is maintenance-intensive and it will always be incomplete unless you know its methods for "phoning home". While I prefer the GNU/Linux side of things for reasons of stability, performance, versatility and security reasons I understand perfectly well that money can be an issue. While incursions into mcrsft territory are not my thing, if you have physical access to said mcrsft machine or if you can push policies its way you could resort to installing a SW firewall locally, perferably one with lockable admin settings, that denies outbound connections based on executable specs.