Block QQ Instant Messaging


Article ID: 168357


Products

ProxySG Software - SGOS

Issue/Introduction

There is no quick way to block all QQ chat messaging at once. The official QQ web site (http://www.imqq.com) does not list the IP addresses of the servers that QQ chat communicates with or connects to. On examining packets captured on a QQ chat connection, Blue Coat noticed that the client connects to the servers sz[1-9].tencent.com and qq.com, and then follows with dynamic IP addresses.

 

Cause

The causes include the following:
  • Every time you block one IP address of those servers, the IP address will have changed by the next time you connect. Hence, it makes sense to block the entire range of IP addresses from those providers.
  • Blocking the entire range of IP addresses with the CPL we provide will potentially block other web sites within China, not just addresses belonging to QQ chat messenger.
  • With the CPL installed, QQ chat is sometimes still able to connect successfully, and sometimes it is blocked by the ProxySG appliance.

Resolution

Follow these steps to resolve the issue.
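  1. Install the following CPL via local policy:

     ; Deny any request whose destination matches the qq_deny condition
     <Proxy>
         DENY condition=qq_deny

     ; Address ranges and domain patterns observed for QQ chat.
     ; The /16 ranges also cover addresses that do not belong to QQ.
     define condition qq_deny
         url.address=112.90.0.0/16
         url.address=203.205.0.0/16
         url.address=123.151.0.0/16
         url.address=183.60.0.0/16
         url.address=112.95.0.0/16
         url.address=119.147.0.0/16
         url.address=111.161.0.0/16
         url.regex="tencent.com"
         url.regex="qq.com"
     end condition qq_deny
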
  2. Because the range of IP addresses is huge, some addresses might belong to QQ chat and some might belong to other web sites. To trace them correctly, or to shorten the whole range of IP addresses, you can run a policy trace to identify the exact IP address. Make sure that QQ chat instant messaging is the only thing running when you perform this; no other programs or applications should be running. Follow these steps to enable a policy trace for a single client machine:
  • Open VPM, select Policy, and create a new Web Access layer. This new Web Access layer will have just one rule in it.
  • On Source, right click and select Set > New. Select Client IP address/Subnet. This is the client machine that runs the QQ chat program.
  • Enter the IP address of the client you are running the test from. There is no need to enter a subnet.
  • Select Add, and then close. On the Set Source Object window, select this Client IP, then OK.
  • Change the Action to None. Right click on Allow Action, and choose Delete.
  • Edit the Track tab. Right click on None under Track, and select Set > New > Trace.
  • Select the Trace Level selection and Verbose tracing. Select Trace File, and give it a name. Then click OK.
  • Install the policy.
  3. View the result of the policy trace once you have run QQ chat. Go to the ProxySG appliance management console at https://Proxy_IP/Policy. Click the trace file and view it with Windows Notepad. From the policy trace results, you can check to see which IP address is denied.

Please note that blocking QQ chat is an ongoing task because of the way the application is designed and works.
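
One way to carry out the narrowing that the policy-trace steps above describe, shown as an added example (not Blue Coat code): the script pulls every IPv4 address out of a saved trace file, keeps those that fall inside the /16 ranges of the qq_deny condition, and reports the /24 prefixes actually seen in each range. The function names, the /24 granularity, the client address 10.1.1.50 and the sample trace lines are assumptions; the sample line layout is constructed and is not the real ProxySG trace format.

```python
import ipaddress
import re
from collections import defaultdict

# The /16 ranges from the qq_deny condition on this page.
QQ_DENY_RANGES = [ipaddress.ip_network(n) for n in (
    "112.90.0.0/16", "203.205.0.0/16", "123.151.0.0/16", "183.60.0.0/16",
    "112.95.0.0/16", "119.147.0.0/16", "111.161.0.0/16",
)]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ips(trace_text, client_ip):
    """Return the valid IPv4 addresses found in the text, minus the test client."""
    found = set()
    for token in IPV4_RE.findall(trace_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:  # dotted number that is not an address, e.g. 999.1.1.1
            continue
        if str(addr) != client_ip:
            found.add(addr)
    return found

def narrow_ranges(trace_text, client_ip, prefixlen=24):
    """Map each blocked /16 to the smaller prefixes actually seen in the trace."""
    hits = defaultdict(set)
    for addr in extract_ips(trace_text, client_ip):
        for wide in QQ_DENY_RANGES:
            if addr in wide:
                small = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
                hits[wide].add(small)
    return {str(w): [str(n) for n in sorted(hits.get(w, ()))]
            for w in QQ_DENY_RANGES}

# Constructed sample text; the line layout is NOT the real ProxySG trace format.
SAMPLE_TRACE = """\
client 10.1.1.50 -> tcp://183.60.15.21:8000/ DENIED
client 10.1.1.50 -> tcp://183.60.15.77:443/ DENIED
client 10.1.1.50 -> tcp://112.90.83.4:80/ DENIED
client 10.1.1.50 -> http://198.51.100.7/ ALLOWED
"""

if __name__ == "__main__":
    for wide, narrow in narrow_ranges(SAMPLE_TRACE, "10.1.1.50").items():
        print(wide, "->", ", ".join(narrow) if narrow else "no hits in this trace")
```

Because the server addresses change between connections, collect several traces before replacing a /16 in the condition with the narrower prefixes.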