Disclaimer: I'm NOT making a malware.
I wonder if it's possible to prevent any program on my local PC from sending requests to some particular host on the internet. Is it possible at a level higher than the network card driver?
As I see it, e.g. a browser opens a socket and sends some data through it. Can I access it somehow and do-something-with-it to block the sending of data?
Which way should I move if it's possible?
You can easily do this from the command prompt with a bogus route rule. Below I show how to do this on Windows. You can also modify this solution to work on Linux/Unix as well.
From a CMD shell prompt running as admin:
Step 1 - find the IP address of the host you want to block with nslookup
    C:\>nslookup www.stackoverflow.com
    Server:  myrouter.home
    Address:  192.168.1.1

    Non-authoritative answer:
    Name:    stackoverflow.com
    Address:  69.59.197.21
    Aliases:  www.stackoverflow.com
Here we see that www.stackoverflow.com has an IP address of 69.59.197.21
Step 2 - print the current routing table of your system with route print -4. Look for the "0.0.0.0" destination line to identify the gateway address for the internet.
    C:\>route print -4

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     10
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link      192.168.1.10    266
         192.168.1.10  255.255.255.255         On-link      192.168.1.10    266
        192.168.1.255  255.255.255.255         On-link      192.168.1.10    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      192.168.1.10    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.1.10    266
    ===========================================================================
Now you can see that my gateway is 192.168.1.1 (IP address of my home router). And it's pretty obvious that my network subnet is 192.168.1.*. (You can also type ipconfig to discover all the properties of the subnet if you don't already know it.)
Step 3 - insert a bogus routing rule for the IP address you want to block. The trick is to select an IP address on the same subnet that is NOT a gateway. In this case, 192.168.1.2 is a non-existent host on my subnet.
    C:\>route add 69.59.197.21 MASK 255.255.255.255 192.168.1.2
     OK!
You can now type route print -4 again to confirm the bogus route rule in the table. What this entry says is "whenever this host needs to send to 69.59.197.21, try to send it through 192.168.1.2". And that will force the host to send to a host that doesn't exist or is incapable of routing.
And that's all there is to it. As I type this, I actually am blocking my machine from ever reaching www.stackoverflow.com. Now to undo this, it's just a matter of typing:
    C:\>route delete 69.59.197.21
     OK!
The fine print:
Many sites will have more than 1 IP address. If NSLookup doesn't tell you all the IP addresses at once, then you may have to periodically call NSLookup every few minutes to see more of them. With some experimentation, you can use this technique to block entire networks.
This technique will likely not work if your browser is configured to use a proxy server.
Also, this technique is not likely to survive a reboot. You can likely write a script that gets inserted into the Windows Task Scheduler (or other appropriate auto-start mechanism for your OS) that does the work of adding the route when the OS starts or user logs in.
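The fine print above (several IP addresses per site, and the route not surviving a reboot) is what a scheduled script has to deal with. Here is an added example of such a script; it is not from the answer above, and it uses the NetTCPIP cmdlets (Resolve-DnsName, Get-NetRoute, New-NetRoute, Remove-NetRoute) rather than route.exe. The bogus next hop 192.168.1.2 is the answer's example value and must be an unused address on your own subnet; the script name BlockHost.ps1 is hypothetical.

```powershell
# BlockHost.ps1 (hypothetical name; added example, not the answer's own script).
# Resolves every A record for a host and adds a /32 route for each one that
# points at a bogus next hop on the local subnet, as the answer describes.
# Run from an elevated PowerShell; -Remove deletes the routes again.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [string] $BogusNextHop = '192.168.1.2',   # answer's example; must be unused on YOUR subnet
    [switch] $Persistent,                     # keep the routes across reboots
    [switch] $Remove
)

# The interface carrying the default route (0.0.0.0/0) is the one that reaches the internet.
$default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric | Select-Object -First 1
if (-not $default) { throw 'No IPv4 default route found.' }

# Collect all A records returned right now (a CNAME chain is followed for us).
# Sites with many addresses may still need the script re-run later, as the answer notes.
$addresses = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress -Unique

$store = if ($Persistent) { 'PersistentStore' } else { 'ActiveStore' }

foreach ($ip in $addresses) {
    $prefix   = "$ip/32"
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue

    if ($Remove) {
        if ($existing) {
            Remove-NetRoute -DestinationPrefix $prefix -Confirm:$false
            Write-Host "removed route for $prefix"
        }
        continue
    }

    # Idempotent: a second run (e.g. from Task Scheduler at logon) does not add duplicates.
    if ($existing) { Write-Host "route for $prefix already present"; continue }

    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $default.InterfaceIndex `
                 -NextHop $BogusNextHop -PolicyStore $store | Out-Null
    Write-Host "blocked $prefix via bogus next hop $BogusNextHop ($store)"
}
```

Run it as `.\BlockHost.ps1 -HostName www.example.invalid` from an elevated prompt, or register that command line as a logon task in Task Scheduler; with -Persistent the routes are written to the persistent store instead, which removes the need for the scheduled task.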