7

How can I block Spotify on our company network? Unfortunately it's killing our bandwidth and the effect is really serious.

Flyk
  • 119
  • 1
  • 2
  • 10
chrism2671
  • 2,549
  • 9
  • 34
  • 45
  • 2
    do you use a squid proxy ? - More info ! – Sirex Feb 10 '12 at 12:36
  • I'm not using a squid proxy but I am using a Draytek Vigor router capable of block IP ranges and a few other things. – chrism2671 Feb 10 '12 at 12:38
  • Get yourself an application aware firewall and tell it to block spotify. Sourcefire and Palo Alto both make devices that'll do the trick. – skarface Feb 02 '13 at 18:54

7 Answers7

24

You can fix this sort of thing via technology - basically firewall off the sources and/or ports - but I'm a big believer in not turning a HR problem into a game of cat'n'mouse with your users.

Simply speak to HR, explain the problem and ask them to make a policy regarding this issue and have them communicate it to your users. Then simply agree with HR to do periodic traffic analysis, letting them know of any users breaking this policy and have them deal with the them.

Basically trying to fix it yourself will just get you tied up in knots, and utterly hated too, which as we know is the job of HR already :)

Chopper3
  • 100,240
  • 9
  • 106
  • 238
  • Unfortunately this is not an option - we need to block it properly. – chrism2671 Feb 10 '12 at 12:40
  • 2
    Why is it not an option? Fire one person to make an example of them? – Tom O'Connor Feb 10 '12 at 12:54
  • 1
    Surely having HR set the policy is an option? I know you want to put barriers in place but this has to start as a management policy that you help to fix. Technically just do what MDMarra says above. – Chopper3 Feb 10 '12 at 12:54
  • 1
    This is not an option because we rent space to our customers in the office. They are the problem, not our staff. They complain about poor quality internet, we tell them not to use spotify and bit torrent, but it only takes one perpetrator to saturate the connection. A lot of people use our space, it is impossible to enforce it on all of them. *We need to fix it technically*. – chrism2671 Feb 10 '12 at 13:14
  • That is a very good point, thanks for that, well in that case do as MDMarra suggests. – Chopper3 Feb 10 '12 at 13:40
  • 10
    You still need to get some kind of acceptable use policy which everyone using YOUR connection must sign up to. You need these people to take responsibility for their actions, otherwise you may find that **you** are held responsible for their (potentially criminal) actions! The users are **already holding you responsible** for everyone else's actions! – dunxd Feb 10 '12 at 14:15
  • My personal opinion is that these kind of things need backing with policy and active enforcement of said policy. However, I personally think it's good practise to try to restrict undesireable activity, even if it's a simple block. Therefore if a user is caught, they have also had to circumvent your security procedure which should help eliminate any excuses and make it a watertight case for HR. – Robin Gill Feb 10 '12 at 15:40
  • 1
    Thanks for your post, but I really think this is an unconstructive answer. I've asked a question about networking, here is an answer related to people. Fortunately Spotify were kind enough to provide the correct answer to this question- it is now successfully blocked on our network. – chrism2671 Feb 11 '12 at 17:15
  • 2
    @chrism2671 If spotify answered your question, please add an answer detailing your instructions and accept it as the answer. That way any users coming across this question in search, can be directed to the correct solution. – Regan Nov 06 '13 at 12:57
5

You can install spotify yourself, sniff the traffic, and block outbound connections to their servers on your firewall.

Or

You can get a rate shaper that does packet inspection and shape the traffic for streaming audio to zero or close to it, then whitelist any legitimate audio streaming sites that you approve.

MDMarra
  • 100,183
  • 32
  • 195
  • 326
  • The dorms at my old work did the second method. They did packet shaping, and operated a Squid proxy that was highest priority. It meant the bittorrenters didn't crowd out normal web-traffic. People had to manually use the proxy, but they almost all did because it was much faster than not using it. – sysadmin1138 Feb 11 '12 at 18:01
4

The IP range 78.31.8.0/22 also belongs to spotify.com so the complete list would be

78.31.8.0/22
193.182.8.0/21
193.235.232.0/24
tseeling
  • 41
  • 2
1

The router you mentioned is a perfectly capable router and can block IP addresses, but web filtering is a bit more advanced for most routers in that class.

Assuming that your staff is not made up of computer nerds who waste the day on Stack Exchange know what a DNS server does, I've had success with simply using OpenDNS to block Spotify and other social networking sites. It's a good solution, simple, very non-technical and free.

The downside is that you cannot filter anything finer than the domain name (so you can only filter all of spotify.com, but not filter spotify.com/customers while allowing spotify.com/users). The filters are all-or-nothing, there is no way to allow the bosses to surf for porn without blocking the other users (other than manually overriding their DNS server settings, which I've had to do for my clients using OpenDNS). And, by manually overriding the DNS server settings on the client computers, the OpenDNS filters are easily defeated.

For reference, you would create a (free) account with OpenDNS. Using their webfiltering dashboard (as pictured for one of my clients below), you can add spotify.com to the list of domains that are blacklisted. OpenDNS management screen
You can then reprogram the DHCP server built into your router to change the DNS settings from whatever your ISP had provided to the OpenDNS servers, in this case, 208.67.222.222 and 208.67.220.220. Anyone going to spotify.com in the future would be met with an error screen handed out by OpenDNS.

Glorfindel
  • 1,213
  • 3
  • 15
  • 22
Simon Hova
  • 248
  • 1
  • 4
1

If you have a company internal DNS server and block all external DNS traffic via firewall, you can simply refer all relevant name resolutions for Spotify to an internal website of your choosing that can even inform the users about why it's blocked ...

Just create a zone for the domain name or domain names in your DNS and point them to the IP of the "blocker website".

I have proposed this to block Facebook apps when I was asked at my company and we successfully implemented it and it's usually cheaper and less resource intensive than deep packet inspection rules ...

0xC0000022L
  • 1,456
  • 2
  • 20
  • 41
1

I know this is an old question, but I was able to block spotify by blocking these two IP ranges in my firewall:

193.235.232.0/24
193.182.8.0/21

That blocked the mobile and desktop clients for us.

korylprince
  • 169
  • 1
  • 1
  • 9
0

Search IPs by Spotify on site bgp.he.net - http://bgp.he.net/search?search%5Bsearch%5D=spotify&commit=Search

pomaskin
  • 11
  • 2
  • Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – slm Feb 09 '14 at 19:35