5

In light of mounting allegations that TeamViewer has been hacked, and that criminals are somehow gaining unauthorized access to TeamViewer-enabled workstations, we would like to block TeamViewer altogether.

How does the TeamViewer session-establishment protocol work? What firewall rules or other measures can we use to prevent all workstations within our network from being controlled through TeamViewer?

We have a heterogeneous environment; controls would have to be done at the network level, and not through anything like a Group Policy.

200_success
  • 1
    [Related question](https://security.stackexchange.com/q/66081/27444) on [security.se] currently has no good answers. – 200_success Jun 02 '16 at 19:47
  • If I were you, I'd contact the support team of whatever kind of firewall you have there and ask them how to block Teamviewer. – Noor Khaldi Jun 02 '16 at 19:53
  • 2
    @NoorKhaldi Knowing Cisco, they would probably try to upsell me instead of giving me a firewall rule. – 200_success Jun 02 '16 at 19:56
  • Here's a few different approaches you can try: https://mediarealm.com.au/articles/2014/10/block-teamviewer-network/ – Anthony Eden Dec 02 '16 at 09:41

4 Answers

9

First Step block DNS

The TeamViewer client uses port 80 for the outbound connection, so it is difficult to block on a port basis. Because the TeamViewer client must first connect to the TeamViewer server, we can use another approach: blocking every DNS request for *.teamviewer.com and/or *.dyngate.com.

Second Step block IP Address Range

The TeamViewer IP Address Range is 178.77.120.0/24, but you have to check again.

stambata
  • With a little bit of Googling, this answer sounds just about right. – Noor Khaldi Jun 02 '16 at 20:01
  • 2
    The `A` record for `teamviewer.com` is 46.163.100.220. Is blocking 178.77.120.0/24 actually effective? – 200_success Jun 02 '16 at 20:06
  • No. In my opinion you also have to block DYNGATE.COM, but if some of your network uses external DNS servers this will not work. For this reason my suggestion is to block and input traffic from IP range 178.77.120.0/24 – stambata Jun 02 '16 at 20:36
  • With [Windows 10 adding support for DNS over HTTPS](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-will-improve-user-privacy-with-DNS-over-HTTPS/ba-p/1014229), this is no longer sufficient as a solution. – 200_success Nov 19 '19 at 18:20
5

Just for completeness, TeamViewer uses three different ports in specific order.

  1. TCP/UDP port 5938 is the primary port TeamViewer prefers to use. This is also currently the only port used by Android, Windows Mobile and BlackBerry clients.
  2. If the connection fails, TeamViewer tries TCP 443 next. This is actually the most problematic part, because blocking the default HTTPS port 443 will block all secure web sites. Tampering with the data would involve using a fake root CA and decrypting the data, and without that it's really hard to detect whether it's TeamViewer traffic or just normal TLS encrypted HTTPS.
  3. Default HTTP port, TCP 80 is the third alternative. That would be easy to block e.g. by using a transparent proxy, but is totally unnecessary, because the 443 is used before this.

Therefore, blocking the connections on network level from any client (incl. BYOD) would involve:

  • Faking or blocking DNS queries for *.teamviewer.com. This should actually be the most efficient way, if you trust the TeamViewer GmbH's word (for the opposite purposes):

    The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.

  • Additionally, blocking TeamViewer's known IP address ranges, but as we can soon see, this may be problematic and hard to maintain:

    • 178.77.120.0/25; DE-HE-MASTER-EXT; TeamViewer GmbH
    • 159.8.209.208/28; NETBLK-SOFTLAYER-RIPE-CUST-SS30641-RIPE; TeamViewer GmbH
    • Some in 92.51.156.64/26; owned by Host Europe GmbH; risk for false positives...
    • etc.; also risk for false positives and need for removals in the future.
  • In addition, very paranoid administrators could utilize some Deep Packet Inspection.

If you don't trust TeamViewer GmbH, and as TeamViewer works on ports 443 and 80 with a standalone TeamViewerQS.exe, the Group Policy (e.g. Software Restriction Policies) would be a good addition that increases protection on Windows machines joined to an AD domain.

Esa Jokinen
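The two signals this answer describes (the preferred port 5938 and PTR records ending in `.teamviewer.com`) can be checked against firewall flow logs. The following is an added example, not part of the original answer; the log format, the `ptr_of` stub and all addresses are constructed assumptions, and in production `ptr_of` would call `dig +short -x "$1"`.

```sh
#!/bin/sh
# Constructed sample flow log: "src dst proto dport".
# Addresses are documentation ranges, not real TeamViewer hosts.
sample_flows() {
cat <<'EOF'
10.0.0.11 203.0.113.20 tcp 5938
10.0.0.12 198.51.100.7 tcp 443
10.0.0.13 203.0.113.5 tcp 443
10.0.0.14 192.0.2.10 tcp 80
10.0.0.15 192.0.2.10 udp 5938
EOF
}

# Hypothetical offline stand-in for a reverse lookup (constructed answers).
ptr_of() {
    case "$1" in
        198.51.100.7) echo "SERVER12345.teamviewer.com." ;;
        192.0.2.10)   echo "router3.teamviewer.com." ;;
        203.0.113.5)  echo "www.example.org." ;;
        *)            echo "" ;;
    esac
}

# Read flows on stdin; print those that hit port 5938 and/or a destination
# whose PTR record ends in .teamviewer.com, with the reason appended.
flag_teamviewer() {
    while read -r src dst proto dport; do
        [ -n "$src" ] || continue
        reason=""
        [ "$dport" = "5938" ] && reason="port-5938"
        case "$(ptr_of "$dst" | tr 'A-Z' 'a-z')" in
            *.teamviewer.com.|*.teamviewer.com)
                reason="${reason:+$reason,}ptr-teamviewer" ;;
        esac
        [ -n "$reason" ] && echo "$src $dst $proto/$dport $reason"
    done
    return 0
}

sample_flows | flag_teamviewer
```

Flows flagged only by PTR on 443 or 80 are the fallback cases from the list above, which a port-only rule would miss.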
1

When re-visiting our network blocks using this method, we found that TeamViewer was connecting to different subnets and DNS names than listed here. It now connects to router[1-16].teamviewer.com.

The only problem is that the hosts are all over the place as they have servers around the world at ANEXIA Internetdienstleistungs, and blocking the subnets would result in a lot of false positives. According to the whois, it appears that these are associated with dedicated servers, so we put in DNS-based IP blocks for those domains and it seems to be preventing TeamViewer from connecting again.

If you need to grab the IPs, the following script (based off the above script) does the trick:

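```bash
#!/bin/bash
# Resolve router1..router16.teamviewer.com and record every name that resolves.
for i in $(seq 1 16); do
    a="router${i}.teamviewer.com"
    b=$(dig +short "$a")
    echo "RESULT: $b"
    # Skip names that do not resolve.
    if [[ -z "$b" ]]; then
        continue
    fi
    echo "$b" >> ip_to_block.txt
    echo "$a" >> domains_to_block.txt
done
```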
0

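The TeamViewer app always connects to one of the servers like serverXXXXX.teamviewer.com via http/https.

Run a bash script, something like:

```bash
#!/bin/bash
# Try every server10000..server99999.teamviewer.com name and collect what resolves.
for i in $(seq 10000 99999); do
    a="server${i}.teamviewer.com"
    b=$(dig +short "$a")
    # Skip names that do not resolve.
    if [[ -z "$b" ]]; then
        continue
    fi

    echo "$b" >> ip_to_block.txt
done
```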

And block all of the IPs in ip_to_block.txt after the script finishes. This will 100% block all TeamViewer clients.

Jenny D
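Both enumeration scripts above append raw `dig +short` output to `ip_to_block.txt`, which can contain CNAME targets, resolver error text and repeated addresses as well as A records. The following added example (not from either answer) cleans such a list and prints block rules without executing them. It assumes a Linux gateway using `iptables`; the sample input is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample of what the loops above may write to ip_to_block.txt.
sample_dig_output() {
cat <<'EOF'
routerpool.example.net.
192.0.2.10
192.0.2.11
192.0.2.10
;; connection timed out; no servers could be reached
198.51.100.300
198.51.100.7
EOF
}

# Keep only syntactically valid IPv4 addresses, de-duplicated, order preserved.
clean_ipv4() {
    awk -F. '
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok && !seen[$0]++) print
        }'
}

# Print (do not run) the port-5938 rules plus one rule per cleaned address.
emit_rules() {
    echo "iptables -A FORWARD -p tcp --dport 5938 -j REJECT"
    echo "iptables -A FORWARD -p udp --dport 5938 -j REJECT"
    clean_ipv4 | while read -r ip; do
        echo "iptables -A FORWARD -d $ip -j REJECT"
    done
}

sample_dig_output | emit_rules
```

Because the addresses change over time, as noted in the answers, the list needs to be regenerated and the old rules replaced on a schedule.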