Academic Freedom or Application Chaos? An Analysis of End-User Application Traffic on University Networks
November 2009
Palo Alto Networks 232 East Java Dr. Sunnyvale, CA 94089 Sales 866.207.0077 www.paloaltonetworks.com
Table of Contents
Key Findings...... 3 Introduction...... 4 Applications that Enable Circumvention are in Use ...... 5 External Proxies...... 5 Encrypted Tunnel Applications ...... 6 Remote Desktop Control Applications...... 7 P2P File Sharing Usage is Rampant ...... 8 Browser-based File Sharing Gains in Popularity ...... 9 Students are Adept at Being Entertained ...... 10 Applications are Designed for Accessibility ...... 11 Summary...... 11 Appendix 1: Methodology ...... 12 Appendix 2: Applications Found ...... 13
KEY FINDINGS
Over the past 18 months, Palo Alto Networks has performed Application Visibility and Risk assessments on 35 university networks. The analysis consisted of installing a Palo Alto Networks firewall on the university network, and then monitoring traffic for a given period of time. based on the traffic observed, an Application Visibility and Risk report is generated and provided to the university networking and security team (see Appendix 1 for more information on the methodology). A roll up of all 35 assessments shows that 589 unique applications were detected, consuming 64 terabytes of data. Some of the key findings are summarized below:
Students are using applications that enable security circumvention. • The high frequency with which external proxies, encrypted tunnel and remote access applications were found indicates students are taking extra steps to conceal their activity. This finding is somewhat contradictory to the assumption that university networks are “open”.
Peer-to-peer file sharing use continues to be a significant portion of university traffic. • Found in 34 of the 35 university networks (97%), P2P file sharing continues to be a significant portion of traffic. The 24 P2P variants found consumed 13.9 terabytes or 21.7% of total bandwidth, indicating that P2P is still a relatively serious issue on university networks. • Adding to the challenge of managing the RIAA requests for more P2P control, a new threat— Mariposa—is spreading rapidly across nine commonly used P2P networks.
Browser-based file sharing applications show significant usage. • An average of 11 browser-based file sharing application variants were found across 33 of the 35 university universities (94%). While not as common as P2P, these applications simplify the transfer of large files such as music or movies, possibly exposing universities unknown risks.
Students are adept at keeping themselves entertained. • There were 203 applications found that fall into gaming, social networking, media, file sharing and web browsing categories. Bandwidth consumed by these applications was more than 48 terabytes or 78% of total bandwidth consumed.
Application accessibility features make visibility and control difficult. • Of the 589 applications found, 356 (60%) of them can use port 80, port 443 or hop ports as a means of enabling user access. Unfortunately, accessibility features can introduce security risks because traditional port-based offerings cannot see or control these applications.
The data used to generate this report was collected by deploying a Palo Alto Networks next-generation firewall in the network, in either tap mode or virtual wire mode, where it monitors traffic traversing the Internet gateway. At the end of the data collection period, an Application Visibility and Risk Report is generated that presents the findings along with the associated risks, and a more accurate picture of how the network is being used. The data from each of the AVR Reports is then aggregated, analyzed and summarized herein.
INTRODUCTION
Today’s university students are more computer savvy than ever before, using a wide range of applications for socializing, entertainment and fostering their education. The breadth of applications, along with the premise that university networks are “open” puts the security team between a rock and a hard place. On one hand, they are asked to enable openness, while on the other, they are required to protect the network and the corresponding data.
In analyzing 35 university networks around the world, Palo Alto Networks found a wide range of applications that span the social, entertainment and educational spectrum – which was not all that surprising. Peer-to-peer file sharing continues to be used while browser-based file sharing applications are increasing in their use. And not surprisingly, applications that are more focused on entertainment than on education were used heavily.
What was not expected was the relatively high use of proxies, encrypted tunneling and remote desktop access applications. The use of these applications raises two questions – if the network is open, then why use applications that can mask user activities? This is the key question to be answered. Or are control efforts such that users re being driven to use these applications. Whichever the reason, the statistics show that students are using whatever application they want and security administrators are struggling to keep pace.
APPLICATIONS THAT ENABLE CIRCUMVENTION ARE IN USE
One of the more interesting sets of statistics uncovered during the analysis was how frequently the use of external proxies, encrypted tunnels and remote access applications were being used. This finding is somewhat contradictory to the assumption that university networks are “open”. The theory being that if the networks are open, then why would there be a need to use applications that can bypass security? Are the students being overly cautious? Or are the universities exerting stricter traffic controls? Regardless of the underlying reasons, the frequency1 that these applications were seen was quite surprising. EXTERNAL PROXIES
There are two types of proxies that can be used for the purposes of bypassing security controls. The first is a private proxy, which is a software application that is installed on a server and is used by a single user. In this case, the student will install the software on a machine at home, or somewhere outside of the university network. The student will then browse to the external proxy as an unmonitored means to browse the web.
The analysis discovered a total of 21 different proxies, including HTTP proxy which might be in use by the university. Excluding HTTP proxy from the discussion, external proxies were still detected in 100% of the universities with the highest number of proxy variants found being 12, and the average number found in each university being 4. The most commonly detected proxies are CGIProxy and PHProxy, detected in 63% and 60% of the universities respectively.
The second proxy variant is a public proxy or a proxy service. These are merely implementations of the aforementioned proxy software applications that are made available to the public. For example, a student that wants to browse the web anonymously can visit www.proxy.org and select from one of 7,700+ proxies that have been established by well-meaning Internet citizens. Users can also sign up for an email update that notifies them of the 10 or so new proxy sites made available on a daily basis.
In either of these two cases, the traffic looks like normal web browsing and most security policies allow this type of traffic to pass unfettered. The result is that students are bypassing any control efforts including threat inspection, exposing the university to unnecessary security risks.
Most Common Proxy Applications Found
cgiproxy 63%
phproxy 60%
coralcdn-user 46%
glype-proxy 31%
vtunnel 57%
socks 14% 11% freegate 11% http-tunnel 11% kproxy
psiphon 9%
00% 25% 50% 75%
Frequency that the application was found on university networks
Figure 1: The most commonly detected proxies found across the participating universities.
1 Note that the frequency is based on a given application appearing on the university network – the number of users is a factor in frequency.
ENCRYPTED TUNNEL APPLICATIONS
Whereas a proxy is used primarily to bypass web filtering controls, encrypted tunnel applications go one step further, enabling students to hide their activity within an encrypted tunnel. Two reasons for this come to mind. Either they are using it to bypass security controls and policies that are in place to control applications such as P2P or they are extremely concerned about their personal privacy.
There are two types of encrypted tunnel applications: those that are endorsed by the organization (IPSec, IKE, ESP, Secure Access) and those that are not endorsed (Hamachi, TOR, UltraSurf, Gpass). Excluding the university-supported applications like IPSec VPN, there were 10 encrypted tunnel applications found. Not surprisingly, SSL and SSH were found in 100% and 94% of the universities, respectively. However, the relatively high frequency that TOR, GPass and UltraSurf were found was a bit surprising and adds strength to both of the above arguments.
TOR (The Onion Router) is an interesting example of an encrypted tunnel that was developed by the U.S. Military as a means of secure communications over the early version of the Internet known as DARPA.NET. TOR is the recommended method of communications for whistle-blowers. The Electronic Frontier Foundation (EFF) also recommends it as a mechanism for maintaining civil liberties online. TOR is a client server application where the client is installed on the end-user’s machine and is used to connect to the intended site through a series of TOR nodes. The data in the message is distributed such that no one node holds the entire message. Privacy is further ensured by the use of proprietary encryption. The final message comes back together when it is received by the intended recipient.
Like TOR, Hamachi, and UltraSurf both require the installation of client software which connects to a network of servers on the Internet. From there, the traffic is routed to its destination. Whereas TOR, Hamachi, and UltraSurf are applications that have been developed as applications with the explicit purpose of bypassing security, SSH is commonly used by IT to establish a protected connection to another machine for purposes of remote management. Detected on 94% of the networks in this study, SSH is a commonly used IT tool and it is difficult to determine how it is being used in every university.
Most Common Encrypted Tunnel Applications Found
tor 43%
open-vpn 40%
37% gpass
26% ultrasurf
hotspot-shield 57%
gbridge 3%
hamachi 3%
tcp-over-dns 3%
00% 25% 50%
Frequency that the application was found on university networks
Figure 2: The most commonly detected encrypted tunnel applications found across the participating universities.
The use of encrypted tunnel applications represents another set of applications that can bypass control any and all security mechanisms, thereby exposing university networks to a wide range of security risks such as transfer of copyrighted materials and the possible introduction of a wide range of malware.
REMOTE DESKTOP CONTROL APPLICATIONS
Remote desktop control applications are similar to SSH in that they can be used by IT or support to help rectify PC or server problems remotely. Without question, these applications are invaluable tools, but they can also be used by students to login to a remote machine and mask their network activity. A total of 21 variants were found, with an average of 6 per university.
Some of the applications such as pcAnywhere and GoToMyPC are commercially-supported, while others such as RDP and telnet are part of the common operating system IT toolset. The target users for tools such as RDP historically have been IT-oriented but the sophistication of end users has advanced to the point where this is no longer the case. RDP is a client/server application that uses port 3389 by default but is also capable of hopping from port to port. RDP is a standard feature in Windows XP Professional, enabling users to access their computers across the Internet from virtually any computer, Pocket PC, or smartphone. Once connected, Remote Desktop provides full mouse and keyboard control over the computer while displaying everything that's happening on the screen. With Remote Desktop, users can leave their computer at the office without losing access to files, applications, and e-mail.
With RDP, a student can easily configure their PC to connect to an external PC and from there can, run any application they desire – swap files, run a P2P application, listen to music, surf the web – all in a tunnel that can be encrypted with RC4, although it is known to be susceptible to man-in-the middle attacks.
Most Common Remote Desktop Control Applications Found
ms-rdp 86%
logmein 77%
telnet 74%
teamviewer 57%
vnc 57%
gotomypc 29%
crossloop 11%
pcanywhere 11%
radmin 11%
rsh 6%
00% 25% 50% 75% 100%
Frequency that the application was found on university networks
Figure 3: Most commonly detected remote desktop access applications found across the participating universities.
P2P FILE SHARING USAGE IS RAMPANT
It is not all that surprising that peer-to-peer (P2P) file sharing applications were found on the 34 of the 35 (97%) university networks. What was a bit surprising was the volume of P2P traffic that was found.
• 24 P2P variants were found in the sample • One university had 19 different P2P variants present • The average number of P2P variants found was 9 • The most commonly found P2P application is BitTorrent, appearing on 91% of the university networks • Collectively, P2P applications consumed 13.9 terabytes or 21.7% of the total bandwidth • BitTorrent was the most bandwidth intensive, chewing through 17.9% of the total bandwidth (11.4 terabytes)
P2P applications use a variety of techniques to pass through the firewall including port hopping and masquerading as HTTP. As security administrators developed ad hoc techniques to detect these applications, some P2P developers modified the application to use proprietary encryption as a means of bypassing the firewall, and signature based detection mechanisms. For example, uTorrent, the official BitTorrent client, uses proprietary encryption to evade detection. It is important to point out that peer-to-peer technology by itself is a very powerful tool, leveraging shared computing resources for efficiency. The negative reputation that P2P technology has received is due to the end result of the use of P2P file sharing applications, not the technology itself. The data that can be found on P2P networks is there because someone has put it there or, in the case of the inadvertent breaches, the application was not configured correctly.
Most Common P2P File Sharing Applications Found
bittorrent 91%
gnutella 74%
emule 71%
ares 69%
azureus 57%
imesh 57%
qq-download 46%
neonet 43%
00% 25% 50% 75% 100%
Frequency that the application was found on university networks
Figure 4: The most commonly detected P2P-based file sharing applications found across the participating universities.
In the event that the pressure being exerted by the RIAA to control P2P was not enough, universities now must worry about a serious threat being propagated via P2P: the Mariposa threat (also known as Butterfly, Delf, Autorun, and Pilleuz). Mariposa manifests itself as a botnet, arbitrarily downloading executable programs on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise.
The most common Mariposa delivery mechanism are P2P applications, including Ares, Bearshare, Direct Connect, eMule, iMesh, Kazaa, Gnutella, BitTorrent, (via LimeWire client), and Shareaza. In addition to spreading via P2P, Mariposa can also spread through IM messages with links to infect other hosts, and via USB drives. Based on the P2P statistics shown above, nearly every university is exposed to the Mariposa threat.
When we compared 2 US universities of equal size (roughly 13,000 students each), we were intrigued to find that one institution with open application usage policies had roughly 250 Mariposa infected clients (an infection rate of 2%). The other university has a more proactive approach to application usage on the network and actively uses the Palo Alto Networks devices to control P2P usage and has only seen a few clients infected due to the mobile nature of the student population. Essentially the Mariposa infection occurred when the students were outside the university network. The difference is in the control of the P2P applications. If you can control applications, you can control the threats that ride in over those connections. BROWSER-BASED FILE SHARING GAINS IN POPULARITY
While not as broadcast oriented nor as well known as P2P, browser-based file sharing applications were found on university networks nearly as often at 94%. Palo Alto Networks defines browser- based file sharing applications as those that provide file transfer (e.g., YouSendit!), provide file backup (e.g., BoxNet), and public domain publishing (e.g., DocStoc). This up and coming class of application represents another area of risk for universities in that they can move large files (like music or movies) across port 80 or port 443, looking like normal web traffic.
• 23 variants were found in 33 of the 35 universities • One university had 22 different variants present • The average number of browser-based file sharing applications found was 11 • The most commonly application is MegaUpload, appearing on 74% of the university networks • RapidShare was the most bandwidth intensive, consuming 1 terabyte or 1.6% of total bandwidth • Compared with P2P, browser-based file sharing consumed a small amount of bandwidth (1.7 terabytes (2.8%)
Most Common Browser-based File Sharing Applications Found
mediafire 74%
yousendit 66%
rapidshare 63%
esnips 60%
4shared 57%
sendspace 51%
depositfiles 51%
dropbox 40%
yourfilehost 37% 31% eatlime
00% 25% 50% 75%
Frequency that the application was found on university networks
Figure 5: The most commonly detected browser-based file sharing applications found across the participating universities.
Browser-based file sharing applications do not pose the same level of risk as P2P file sharing applications. The significant differences in usage (bandwidth and sessions) and the many-to-many distribution model indicate that P2P risks are higher. However, in a university environment, browser- based file sharing applications could easily be used to transfer copyrighted materials and sensitive data from research labs in universities. In addition, these applications provide a vector for the delivery of threats either directly from someone pulling down an infected file or indirectly through malware-infested advertising (a known delivery mechanism) as part of the application providers business model. STUDENTS ARE ADEPT AT BEING ENTERTAINED
As the cost of bandwidth continues to drop, universities are able to increase the size of their Internet connection to deploy more online offerings, and provide their students with an improved end-user experience. High-speed connectivity combined with increased amounts of content that may not be educational in nature means that university networks are saturated to the point where university and research applications may suffer. The analysis found that 203 applications were consuming more than 48 terabytes (78%) of total bandwidth. Most of these applications are not directly related to higher education.
• 22 Internet utility applications (browsing, tool bars, etc) 15.9 terabytes of data (25%) • 63 photo and streaming video applications were consuming 14.7 terabytes of data (23%) • 24 audio streaming applications were consuming 2.2 terabytes (3.5%) • 25 social networking applications were consuming 850 gigabytes(1.3%) • 22 gaming applications were consuming 357 gigabytes(1%) • 47 file sharing applications (P2P and browser-based) consumed 15.7 terabytes (25%)
Percentage of Bandwidth Consumed
25% 22%
22% 31%
File Sharing Entertainment
All Other Applications Internet Utilities
Figure 6: Breakdown of bandwidth consumption by entertainment, file sharing, internet utility and all other applications.
New applications that are not educational in nature seem to be made available weekly making the bandwidth management challenge for universities that much more significant. Blocking them is not really an option, given the open nature of the network. A viable alternative is identifying the largest bandwidth hogs based on the application and applying QoS to them so that research, education and business applications are not bandwidth deprived.
APPLICATIONS ARE DESIGNED FOR ACCESSIBILITY
For purposes of this discussion, applications that have been designed for accessibility are defined as those that have been developed to use port 80 and port 443, and hop from port to port or can use a combination thereof. In this analysis, 60% of the 589 applications found can use port 80, port 443, or hop from port to port. As a feature, accessibility is not necessarily a bad thing and in fact, some of the first applications to be developed to take advantage of the “allow port 80” firewall rules were the desktop antivirus applications and the software update services. The benefit of using port 80 is that it helps eliminate some of the IT effort required to deliver updates to desktops.
Category and Technology Breakdown of Applications that That Port Hop, Use Port 80 or Port 443
Collaboration (131)
Media (91)
Business-Systems (51)
General-Internet (50)
Networking (33)
050100150
Number of applications with accessibility features
Client-server (104) Browser-based (200) Network-protocol (7) Peer-to-peer (45)
Figure 7: Breakdown of applications, by category and underlying technology, that use port 80, port 443 or hop ports as a means of simplifying access.
Every application, particularly those that traverse the firewall, represent risks, but blindly blocking these applications is not an option because doing so may be stopping a legitimate use. For example, Microsoft SharePoint, Microsoft Groove and a host of software update services (Microsoft Update, Apple Update, Adobe Update) all fall into this category, and blocking them may block university use. On the other hand, applications such as BitTorrent, Pandora, and Yoics! also fall into this category and each of these applications introduces some level of risk.
From a university perspective, the discussion of applications with accessibility features highlights the fact that applications may not be what they seem to be. The heavy use of client-server and peer-to- peer technology shows that the traffic traversing the firewall may look like HTTP, but it is not web browsing, nor is it a browser-based application. The risk is that these applications are essentially invisible to port-based security solution which introduces a wide range of business and security risks. SUMMARY
University networks are commonly viewed as open environments that can foster education and research. The analysis shows that indeed, there is wide spread use of non-education applications, supporting the openness assumption. Even so, students are using applications that enable them to mask their activities or they are using applications that are built to use port 80—in both cases, these applications are invisible to port-based security solutions. In order to regain visibility into what students are doing, universities need to deploy solutions that provide visibility into the applications (not ports or protocols) on the network and then control them where appropriate.
APPENDIX 1: METHODOLOGY
The data in this report is generated via the Palo Alto Networks Application Visibility and Risk assessment process where a Palo Alto Networks next-generation firewall is deployed within the university network, in either tap mode or virtual wire mode, where it monitors traffic traversing the Internet gateway. At the end of the data collection period, up to seven days worth of data is extracted (with permission from the university) and used to generate an Application Visibility and Risk Report that presents the findings along with the associated business risks, and a more accurate picture of how the network is being used. The data from each of the AVR Reports is then aggregated and analyzed, resulting in The Application Usage and Risk Report.
Delivered as a purpose-built platform, Palo Alto Networks next-generation firewalls bring visibility and control over applications, users and content back to the IT department using three identification technologies: App-ID, Content-ID and User-ID.
• App-ID: Using as many as four different traffic classification mechanisms, App-IDTM accurately identifies exactly which applications are running on networks – irrespective of port, protocol, SSL encryption or evasive tactic employed. App-ID gives administrators increased visibility into the actual identity of the application, allowing them to deploy comprehensive application usage control policies for both inbound and outbound network traffic.
• Content-ID: A stream-based scanning engine that uses a uniform threat signature format detects and blocks a wide range of threats and limits unauthorized transfer of files and sensitive data (CC# and SSN), while a comprehensive URL database controls non-work related web surfing. The application visibility and control delivered by App-ID, combined with the comprehensive threat prevention enabled by Content-ID, means that IT departments can regain control over application and related threat traffic.
• User-ID: Seamless integration with Microsoft Active Directory links the IP address to specific user and group information, enabling IT organizations to monitor applications and content based on the employee information stored within Active Directory. User-ID allows administrators to leverage user and group data for application visibility, policy creation, logging and reporting.
• Purpose-Built Platform: Designed specifically to manage enterprise traffic flows using function- specific processing for networking, security, threat prevention and management, all of which are connected by a 10 Gbps data plane to eliminate potential bottlenecks. The physical separation of control and data plane ensures that management access is always available, irrespective of the traffic load.
To view details on more than 900 applications currently identified by Palo Alto Networks, including their characteristics and the underlying technology in use, please visit the Applipedia (encyclopedia of applications) at the following URL: http://ww2.paloaltonetworks.com/applipedia/
APPENDIX 2: APPLICATIONS FOUND
The complete list of the 589 unique applications found, ranked in terms of frequency are listed below. To view details on the entire list of 900+ applications, including their characteristics and the underlying technology in use, please check Palo Alto Networks encyclopedia of applications at http://ww2.paloaltonetworks.com/applipedia/
100% Frequency ssl ftp dns smtp flash web-browsing rss netbios-ns http-audio soap ntp http-proxy google-desktop icmp snmp atom gmail hotmail ssh ms-update msrpc netbios-dg msn webdav google-analytics google-safebrowsing google-toolbar msn-file-transfer youtube rtmp ldap http-video bittorrent stun gmail-chat ike google-calendar apple-update skype web-crawler sharepoint yahoo-webmessenger yahoo-im itunes google-docs rtmpt facebook yahoo-toolbar yahoo-mail meebo twitter stumbleupon photobucket rtsp ms-rdp myspace-video webshots skype-probe pop3 myspace facebook-chat dailymotion hulu reuters-data-service metacafe google-picasa imeem limelight facebook-mail linkedin adobe-update flexnet-installanywhere shoutcast mssql-mon aim-mail msn-voice adobe-connect silverlight msn-toolbar squirrelmail logmein flixster livejournal asf-streaming spark 75% Frequency kerberos orkut ipsec-esp-udp backweb mediafire imap gnutella slp google-earth megaupload veohtv telnet friendster flickr myspace-mail outlook-web emule yahoo-voice aim-express aim ustream dhcp blogger-blog-posting napster ares ms-ds-smb ebuddy msn-webmessenger blackboard zango friendfeed mobile-me pandora time yousendit ssdp google-lively salesforce syslog justin.tv ooyala meebome plaxo sip live365 bebo rapidshare irc jabber zimbra google-video mogulus cgiproxy webex hi5 logitech-webcam blog-posting teredo outblaze-mail 4shared esnips mssql-db netbios-ss snmp-trap rdt pogo phproxy trendmicro last.fm rtp docstoc azureus imesh boxnet google-talk myspace-im ipv6 worldofwarcraft norton-av-broadcast megavideo citrix hp-jetdirect stickam horde skydrive teamviewer ms-sms yum ms-groove xunlei mediawiki-editing vbulletin-posting ms-netlogon ppstream mail.com depositfiles sendspace mysql pando nintendo-wfc netvmg-traceroute office-live gadu-gadu dealio-toolbar citrix-jedi google-talk-gadget msn-video 50% Frequency deezer move-networks mail.ru qq-mail lotus-notes oracle second-life source-engine steam bugzilla babylon bbc-iplayer mms yahoo-file-transfer oovoo yahoo-webcam active-directory ichat-av twig ciscovpn tftp yandex-mail subspace portmapper upnp qq-download qq echo coralcdn-user imvu sightspeed jango roundcube vnc kazaa neonet sharepoint-admin tor nntp cups youku lwapp kaspersky grooveshark open-vpn tvu filestube kugoo manolito dropbox gotomeeting daytime netflow
icq blin xobni orb yahoo-douga radius secureserver-mail ms-exchange winamp-remote ipsec-esp yourfilehost generic-p2p gpass subversion userplane autobahn playstation-network lpd evernote qvod whois netease-mail diino soribada classmates livestation pptp gre instan-t-file-transfer xing carbonite xm-radio clearspace eatlime wolfenstein sharepoint-documents filemaker-pro yourminis sopcast glype-proxy iloveim dotmac rsync camfrog symantec-av-update poker-stars medium-im folding-at-home direct-connect libero-video tudou pplive ipp 2ch tagoo fastmail gotomypc secure-access drop.io soulseek open-webmail rpc xfire aim-file-transfer gamespy socialtv joost kontiki finger rping 25% Frequency seeqpod ultrasurf blackberry send-to-phone filedropper comcast-webmail messengerfx zoho-im pownce xbox-live rsvp jaspersoft tidaltv ebay-desktop uusee mozy streamaudio miro verizon-wsync netsuite wixi octoshape party-poker battlefield2 git foxy netspoke live-meeting discard peerguardian symantec-syst-center editgrid flumotion sophos-update vtunnel pim hyves babelgum gtalk-voice zoho-wiki pandora-tv h.323 cox-webmail hotspot-shield wins ruckus gtalk-file-transfer elluminate razor radiusim freeetv niconico-douga veetle cpq-wbem tvants l2tp websense qqlive msn-money-posting tikiwiki-editing yahoo-finance-posting h.245 foldershare live-mesh wiiconnect24 bebo-mail sharepoint-calendar webconnect apple-airport jira timbuktu ncp vmware imo zoho-writer kino pna zoho-sheet socks igp mixi sling nfs cooltalk tvtonic tuenti postgres groupwise innovative tacacs-plus gnunet doof bomberclone mediamax mount koolim lotus-sametime livelink scps acronis-snapdeploy rtcp ping freegate http-tunnel crossloop kproxy radmin hopopt rip pcanywhere tokbox h.225 wikispaces-editing sosbackup simplify cisco-nac zenbe rhapsody garena youseemore corba zoho-crm icq2go unassigned-ip-prot wlccp rpc-over-http webex-weboffice writeboard zoho-show bacnet cddb graboid-video circumventor meevee ospfigp lokalisten mcafee psiphon seesmic ventrilo wetpaint-editing tivoli-storage-manager iheartradio cvs drda yahoo-blog-posting optimum-webmail web-de-mail zoho-mail hushmail inforeach sap fs2you seven-email 100bao knight-online ypserv gmail-drive ms-win-dns ms-wins jxta dnp3 twitpic yuuguu ip-in-ip meebo-file-transfer mfe-nsp vmtp ibm-director lan rtmpe feidian meabox fotki bypassthat jap glide zelune rsh egp forticlient-update netop-remote-control cvsup ndmp gizmo backup-exec pbwiki-editing wikidot-editing qqmusic 2ch-posting filemaker-anouncement gds-db sybase dabbledb gmx-mail noteworthy t-online-mail zoho-db gbridge ipsec-ah tcp-over-dns usermin sugar-crm dropboks fluxiom hamachi flashget openft share-p2p fileswire war-rock concur computrace blokus fortiguard-webfilter imhaha laconica
esignal webqq meetro ms-ocs swapper rediffbol rediffbol-audio-video spark-im nimbuzz yugma argus bbn-rcc-mon dimdim cpnx emcon iplt cbt iso-ip nvp-ii private-enc ipv6-icmp reserved snp udplite pup xns-idp clarizen noteworthy-admin wccp thinkfree vakaka megaproxy ms-iis ghostsurf hopster pingfu surrogafier beinsync netviewer rlogin vnc-http yoics eigrp igmp xdmcp ibackup lifecam mgcp schmedley aim-audio aim-video asterisk-iax vsee google-finance-posting motleyfool-posting zwiki-editing sccp