Skip to content

Blocking Apps

Introduction

About this Document

This document provides instructions for system administrators on how to block certain apps and services. While we will use TikTok as an example, the instructions provided in this document can also be used to block other applications and services.

Dangerous Apps

Certain apps can be considered dangerous for various reasons, depending on how they handle user data or content. In the case of TikTok, concerns have been raised about its data privacy practices, as well as its content moderation policies.

TikTok collects a significant amount of data from its users, including location data, device information, and browsing history, which can be used for targeted advertising or other purposes. There have also been concerns about potential censorship or bias in its content moderation practices, as well as its handling of user-generated content that may be inappropriate or harmful.

Furthermore, TikTok's ownership and connection to the Chinese government have raised concerns about potential data sharing or surveillance, which has led to some countries banning or restricting its use in certain contexts.

Overall, it's important for users to be aware of the risks associated with any app they use and to make informed decisions about their privacy and security.

Disclaimer

Please note that blocking TikTok or other apps on a specific device or network only applies to that device or network. Additionally, it's important to keep in mind that there are ways to bypass the block, such as using a VPN.

Pitfalls of IP Address Blocking

Apps and services like TikTok use a large number of IP addresses that can change frequently without prior notice, so it may be challenging to maintain an accurate and up-to-date list of all IP addresses. It is important to note that the IP addresses obtained through the WHOIS database may not represent a complete list, and should not be relied upon as the sole source of information.

Furthermore, blocking TikTok's IP address range might also block access to other legitimate services that share the same IP addresses or subnets. Therefore, blocking IP address ranges is not the most effective solution in such scenarios.

Blocking Methods

You can block the application with advanced firewall rules or by adding an application filter to your proxy server ACL.

Firewall Configuration

  1. Log in to your AXS Guard appliance.
  2. Navigate to Firewall > Rules > Advanced.

  3. Add the following lines to the rules field:

    -v -t filter -I FORWARD -m string --string "tiktok" --algo kmp --icase -j REJECT
-v -t filter -I FORWARD -m string --string "musical.ly" --algo kmp --icase -j REJECT

    TTlist

  4. Save your configuration.

The iptables parameters shown above insert 2 new rules into the FORWARD chain that match packets containing the strings tiktok and musical.ly using the Knuth-Morris-Pratt algorithm.

When a packet matches one of these rules, it will not be forwarded to its destination. Please note that no logging will be performed in this case.

Firewall Test

Log in to a computer and execute the following curl commands:

  • curl -I https://www.tiktok.com
  • curl -I https://www.musical.ly

Both commands should result in an error:

curl: (35) error:0A000126:SSL routines::unexpected eof while reading

If users attempt to access TikTok with a browser, they will see a connection failure, as shown in the image below:

TTerror

Proxy Configuration

Info

This option is only available for AXS Guard appliances with an Essential or Plus content scanning license or appliances with a Premium Threat Protection Pack.

  1. Log in to your AXS Guard appliance.
  2. Go to Web Access > Filters > Lists.

  3. Create a new site list with the following wildcard expressions:

    *tiktok*
*musical.ly*

  4. Create a category and add the new site list to it.

  5. Add the new category as a blocked item to the desired ACL, e.g. predef-no-porn.
  6. Make sure that the ACL is assigned to the appropriate users, groups and computers. To enforce the ACL system-wide, navigate to Web Access > Proxy Server.

ACL

Proxy Test

Log in to a computer and execute the following curl command:

curl -I -x http://192.168.250.254:3128 https://www.tiktok.com -U axsguard_username:axsguard_password | grep -wo blocked

The command should show the request as blocked:

curl: (56) CONNECT tunnel failed, response 302
blocked

If users attempt to access TikTok with a browser, their request will be blocked, as shown in the image below:

TTblock