How to block TeamViewer?

Solution 1:

First step: block DNS

The TeamViewer client uses port 80 for the outbound connection, so it is difficult to block on a port basis. Because the TeamViewer client must first connect to the TeamViewer server, we can use another approach: blocking every DNS request for *.teamviewer.com and/or *.dyngate.com.

Second step: block the IP address range

The TeamViewer IP address range is 178.77.120.0/24, but you have to check again.

Solution 2:

Just for completeness, TeamViewer uses three different ports in a specific order.

  1. TCP/UDP port 5938 is the primary port TeamViewer prefers to use. This is also currently the only port used by Android, Windows Mobile and BlackBerry clients.
  2. If the connection fails, TeamViewer tries TCP 443 next. This is actually the most problematic part, because blocking the default HTTPS port 443 will block all secure web sites. Tampering with the data would involve using a fake root CA and decrypting the data, and without that it's really hard to detect whether it's TeamViewer traffic or just normal TLS-encrypted HTTPS.
  3. The default HTTP port, TCP 80, is the third alternative. That would be easy to block, e.g. by using a transparent proxy, but is totally unnecessary, because 443 is used before this.

Therefore, blocking the connections on network level from any client (incl. BYOD) would involve:

  • Faking or blocking DNS queries for *.teamviewer.com. This should actually be the most efficient way, if you trust TeamViewer GmbH's word (for the opposite purposes):

    The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.

  • Additionally, blocking TeamViewer's known IP address ranges, but as we can soon see, this may be problematic and hard to maintain:

    • 178.77.120.0/25; DE-HE-MASTER-EXT; TeamViewer GmbH
    • 159.8.209.208/28; NETBLK-SOFTLAYER-RIPE-CUST-SS30641-RIPE; TeamViewer GmbH
    • Some in 92.51.156.64/26; owned by Host Europe GmbH; risk for false positives...
    • etc.; also risk for false positives and need for removals in the future.
  • In addition, very paranoid administrators could utilize some Deep Packet Inspection.

If you don't trust TeamViewer GmbH, and as TeamViewer works on ports 443 and 80 with a standalone TeamViewerQS.exe, the Group Policy (e.g. Software Restriction Policies) would be a good addition that increases protection on Windows machines joined to an AD domain.
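
An added example, not part of either answer above: a small log scanner that combines the three signals Solution 2 lists (primary port 5938, the address ranges named there, and a PTR record under *.teamviewer.com) to report which internal hosts are reaching TeamViewer. The `src dst dport` log format, the sample addresses and the sample hostnames are constructed for the demo, and the ranges are only the ones quoted on this page, which the answer warns will change.

```python
import ipaddress
import socket

# Ranges quoted in Solution 2; treat them as a starting point, not a maintained list.
PAGE_RANGES = [ipaddress.ip_network(n) for n in ("178.77.120.0/25", "159.8.209.208/28")]
PTR_SUFFIX = "teamviewer.com"   # from the vendor statement quoted above
PRIMARY_PORT = 5938

def ptr_lookup(ip):
    """Reverse-resolve an IP; returns '' when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except OSError:
        return ""

def classify(dst_ip, dst_port, resolver=ptr_lookup):
    """Return the reasons a flow looks like TeamViewer (empty list = no match)."""
    reasons = []
    if dst_port == PRIMARY_PORT:
        reasons.append("port-5938")
    if any(ipaddress.ip_address(dst_ip) in net for net in PAGE_RANGES):
        reasons.append("known-range")
    name = resolver(dst_ip)
    # Match on a label boundary so 'notteamviewer.com' is not a hit.
    if name == PTR_SUFFIX or name.endswith("." + PTR_SUFFIX):
        reasons.append("ptr:" + name)
    return reasons

def scan(log_lines, resolver=ptr_lookup):
    """Parse 'src dst dport' lines; return {src: [(dst, dport, reasons), ...]}."""
    hits = {}
    for line in log_lines:
        try:
            src, dst, dport = line.split()
            reasons = classify(dst, int(dport), resolver)
        except ValueError:
            continue  # wrong field count, non-numeric port or invalid IP
        if reasons:
            hits.setdefault(src, []).append((dst, int(dport), reasons))
    return hits

# Constructed sample data (documentation addresses, made-up hostnames).
SAMPLE_PTR = {"203.0.113.10": "server123.teamviewer.com",
              "198.51.100.7": "www.example.org", "203.0.113.99": "notteamviewer.com"}
SAMPLE_LOG = ["10.0.0.5 203.0.113.10 443", "10.0.0.5 198.51.100.7 443",
              "10.0.0.8 178.77.120.20 80", "10.0.0.9 192.0.2.44 5938",
              "10.0.0.9 203.0.113.99 443", "garbage line"]

def demo():
    """Run the scanner over the sample log with a stub resolver (no network)."""
    return scan(SAMPLE_LOG, resolver=lambda ip: SAMPLE_PTR.get(ip, ""))
```

On live data, call `scan()` with the default resolver and cache the PTR answers; the PTR check is what catches the port 443 fallback, where the port alone says nothing.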