How to block TeamViewer?

First Step block DNS

TeamViewer client using port 80 for the outbound connection, it is difficult to block using port basis. So, because TeamViewer client must be connected first to the TeamViewer server, we can use another aproach, that is blocking every dns request for the *.teamviewer.com and/or *.dyngate.com.

Second Step block IP Address Range

The TeamViewer IP Address Range is 178.77.120.0/24, but you have to check again.

Just for completeness, TeamViewer uses three different ports in specific order.

1. TCP/UDP port 5938 is the primary port TeamViewer prefers to use. This is also currently the only port used by Android, Windows Mobile and BlackBerry clients.
2. If connection fails, TeamViewer tries TCP 443 next. This is actually the most problematic part, because blocking the default HTTPS port 443 will block all secure web sites. Tampering with the data would involve using fake root CA and decrypting the data, and without that it's really hard to detect whether it's TeamViewer traffic or just normal TLS encrypted HTTPS.
3. Default HTTP port, TCP 80 is the third alternative. That would be easy to block e.g. by using a transparent proxy, but is totally unnecessary, because the 443 is used before this.

Therefore, blocking the connections on network level from any client (incl. BYOD) would involve:

• Faking or blocking DNS queries for *.teamviewer.com. This should actually be the most efficient way, if you trust the TeamViewer GmbH's word (for the opposite purposes):

  The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.

• Additionally, blocking TeamViewer's known IP address ranges, but as we can soon see, this may be problematic and hard to maintain:

  • 178.77.120.0/25; DE-HE-MASTER-EXT; TeamViewer GmbH
  • 159.8.209.208/28; NETBLK-SOFTLAYER-RIPE-CUST-SS30641-RIPE; TeamViewer GmbH
  • Some in 92.51.156.64/26; owned by Host Europe GmbH; risk for false positives...
  • etc.; also risk for false positives and need for removals in the future.
• In addition, very paranoid administrators could utilize some Deep Packet Inspection.

If you don't trust TeamViewer GmbH, and as TeamViewer works on ports 443 and 80 with a standalone TeamViewerQS.exe, the Group Policy (e.g. Software Restriction Policies) would be a good addition that increases protection on Windows machines joined to an AD domain.

When re-visiting our network blocks using this method, we found that Teamviwer was connecting to different subnets and DNS names than listed here. It now connects to router[1-16].teamviewer.com.

The only problem is that the hosts are all over the place as they have servers around the world at ANEXIA Internetdienstleistungs, and blocking the subnets would result in a lot of false positives. According to the whois, it appears that these are associated with dedicated servers, so we put in DNS-based IP blocks for those domains and it seems to be preventing TeamViewr from connecting again.

If you need to grab the IPs, the following script (based off the above script) does the trick:

for i in $(seq 1 16);
do
    a="router"$i".teamviewer.com"
    b=$(dig +short $a)
    echo "RESULT: $b"
    if [[ "$b" == "" ]]; then
        continue
    fi
    echo "$b" >> ip_to_block.txt
    echo "$a" >> domains_to_block.txt
done

Teamviewer app always connect to one of the servers like serverXXXXX.teamviewer.com via http\https.

Run bash script something like

for i in `seq 10000 99999`;
do
    a="server"$i".teamviewer.com"
    b=`dig +short $a`
    if [[ "$b" == "" ]]; then
        continue
    fi

    echo "$b" >> ip_to_block.txt
done

And block all of the IP in ip_to_block.txt afer script finishing. This is 100% block all Teamviewer clients.