Difference between revisions of "How to Detect and Block UltraSurf program traffic"

From MikroTik Wiki
'''Hi,
 
  
You know, after my successful experiment to block Hotspot Shield, we tried other programs that bypass network policy, and one of the fastest is UltraSurf

[www.ultrareach.com]

It is faster than Hotspot Shield, it does not need to be installed, and you can download it as a single EXE file; you just double-click it and run it.

But it is more sophisticated in the way it operates and the way it obtains its proxy server IP addresses:
 
 
"Ultrasurf sets up a local proxy on the user’s computer, and then configures Internet Explorer’s proxy settings to run all Internet requests through that local proxy. It works automatically with Internet Explorer; however, the user can also use Firefox or any other browser that supports a proxy configuration by manually changing the browser’s proxy settings. The default port is 9666.

The user can then browse any Internet site normally using IE. All traffic funnels through the local Ultrasurf proxy. Since the traffic between Ultrasurf and IE is entirely on the localhost, it never goes to the network and can’t be blocked by a network device.

Ultrasurf then sets up an encrypted connection with a remote server in its network of proxy servers.

The connection to the remote proxy server is made over port 443, which is the standard HTTPS port.

UltraSurf can discover its proxy servers in the following ways:

  1- A cache file of proxy server IPs stored in the user’s local temp directory from a previous execution
  2- DNS requests to external DNS servers, which return encoded IPs of proxy servers.
  3- A document on Google Docs containing a rapidly updated, signed and encrypted list of active proxy servers
  4- A static list of proxy server IPs built into the program
  5- Once Ultrasurf discovers a proxy server in its network, it can retrieve IP addresses of other proxy servers directly from that server." (copied)
 
 
 
Using the last link, I tried to capture the packets coming from UltraSurf on port 443 with Wireshark, to see which servers it connects to on port 443.

I found three major server ranges:

204.107.140.0/24, 65.49.0.0/17, 72.0.0.0/8

So I made an address-list and added these addresses to it.
 
 
Firewall address-list rules

  /ip firewall address-list
  add address=65.49.0.0/17 comment="" disabled=no list=UltraSurfServers
  add address=72.0.0.0/8 comment="" disabled=no list=UltraSurfServers
  add address=204.107.140.0/24 comment="" disabled=no list=UltraSurfServers
 
 
Then, using this address list, we can match users who are trying to connect to these proxy servers on port 443, catch all the traffic coming from the UltraSurfUsers, and add its destinations to an address-list named UltraSurfProxies.

Mangle Rules

  /ip firewall mangle
  add action=add-src-to-address-list address-list=UltraSurfUsers \
      address-list-timeout=1h chain=prerouting comment=UltraSurfUsers disabled=no \
      dst-address-list=UltraSurfServers dst-port=443 in-interface=LAN protocol=tcp
  add action=add-dst-to-address-list address-list=UltraSurfProxies \
      address-list-timeout=1h chain=prerouting comment=UltraSurfProxies disabled=no \
      in-interface=LAN src-address-list=UltraSurfUsers
 
 
We added this destination NAT to activate the web proxy, so that some HTTP destinations can be blocked and only HTTP browsing (no HTTPS) is allowed, while UltraSurf is prevented from working.

NAT rules

  /ip firewall nat
  add action=redirect chain=dstnat comment="HTTP to web proxy" disabled=no dst-port=80 \
      protocol=tcp to-ports=8080
 
 
Web proxy rules

  /ip proxy
  set always-from-cache=no cache-administrator=ssh cache-hit-dscp=4 \
      cache-on-disk=yes enabled=yes max-cache-size=3145728KiB \
      max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
      parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no \
      src-address=0.0.0.0
 
 
After that we blocked any DNS request to external DNS servers, any connection from UltraSurfUsers to UltraSurfProxies, any connection from UltraSurfUsers to UltraSurfServers, any traffic from the MikroTik router itself to UltraSurfServers, and any traffic from UltraSurfServers to our MikroTik router.
 
 
Firewall Filter rules

  /ip firewall filter
  add action=drop chain=input comment="" disabled=no dst-address=172.20.7.227 \
      in-interface=WAN protocol=tcp src-address-list=UltraSurfServers
  add action=drop chain=output comment="" disabled=no dst-address-list=UltraSurfServers \
      out-interface=WAN protocol=tcp src-address=172.20.7.227
  add action=drop chain=forward comment="" disabled=no dst-address=!192.168.1.1 \
      dst-port=53 protocol=udp
  add action=drop chain=forward comment="" disabled=no dst-address-list=UltraSurfProxies \
      in-interface=LAN protocol=tcp src-address-list=UltraSurfUsers
  add action=drop chain=forward comment="" disabled=no dst-address-list=UltraSurfServers \
      in-interface=LAN protocol=tcp src-address-list=UltraSurfUsers
 
 
Note that 172.20.7.227 is our WAN IP address and 192.168.1.1 is our LAN IP address.
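To see how the mangle and filter rules above interact, here is an added Python model (not from the article and not RouterOS code) that replays the rule order over a few constructed flows; it ignores the 1h timeouts, the dstnat redirect and the input/output rules. It shows that a host is dropped as soon as it touches an UltraSurfServers address on 443, that every later destination of that host, an ordinary HTTPS site included, lands in UltraSurfProxies and is blocked for that host, and that other LAN hosts are unaffected.

```python
import ipaddress
from dataclasses import dataclass, field

# Address lists as the article configures them. Note that 72.0.0.0/8 alone
# covers about 16 million addresses, so expect collateral matches.
ULTRASURF_SERVERS = [ipaddress.ip_network(n) for n in
                     ("65.49.0.0/17", "72.0.0.0/8", "204.107.140.0/24")]
LAN_DNS = ipaddress.ip_address("192.168.1.1")  # the router, per the article


def in_list(addr, networks):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in networks)


@dataclass
class Router:
    # Dynamic lists the mangle rules populate; the 1h timeouts are not modelled.
    users: set = field(default_factory=set)
    proxies: set = field(default_factory=set)

    def handle(self, src, dst, proto, dport):
        """Apply the two mangle rules, then the forward-chain filter rules, in
        the article's order, to one LAN-originated flow. Returns (decision, why)."""
        # mangle 1: LAN host -> UltraSurfServers on tcp/443 lands in UltraSurfUsers
        if proto == "tcp" and dport == 443 and in_list(dst, ULTRASURF_SERVERS):
            self.users.add(src)
        # mangle 2: every destination of a flagged host lands in UltraSurfProxies
        if src in self.users:
            self.proxies.add(dst)
        # filter: DNS to anything but the router is dropped
        if proto == "udp" and dport == 53 and ipaddress.ip_address(dst) != LAN_DNS:
            return "drop", "external DNS"
        if proto == "tcp" and src in self.users and dst in self.proxies:
            return "drop", "UltraSurfUsers -> UltraSurfProxies"
        if proto == "tcp" and src in self.users and in_list(dst, ULTRASURF_SERVERS):
            return "drop", "UltraSurfUsers -> UltraSurfServers"
        return "accept", "no rule matched"


def run_sample():
    """Replay constructed flows (src, dst, proto, dport) in the order seen."""
    flows = [
        ("192.168.1.10", "204.107.140.5", "tcp", 443),  # UltraSurf bootstrap
        ("192.168.1.10", "93.184.216.34", "tcp", 443),  # same host, ordinary HTTPS site
        ("192.168.1.20", "93.184.216.34", "tcp", 443),  # other host, same site
        ("192.168.1.20", "8.8.8.8", "udp", 53),         # DNS lookup bypassing router
        ("192.168.1.20", "192.168.1.1", "udp", 53),     # DNS lookup via router
    ]
    router = Router()
    return [router.handle(*f) for f in flows], router
```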
 
 
Note that the DNS server for all users in your network must be your MikroTik router's IP address, which is 192.168.1.1 here; this is configured in the DHCP server.

You have to make your MikroTik router (as DNS relay) the DNS server for your customers in DHCP:
 
 
  /ip dhcp-server
  add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static \
      disabled=no interface=LAN lease-time=3d name=dhcp1
  /ip dhcp-server config
  set store-leases-disk=5m
  /ip dhcp-server network
  add address=192.168.1.0/24 comment="" dns-server=192.168.1.1 gateway=192.168.1.1
 
 
It is also recommended to use the OpenDNS server IP addresses on your MikroTik:

  /ip dns
  set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
      max-udp-packet-size=512 primary-dns=208.67.222.222 secondary-dns=208.67.220.220
 
 
Notice that all of these rules were applied only on MikroTik RouterOS 3.30.
 
'''
 

Revision as of 07:47, 10 July 2011