Difference between revisions of "How to Detect and Block UltraSurf program traffic"

From MikroTik Wiki

Latest revision as of 09:36, 4 May 2012

hi

You know, after my successful experiment to block Hotspot Shield, we tried other types of programs for bypassing network policy, and one of the fastest is UltraSurf [1] (http://www.ultrareach.com). It is faster than Hotspot Shield and it does not need to be installed: you can download it as an EXE file, and you just need to double-click it and run it. But it is more sophisticated in the way it operates and the way it gets its proxy server IP addresses.

Ultrasurf sets up a local proxy on the user’s computer, and then configures Internet Explorer’s proxy settings to run all Internet requests through that local proxy. It works automatically with Internet Explorer; however, the user can also use Firefox or any other browser that supports a proxy configuration by manually changing the browser’s proxy settings. The default port is 9666.

The user can then browse any Internet site normally using IE. All traffic funnels through the local Ultrasurf proxy. Since the traffic between Ultrasurf and IE is entirely on the localhost, it never goes to the network and can’t be blocked by a network device.

Ultrasurf then sets up an encrypted connection with a remote server in its network of proxy servers.

The connection to the remote proxy server is made over port 443, which is the standard HTTPS port.


UltraSurf can discover its proxy servers in the following ways:

1- A cache file of proxy server IPs stored in the user’s local temp directory from a previous execution

2- DNS requests to external DNS servers, which return encoded IPs of proxy servers

3- A document on Google Docs containing a rapidly updated, signed and encrypted list of active proxy servers

4- A static list of proxy server IPs built into the program

5- Once Ultrasurf discovers a proxy server in its network, it can retrieve IP addresses of other proxy servers directly from that server

I read about this in this file [2] (http://www.2shared.com/document/RAjHHiei/Ultrasurf-GUID78cf6064c4d04aff.html).


Using the last link, I tried to capture packets coming from UltraSurf with Wireshark on port 443 to see which servers they connect to on port 443. I found three major servers with the following ranges: 204.107.140.0/24, 65.49.0.0/17. So I made an address-list and added these addresses to it.

Firewall address-list rules

  ip firewall address-list
  add address=65.49.0.0/17 comment="" disabled=no list=UltraSurfServers
  add address=204.107.140.0/24 comment="" disabled=no list=UltraSurfServers

Then, using this address list, we can match users who are trying to connect to these proxy servers on port 443, and so catch all the traffic coming from UltraSurfUsers to these destinations on port 443.

  ip firewall mangle
  add action=add-src-to-address-list address-list=UltraSurfUsers \
  address-list-timeout=5m chain=prerouting comment=UltraSurfUsers disabled=\
  no dst-address-list=UltraSurfServers dst-port=443 protocol=tcp



Firewall Filter rules

After discovering who is using UltraSurf on your network, you can now block any traffic from those UltraSurfUsers destined to port 443.

  ip firewall filter
  add action=drop chain=forward comment="Block UltraSurf" disabled=no dst-port=\
  443 protocol=tcp src-address-list=UltraSurfUsers

Note that all of these rules apply only to MikroTik RouterOS 3.30.
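To show how the mangle and filter rules above interact, here is an added Python model (not part of the original page and not MikroTik code) that replays the UltraSurfUsers tagging with its 5m timeout and the tcp/443 drop over constructed sample flows; it assumes a repeated match refreshes the timeout.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of the page's RouterOS rules (not MikroTik code): the UltraSurfServers
# list, the mangle add-src-to-address-list rule with a 5m timeout, and the filter drop.
ULTRASURF_SERVERS = [ipaddress.ip_network(n) for n in ("65.49.0.0/17", "204.107.140.0/24")]
USERS_TIMEOUT = 5 * 60  # address-list-timeout=5m, in seconds

@dataclass
class Packet:
    ts: int      # seconds since the start of the (constructed) capture
    src: str
    dst: str
    proto: str
    dport: int

class UltraSurfFirewall:
    def __init__(self):
        self.users = {}  # src IP -> expiry time; the dynamic UltraSurfUsers entries

    def _in_servers(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in ULTRASURF_SERVERS)

    def _expire(self, now):
        self.users = {ip: exp for ip, exp in self.users.items() if exp > now}

    def process(self, pkt):
        """Return 'drop' or 'accept' for one forwarded packet, in RouterOS chain order."""
        self._expire(pkt.ts)
        # Mangle prerouting: tag any host talking tcp/443 to a known proxy range.
        # Assumption: a repeated match refreshes the 5m timeout.
        if pkt.proto == "tcp" and pkt.dport == 443 and self._in_servers(pkt.dst):
            self.users[pkt.src] = pkt.ts + USERS_TIMEOUT
        # Filter forward: prerouting ran first, so the first proxy packet and every
        # other tcp/443 flow from the tagged host are dropped until the tag expires.
        if pkt.proto == "tcp" and pkt.dport == 443 and pkt.src in self.users:
            return "drop"
        return "accept"

def replay(packets):
    fw = UltraSurfFirewall()
    return [(p.src, p.dst, fw.process(p)) for p in packets]

# Constructed sample flows from LAN hosts behind the router.
SAMPLE = [
    Packet(0, "192.168.88.10", "65.49.100.5", "tcp", 443),     # UltraSurf range: tagged and dropped
    Packet(10, "192.168.88.10", "203.0.113.7", "tcp", 443),    # ordinary HTTPS: dropped as collateral
    Packet(20, "192.168.88.11", "203.0.113.7", "tcp", 443),    # untagged host: accepted
    Packet(400, "192.168.88.10", "203.0.113.7", "tcp", 443),   # tag expired after 5m: accepted
    Packet(410, "192.168.88.10", "204.107.140.9", "tcp", 80),  # wrong port: not tagged, accepted
]
```

Running replay(SAMPLE) shows the trade-off of this design: a tagged host loses all HTTPS, not just the proxy connection, for the length of the address-list timeout.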