[ASK] How to block Ultrasurf ???

Posted: Wed Dec 23, 2009 4:05 am
by vzouh
Please, can anyone help me block access from Ultrasurf???
It uses https/443 and tons of IPs, so it's almost impossible to filter its IPs.
Maybe someone can figure this out, or maybe using layer7?
Thanks in advance :)

Re: [ASK] How to block Ultrasurf ???

Posted: Wed Dec 23, 2009 1:26 pm
by DannyZ
How about blocking port 9666?

Re: [ASK] How to block Ultrasurf ???

Posted: Wed Dec 23, 2009 2:41 pm
by Chupaka
It uses https/443
:)

Re: [ASK] How to block Ultrasurf ???

Posted: Fri Dec 25, 2009 2:23 pm
by omidkosari
Like the IRAN government: block all https and port 443 :twisted:

Re: [ASK] How to block Ultrasurf ???

Posted: Fri Mar 12, 2010 2:20 pm
by ananias1985
I have blocked 443 to all except my proxy. It worked.

Re: [ASK] How to block Ultrasurf ???

Posted: Mon Apr 26, 2010 1:14 pm
by awarmanf
It works perfectly on Linux by using the iptables rule below:
iptables -I FORWARD -p tcp -m tcp --dport 443 -m string --to 256 --hex-string '|16030100410100003d0301|' --algo bm -j DROP
It will block TCP packets sent from the client to TCP port 443 that contain a "Client Hello".

If Ultrasurf uses a different port other than 443, we can use this rule:
iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string '|16030100410100003d0301|' --algo bm -j DROP
It will block TCP packets sent from the client with the TCP flags ACK,PSH set that contain a "Client Hello".

Unfortunately I can not use MikroTik to block Ultrasurf with layer7.
I am using this layer7 rule, but it will also match connections to port 443 for the Facebook login.
/ip firewall layer7-protocol
add name=ultrasurf regexp="^\x16\x03\x01\x00\x41\x01\x00\x00\x3D\x03\x01"
/ip firewall mangle
add chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=ultrasurf \
  address-list-timeout=0s layer7-protocol=ultrasurf in-interface=lan dst-port=443
Sincerely,

Arief Yudhawarman
http://awarmanf.wordpress.com
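As an added example (not from the thread or from any poster), the Python below decodes the 11-byte pattern that the iptables and layer7 rules above search for, and builds a few constructed (not captured) ClientHello records to show what the pattern actually keys on: TLS 1.0 framing plus a record length of exactly 65 bytes. Any client sending a ClientHello of that exact size matches, which is why the rule also hits other sites' HTTPS logins, while a longer or TLS 1.2-versioned hello slips past it.

```python
import struct

# The byte pattern from the --hex-string / layer7 rules in the post above.
SIGNATURE = bytes.fromhex("16030100410100003d0301")


def decode_signature(sig: bytes) -> dict:
    """Decode the 11 bytes as a TLS record header (5 bytes) followed by
    the first 6 bytes of a handshake message (type, length, client version)."""
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", sig[:5])
    hs_type = sig[5]
    hs_len = int.from_bytes(sig[6:9], "big")
    return {
        "content_type": content_type,              # 0x16 = handshake record
        "record_version": (rec_major, rec_minor),  # (3, 1) = TLS 1.0 record layer
        "record_length": rec_len,                  # 0x0041 = 65 bytes
        "handshake_type": hs_type,                 # 0x01 = ClientHello
        "handshake_length": hs_len,                # 0x00003d = 61 = 65 - 4
        "client_version": (sig[9], sig[10]),       # version inside the ClientHello
    }


def build_client_hello(body_len: int, client_version=(3, 1)) -> bytes:
    """Construct a ClientHello record whose handshake body is body_len bytes.
    The body after the version field is filler; only the framing matters
    to a byte-string match, which is the point being demonstrated."""
    body = bytes(client_version) + b"\x00" * (body_len - 2)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def rule_matches(packet: bytes, window: int = 256) -> bool:
    """Approximate `-m string --to 256 --algo bm`: a plain substring search
    confined to the first `window` bytes of the packet."""
    return SIGNATURE in packet[:window]


if __name__ == "__main__":
    print(decode_signature(SIGNATURE))
    # A 65-byte TLS 1.0 ClientHello from any client matches the rule.
    print("65-byte TLS1.0 hello:", rule_matches(build_client_hello(61)))
    # A typical browser hello is far larger and does not match.
    print("204-byte hello:", rule_matches(build_client_hello(200)))
    # Same size but TLS 1.2 client version: bytes 9-10 differ, no match.
    print("65-byte TLS1.2 hello:", rule_matches(build_client_hello(61, (3, 3))))
```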