Block Anydesk

Hey everyone.
Is it possible to block anydesk?
How do I do it?

Thanks in advance.

Block its listening port…

L7 firewall block *.net.anydesk.com with regexp

L7 firewall blocking is not recommended anymore…!
Especially when what you want can be achieved by a simple TCP port block..!

I don’t think that a simple block will do it.

https://support.anydesk.com/FAQ

Which ports does AnyDesk use?
To connect to the AnyDesk network port 80, 443 or 6568 is used. For standard listening port direct line connection is 7070 (TCP).

You could block port 7070, but IIRC this is user configurable.
Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.

I’ve used Anydesk using squid proxy (on networks without even a default gateway to the outside world) that did not allow port 7070 and it still worked perfectly fine.

I think both AnyDesk and TeamViewer fall back to port 443, which is almost universally allowed in firewalls. And both can even use an HTTP proxy to still receive incoming connections.

@danniell2 if you control the DNS that the clients use then you may have more luck by blocking *.anydesk.com from resolving. But still, the AnyDesk client may have hardcoded IPs that it connects to directly to bootstrap itself.

I would personally start capturing traffic to see where it connects to and how it behaves every time I block something until I manage to block it completely.

Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.

I never said blocking ports 80 or 443… in my previous post I said block the listening port, which is not 80 or 443 either…
I’m sure it can be blocked.. I’ll try it when I find some time and I’ll let you know if no solution has been found yet…

Blocking the listening port doesn’t block Anydesk. It just blocks the direct connection between the two clients.
When the listening port is blocked, it will connect via an outgoing connection to port 80 to an Anydesk relay server, essentially punching through your firewall (assuming that port outgoing TCP 80 is allowed).
I just tried it and the traffic was flowing through 217.182.196.53 (relay-b78965e4.net.anydesk.com).
I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ.

Also, I just checked and the listening port IS user configurable - so a simple TCP port block can be bypassed in matter of seconds.

In other words, blocking the listening port doesn’t block Anydesk, and blocking outgoing connections to port 80 & 443 is… unrealistic.

Hi everyone,

I’m here because I was searching for this too; unlike TeamViewer this is a peer-to-peer connection, so the destination address will be the public IP of the computer you want to reach.
The default listening port is 7070. I could at least log the activity (not truly tested, but I saw my computer’s private IP in the logs, so I think it’s good).
I tried TLS host blocking, not working. If someone finds out how to block/audit it, please share with us!

Here are some logs from a corporate proxy blocking anydesk.

1572105939.836      0 x.x.x.x TCP_DENIED/403 2045 CONNECT 144.76.103.6:80 - NONE/- text/html
1572105941.837      0 x.x.x.x TCP_DENIED/403 2059 CONNECT 144.76.103.6:443 - NONE/- text/html
1572105943.836      0 x.x.x.x TCP_DENIED/403 2049 CONNECT 144.76.103.6:6568 - NONE/- text/html

1572105926.513      0 x.x.x.x TCP_DENIED/403 2042 CONNECT 5.9.105.232:80 - NONE/- text/html
1572105928.529      0 x.x.x.x TCP_DENIED/403 2056 CONNECT 5.9.105.232:443 - NONE/- text/html
1572105930.529      0 x.x.x.x TCP_DENIED/403 2046 CONNECT 5.9.105.232:6568 - NONE/- text/html

It appears that even if *.anydesk.com is blocked, the Anydesk client will still try to connect to the Anydesk network via hardcoded IPs on port 80, then port 443, then port 6568.
Which makes it that much harder to block reliably.

Also you need to block DNS requests to other DNS servers. In my tests AnyDesk used 1.1.1.1, 8.8.8.8 and 9.9.9.9 beside my local DNS server. I had to block two IP addresses, 5.9.51.75 and 37.61.223.15. But I’m not sure if they are hardcoded or just cached.

Hi All,

Is there anyone who can block AnyDesk?
I have followed all the steps on this forum but it still failed. Because AnyDesk uses port 443, if I block that port, no user can access the internet. And I cannot block by IP address because I always get a different IP address.

Regards,
Tisna

Hi,

Maybe late to reply about this.

You can add this in Your firewall rules

chain=forward action=drop protocol=tcp dst-port=443 content=anydesk log=no log-prefix=“”

This will for sure block the AnyDesk website for all clients and leave all other port-443 traffic alone, but it will not block the AnyDesk client. I am also looking for a solution.

Hello.
I block AnyDesk with these steps:
(sorry for my English)

  1. add a layer7 protocol entry with name=AnyDesk and simply the text “anydesk.com” without any special chars
  2. add mangle(prerouting) rule with packet mark rule by filters:
    new-packet-mark=drop_udp
    dst-port=53 protocol=udp layer7protocol=AnyDesk
  3. if you know even one AnyDesk’s server, make ip address list for it with name for ex: name=ban_remote_anydesk
  4. add mangle(prerouting) rule with new packet mark rule by filters:
    new-packet-mark=drop_tcp
    dst-port=80,443,6568 protocol=tcp dst-address-list=ban_remote_anydesk

Finally, filter packets:
  5. add filter (input) rule with drop action by filters:
    protocol=udp dst-port=53 packet-mark=drop_udp
  6. add filter (forward) rule with drop action by the same filters:
    protocol=udp dst-port=53 packet-mark=drop_udp
  7. add filter (forward) rule with reject action by filters:
    protocol=tcp packet-mark=drop_tcp

Also, you need to block DNS requests to foreign DNS servers, except for a group who is allowed to do it:
  8. add filter (forward) rule with drop action by filters (you must have an address list, for ex. “allow_alternate_dns”):
    protocol=udp dst-port=53 src-address-list=not allow_alternate_dns

That’s all. From this time, you can’t run AnyDesk.
But, if you need to stop already running instances, you must have full list of AnyDesk’s IPs.

So, If you need full list of AnyDesk’s servers, you can do it like me.

  1. Install a “dedicated” virtual PC with Windows 7 (or other, but I like W7) on a virtual machine. Now we know the IP leased to the virtual PC, for ex. 192.168.88.200.
  2. Change step 2 (the mangle rule above) to allow DNS requests from 192.168.88.200. We don’t need to block DNS requests for the virtual PC.
  3. All requests to TCP ports 80 and 443 from 192.168.88.200 we must mark, save to an address list (for example TCP_80_443) and then drop in a filter rule.
  4. All requests to TCP port 6568 with destination in TCP_80_443 from 192.168.88.200 we must add to the address list “ban_remote_anydesk” (step 3 above).
  5. Run AnyDesk on it. Find the IP address AnyDesk connected to. Add it to the address list ban_remote_anydesk.
    Wait some minutes, and our address list will be filled with AnyDesk’s IPs.
    When the list is filled, even running AnyDesk instances will be disconnected, including 192.168.88.200.

BTW, if you have fasttrack rules or simple accept forward rules for established/related connections at the top of your rules, you must disable them for some time.
P.S. Sorry for my English one more time.
P.S.S. RouterOS 6.43.13
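The eight steps above written out as RouterOS 6.4x CLI commands, as an added example and not the poster’s own configuration. It assumes the LAN is 192.168.88.0/24, that the bootstrap address 144.76.103.6 seen in the squid logs earlier in the thread seeds ban_remote_anydesk, and that an address list allow_alternate_dns holds the hosts permitted to use outside resolvers; `src-address-list=!allow_alternate_dns` is the CLI spelling of the “not allow_alternate_dns” the steps describe. The plain text “anydesk.com” works as the layer-7 regexp because the `.` is a wildcard: in DNS wire format the dot between labels is a length byte, which the wildcard still matches.

```routeros
# Added example (not from the thread): the eight steps above as RouterOS 6.4x CLI.
# Assumptions: LAN 192.168.88.0/24; 144.76.103.6 (from the proxy logs earlier in the
# thread) seeds the ban list; allow_alternate_dns lists hosts that may use outside DNS.

# Step 1: layer-7 matcher. "anydesk.com" is a valid regexp as-is; the "." matches the
# label-length byte that replaces the dot in a raw DNS query.
/ip firewall layer7-protocol
add name=AnyDesk regexp="anydesk.com"

# Step 3: address lists of known AnyDesk servers and of hosts allowed to use outside DNS
/ip firewall address-list
add list=ban_remote_anydesk address=144.76.103.6 comment="seen in proxy logs"
add list=allow_alternate_dns address=192.168.88.10 comment="host allowed to use outside DNS"

# Steps 2 and 4: mark DNS queries that mention anydesk.com, and TCP traffic to listed servers
/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 layer7-protocol=AnyDesk \
    action=mark-packet new-packet-mark=drop_udp passthrough=no comment="step 2"
add chain=prerouting protocol=tcp dst-port=80,443,6568 dst-address-list=ban_remote_anydesk \
    action=mark-packet new-packet-mark=drop_tcp passthrough=no comment="step 4"

# Steps 5-8: act on the marks. These must sit above any fasttrack / established,related
# accept rules, otherwise already-open AnyDesk sessions are never evaluated (see the BTW above).
/ip firewall filter
add chain=input protocol=udp dst-port=53 packet-mark=drop_udp action=drop comment="step 5"
add chain=forward protocol=udp dst-port=53 packet-mark=drop_udp action=drop comment="step 6"
add chain=forward protocol=tcp packet-mark=drop_tcp action=reject reject-with=tcp-reset comment="step 7"
add chain=forward protocol=udp dst-port=53 src-address-list=!allow_alternate_dns action=drop comment="step 8"
```

Step 8 only covers plain UDP/53; DNS over TLS (TCP 853) and DNS over HTTPS (TCP 443) are not touched by any of these rules, which is the gap the later posts in the thread point out. To verify the rules are being hit, watch the packet counters with `/ip firewall filter print stats` while a client attempts an AnyDesk connection.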

One simple solution :

  1. Redirect DNS queries on port 53 UDP and TCP to the router.
  2. Block DoT ports 453, 853.
  3. Add a static record with regexp ^(.*)(anydesk)(.*)$ and address 127.0.0.1.
  4. Try to block DoH by dropping TCP 443 with a dst. address list of known DoH server IP addresses.
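The four steps above as RouterOS CLI commands, as an added example that is not the poster’s own configuration. It assumes the LAN-side interfaces are in an interface list named LAN, blocks TCP 853 (the IANA-assigned port for DNS over TLS), and uses a placeholder entry in the doh_servers address list that has to be replaced with real resolver addresses from a current DoH server list. The static-record regexp is written with `.*` in both groups so that it matches any name containing “anydesk”.

```routeros
# Added example (not from the thread): the four steps above as RouterOS CLI.
# Assumptions: LAN interfaces are in interface list "LAN"; 198.51.100.10 is a
# PLACEHOLDER and must be replaced with real DoH resolver addresses.

# Step 1: force every LAN DNS query (UDP and TCP 53) onto the router's own resolver
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="step 1"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="step 1"

# Step 2: drop DNS over TLS so clients cannot side-step the router's resolver
/ip firewall filter
add chain=forward protocol=tcp dst-port=853 action=drop comment="step 2 (DoT)"

# Step 3: the router must answer LAN queries, and any name containing "anydesk" resolves to localhost
/ip dns
set allow-remote-requests=yes
/ip dns static
add regexp="^(.*)(anydesk)(.*)$" address=127.0.0.1 comment="step 3"

# Step 4: DoH shares port 443 with ordinary HTTPS, so it can only be blocked per known resolver
/ip firewall address-list
add list=doh_servers address=198.51.100.10 comment="PLACEHOLDER: replace with real DoH resolver addresses"
/ip firewall filter
add chain=forward protocol=tcp dst-port=443 dst-address-list=doh_servers action=drop comment="step 4 (DoH)"
```

This approach stops the client from ever learning a relay address by name; it does nothing against the hardcoded IPs discussed earlier in the thread, and, as the replies below note, a DoH client or a local hosts-file entry on the PC bypasses the router’s resolver entirely. Checking `/ip dns cache print` for anydesk entries after a connection attempt confirms whether queries are actually reaching the router.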

Just logged in to say thanks for sharing your experience.
I was struggling for the last 2 days to find a way to block this crap.
Greetings!

That will only be a short-term solution, since new servers arrive all the time.
Here is one list.
https://dnscrypt.info/public-servers/

Here’s what worked for me :

  1. Redirect DNS queries on port 53 UDP and TCP to the router.
  2. Add a static record with regexp ^(.*)(anydesk)(.*)$ and address 127.0.0.1.

Problem solved. Did not see any traffic to hard-coded IPs. Tested with latest AnyDesk version.

Just add a DoH client on your PC and you bypass the DNS server completely.
Also adding a static name would bypass a DNS server.

Your approach only works for a user who accidentally tries to reach a site. For any user who knows something about networking, this does not work.