How to block Hotspot Shield

I believe many admins are searching for this.
How to effectively block the HOTSPOT SHIELD software?
I have tried the methods described in this forum/wiki and other places, but none work :frowning:

Is there anybody who has successfully blocked this evil application? :sunglasses: Is there any complete list of the IP addresses which Hotspot Shield connects to?
Any help?

I think the best way is to block these kinds of sites by DNS filtering. First you need to set up transparent DNS redirection:

/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-address-type=!local dst-port=53
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-address-type=!local dst-port=53

Of course, protect the router from outside DNS requests:

/ip firewall filter
add chain=input action=drop protocol=udp in-interface=WAN-interface dst-port=53
add chain=input action=drop protocol=tcp in-interface=WAN-interface dst-port=53

After that, you either create your own DNS server with your filters, or you rely on services like opendns.com and set the DNS of the router accordingly.
This way all DNS requests from the LAN will be redirected to the router's DNS cache, which in turn will send requests to the DNS server of your choice, which does the filtering.

And a Happy New Year :slight_smile:

Lolz, maybe you have not used this evil application. It does not rely on DNS; it connects directly via IP, and I have blocked hundreds of the IP addresses it is using, but still no joy. It changes IP rapidly every time.
Thank you for your tip anyway, OpenDNS is great for category-based filtering :slight_smile:

HOTSPOT SHIELD is a bit tricky to block, but with some filter rules to block its destinations (which are in the thousands, plus a few ports) I managed to block it. (It's still in the test phase, but it's blocking Hotspot Shield 99% :sunglasses:)
Read this:

https://aacable.wordpress.com/2014/12/31/blocking-hotspot-shield-in-mikrotik/
Note: It was observed that it is almost impossible to block it 100%, but with the filtering method I got 99% success. It's impossible to block all the proxy tools/apps as there are thousands of them, but with some smart configuration you can minimize the chances of their utilization. Make sure you use OPENDNS, and if you have a static public IP address, then create an account and block the whole proxy / anonymizer category. Make sure to forcefully redirect all DNS traffic to your own DNS server, which should be using OpenDNS or some filtering mechanism to block or POISON the BAD sites.

Also note that I have used some large IP blocks like /8 or /16 (rather than just /24) because Hotspot Shield has thousands of IP addresses/blocks which it uses. So it is quite possible that some valid content which falls in the same subnet also gets DROPPED/BLOCKED. More tests would then be required, using any capturing tool or MikroTik's own tool called TORCH.



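The over-blocking caveat in the post above (wide /8 and /16 entries dropping valid traffic) can be checked before a block list goes live. This is an added example, not code from the posts or the linked article: it merges a block list and reports which known-good destinations, for instance ones noted while watching Torch, would be dropped. All prefixes and addresses are constructed placeholders, not Hotspot Shield ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data (placeholders, not real Hotspot Shield ranges).
BLOCKLIST = ["10.0.0.0/8", "172.16.0.0/16", "192.0.2.0/24", "10.20.0.0/16"]
# Destinations known to be legitimate, e.g. written down from a Torch session.
KNOWN_GOOD = ["10.20.30.40", "10.99.1.1", "172.16.5.9",
              "198.51.100.7", "192.0.2.200"]


def parse_blocklist(entries):
    """Parse CIDR strings and merge overlapping or adjacent prefixes."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def covering_prefix(addr, nets):
    """Return the merged block-list prefix that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def audit(blocklist, known_good):
    """Summarise dropped address space and known-good hosts caught in it."""
    nets = parse_blocklist(blocklist)
    hits = {a: covering_prefix(a, nets) for a in known_good}
    collateral = {a: str(n) for a, n in hits.items() if n is not None}
    per_prefix = Counter(collateral.values())
    return {
        "prefixes": [str(n) for n in nets],
        "addresses_blocked": sum(n.num_addresses for n in nets),
        "collateral": collateral,
        "worst_prefix": per_prefix.most_common(1)[0][0] if per_prefix else None,
    }


if __name__ == "__main__":
    report = audit(BLOCKLIST, KNOWN_GOOD)
    print("merged prefixes:", report["prefixes"])
    print("IPv4 addresses dropped:", report["addresses_blocked"])
    for addr, net in report["collateral"].items():
        print(f"known-good {addr} is dropped by {net}")
    print("prefix with most collateral:", report["worst_prefix"])
```

A prefix that shows up with many known-good hits is a candidate for splitting into narrower entries.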

I just tried this and it is not working.

I’m not sure about Hotspot Shield, but as far as I’m aware of Freegate, this software uses lots of ports, so you’re not able to block it.
For example, in our country people use Freegate so that they can bypass the proxy and open blocked websites :smiley:. If I were able to block this software, then the government could block it too.
And the funny thing is that when you use such software, the web proxy is not able to log the websites being opened :smiley: :smiley: