NSimpraga
newbie
Topic Author
Posts: 36
Joined: Fri Sep 27, 2019 2:47 pm

Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:10 pm

Greetings,

I've been reading up on the topic of blocking designated websites through a combination of:
  • Layer7 protocol with regexp capturing the designated URLs
  • Mangle rules which mark connections/packets using the Layer7 protocol
  • Firewall rules which drop the marked packets/connections
Since basically all the traffic between server & client is httpS, which means it's encrypted and unreadable by anyone except the client & site it's connected to (even the router it's passing through), that should mean that it's impossible to use the Layer7 protocol to capture any packets by the URL of the website the client is connecting to? Which would mean that the whole concept of blocking websites on the network layer of things is impossible now, at least only using a router? Not taking solutions like IPS/IDS into account here.

Can anyone tell me if this is correct? Thanks!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:14 pm

Why this provocative question, "really impossible?"
It has already been written dozens of times in dozens of posts.

Facts for HTTP/HTTPS URLs:

Blocking only the domain, without knowing the full URL:
On HTTPS with TLS 1.2 or lower: possible with SNI
On HTTPS with TLS 1.3 or higher: currently possible, like 1.2,
but in the future it may become impossible on the wanted sites because the use of Encrypted SNI (ESNI) is increasing over time.

EDIT 2021/08/07: Does not work, regardless of protocol version, if the TLS handshake frame is fragmented into multiple TCP segments (packets).

Blocking the domain with or without knowing the full URL:
On HTTP it is possible to block the domain, or one single path, or one single page on that domain.

Obviously blocking by IP, rather than by direct use of the domain, is another question.
But a single CDN can serve thousands of domains, including the wanted one...
Last edited by rextended on Sat Aug 07, 2021 11:18 am, edited 4 times in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:22 pm

And about
  • Layer7 ...
  • Mangle ... using the Layer7 protocol inspector
  • Firewall ... drop the marked packets/connections
It is better to put the "drop if layer7 contains" directly in /firewall filter
Last edited by rextended on Wed Jul 28, 2021 6:59 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:23 pm

On HTTPS with TLS 1.3 or higher: impossible because use Encrypted SNI (ESNI)

TLS 1.3 implements ESNI but doesn't enforce it (over SNI), so even if an https connection is using TLS v1.3 (enhanced ciphers, ...) it might still use SNI. ESNI requires some additional setup (on the DNS servers for the web server's domain); not everybody has implemented that part.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:24 pm

Yes, you need to pay $$$ for IDP and other services.........
Maybe IPv6 solves all issues ... like RoS7 LOL......... ??
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:24 pm

not everybody implemented that part.
That is true, but to be short I did not want to write that, because in the future we can't count on it...

@anav IDP for Deep Packet Inspection (DPI)? :?

@NSimpraga IPS / IDS stands for Intrusion Detection System & Intrusion Prevention System ???
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:29 pm

Instead of writing "impossible because use Encrypted SNI (ESNI)" you could have written "will become increasingly hard because of ESNI" and the answer would be correct.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:30 pm

@anav writes IDP because he doesn't like what DPI stands for: Deep Pocket Inspection LOL
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:31 pm

Yes, when I had Zyxel routers one could pay through the nose for multiple types of services to block traffic.
Anti-malware protection with firewall, anti-virus, antispam, content filtering, IDP, next-generation application intelligence and SSL inspection

1- Anti-Virus
Powered by Kaspersky SafeStream II gateway anti-virus, Zyxel USGs provide comprehensive and real-time protection against malware threats before they enter the network. Zyxel USGs can identify and block over 650,000 viruses right at the gate and provide high-speed scanning with stream-based virus scanning technology.

2- Anti-Spam
With a cloud-based IP reputation system, Zyxel anti-spam can deliver accurate, zero-hour spam outbreak protection by analyzing up-to-the-minute sender reputation data from highly diverse traffic sources. It can detect spam outbreaks in the first few minutes of emergence regardless of spam language or format.

3- Application Intelligence
Zyxel’s USG Advanced Series can identify, categorize and control over 3,000 social, gaming, productivity, and other Web applications and behaviors. Users can prioritize productive applications, throttle acceptable ones, and block unproductive applications to boost productivity and prevent bandwidth abuse.

4- SSL Inspection
SSL inspection enables the Zyxel Advanced Series to provide not only comprehensive security, but also deeper policy enforcement. It enables the USG’s application intelligence, IDP, content filtering and anti-virus to inspect traffic in SSL encrypted connections and block threats that usually go unseen.

5- Content Filtering
Zyxel content filtering helps screen access to websites that are not business related or malicious. With a massive, cloud-based database of over 140 billion URLs that are continuously analyzed and tracked, Zyxel provides highly accurate, broad and instant protection against malicious Web content.

Zyxel Intrusion Detection and Prevention (IDP)
Security Service
Guards your business from a wide range of attacks and suspicious activities – such as SQL injection, DoS and malicious backdoor applications.

Threat prevention with SSL inspection
Secure Sockets Layer (SSL) encryption has seen extensive worldwide proliferation, with many popular Web and cloud-based services like Dropbox and Gmail offering users the ability to have their entire sessions encrypted. Unfortunately, attackers are also turning to encryption to evade detection, increasing the prevalence of malicious activity. Enterprises now face the challenge of how to inspect incoming and outgoing traffic for threats under SSL encryption.

SSL inspection is the key to protecting your network from these threats. Zyxel IDP service supports SSL inspection, helping to scan the content at a URL accessed over SSL to apply policies and detect malware and viruses at the URL level. This action blocks threats that are hidden in SSL encrypted connections and facilitates deeper policy enforcement.

Full coverage of network threats
Zyxel Intrusion Detection and Prevention (IDP) supports layer 7 context-aware threat analysis, as well as behavior analysis, for detection of encrypted threats and applications to protect against both client-side and server-side vulnerabilities. The IDP signature can identify a wide variety of malware threats and attacks such as Trojans, backdoor applications, and DoS attacks, as well as other security hazards. We provide full protection, whether facing anomaly-based or vulnerability-based threats.
Last edited by anav on Wed Jul 28, 2021 6:34 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:34 pm

@mkx, please check if the redacted version is better
Instead of writing...

IDP:
ZyWALL Intrusion Detection and Prevention (IDP)
Last edited by rextended on Wed Jul 28, 2021 6:37 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:35 pm

That would take too much work; cutting and pasting is easy for an old fart like me...........
If you buy me the largest iPad, I can do that, but from my iPhone 12 mini, .........................

The fact is, I got tired of selling mumbo jumbo to my customers, and I was not even sure if they worked, and I could never set them up properly anyway.

What I did like was the check box labelled LOOPBACK. Yes, a checkbox for hairpin NAT lol............ I was so lazy then. Now I have to at least pretend I know what I am doing.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:39 pm

Yes, DPG would be more accurate: Deep Pocket Gouging...............
PS. mkx, I haven't finished with the DNS questions... hint!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is blocking websites by URL really impossible?

Wed Jul 28, 2021 6:42 pm

@mkx, please check if the redacted version is better

Much better :-)
 
NSimpraga
newbie
Topic Author
Posts: 36
Joined: Fri Sep 27, 2019 2:47 pm

Re: Is blocking websites by URL really impossible?

Wed Aug 04, 2021 12:44 pm

Thanks for the answers everyone.
Regarding IPS / IDS - yes, I meant Intrusion Detection/Prevention system.

I am still struggling to block any websites using the TLS Host option.
The config for the option: add action=drop chain=forward dst-port=443 in-interface=LAN-bridge protocol=tcp tls-host=*.test.com

All the clients can normally open the https://www.test.com website. Nothing is being blocked. I checked the TLS version for the site; it uses TLS 1.2.
Explanation?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is blocking websites by URL really impossible?

Wed Aug 04, 2021 9:32 pm

Make sure you don't fasttrack packets belonging to https connections above your L7 filter rule. The L7 filter rule can only kick in after the initial 3-way TCP handshake finishes; at that time the connection is already established.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Wed Aug 04, 2021 11:56 pm

@mkx, I also discovered that if the packet is fragmented, tls-host does not work... I do not know why; I was expecting defragmentation before the check, but it does not happen....
 
NSimpraga
newbie
Topic Author
Posts: 36
Joined: Fri Sep 27, 2019 2:47 pm

Re: Is blocking websites by URL really impossible?

Fri Aug 06, 2021 2:30 pm

Make sure you don't fasttrack packets belonging to https connections above your L7 filter rule. The L7 filter rule can only kick in after the initial 3-way TCP handshake finishes; at that time the connection is already established.
Well, for the TLS Host blocking method, L7 is not even needed? L7 only works for non-encrypted connections.
@mkx, I also discovered that if the packet is fragmented, tls-host does not work... I do not know why; I was expecting defragmentation before the check, but it does not happen....
It could be due to this, but I am not sure how I can be sure of the actual reason it's failing.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is blocking websites by URL really impossible?

Fri Aug 06, 2021 10:46 pm

@rextended explained in post #2 that even with TLS it is still possible to block on a host basis if SNI is in use (ESNI breaks this possibility). This is still L7 (because it is inside established client-server communication), although only a fraction of it.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Is blocking websites by URL really impossible?

Fri Aug 06, 2021 11:04 pm

@mkx, I also discovered that if the packet is fragmented, tls-host does not work... I do not know why; I was expecting defragmentation before the check, but it does not happen....
That is referenced already...
Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets).

Source: https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
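
The wiki note quoted above, and rextended's earlier point that a domain can be blocked on the SNI of the ClientHello while the handshake is still cleartext, are easier to reason about with the bytes in front of you. The Python below is an added example, not code from this thread or from MikroTik: it builds a constructed minimal ClientHello (random zeroed, one cipher suite, one server_name extension), extracts the SNI the way a tls-host style matcher would, applies a glob pattern using Python's fnmatch as a stand-in for the router's own pattern syntax, and then shows why a matcher that inspects one TCP segment at a time finds nothing once the ClientHello is split. The host names, the 20-byte segment size and the two matcher functions are assumptions for illustration.

```python
"""Added example (not RouterOS code): SNI extraction from a TLS ClientHello,
glob matching as a tls-host style rule would do it, and the failure mode
when the handshake record is split across TCP segments."""
import fnmatch
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello record carrying a server_name extension.

    Random bytes are zeroed and only one cipher suite is offered. A TLS 1.3
    client also puts 0x0303 in the record and legacy_version fields, so the
    parsing below is the same for 1.2 and 1.3 handshakes (ECH aside).
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # legacy client_version
        + b"\x00" * 32           # random (zeroed in this constructed sample)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host name from one complete ClientHello record, else None.

    Like a stateless per-packet matcher, it gives up when the record is not
    entirely present in the bytes it was handed."""
    try:
        if len(data) < 5 or data[0] != 0x16:                # not a Handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:                         # record cut by segmentation
            return None
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                   # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                        # skip version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return None                                     # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                             # server_name extension
                p = pos + 2                                 # skip ServerNameList length
                while p + 3 <= pos + elen:
                    ntype = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:                          # host_name entry
                        return body[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def matches_tls_host(data: bytes, pattern: str) -> bool:
    """Glob match of the extracted SNI; fnmatch stands in for the firewall's
    pattern syntax (assumption: '*.test.com' matches www.test.com, not test.com)."""
    host = extract_sni(data)
    return host is not None and fnmatch.fnmatchcase(host.lower(), pattern.lower())


def segment(data: bytes, size: int) -> list:
    """Split one record into TCP-segment sized chunks (constructed segmentation)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def match_per_segment(segments, pattern: str) -> bool:
    """What a stateless matcher does: inspect each segment on its own."""
    return any(matches_tls_host(s, pattern) for s in segments)


def match_reassembled(segments, pattern: str) -> bool:
    """What a stream-reassembling inspector does: join first, then inspect."""
    return matches_tls_host(b"".join(segments), pattern)


if __name__ == "__main__":
    hello = build_client_hello("www.test.com")
    print("SNI:", extract_sni(hello))
    print("one segment, per-segment :", match_per_segment([hello], "*.test.com"))
    parts = segment(hello, 20)
    print("split, per-segment       :", match_per_segment(parts, "*.test.com"))
    print("split, reassembled       :", match_reassembled(parts, "*.test.com"))
```

Two things worth noting from running it. First, the whole ClientHello fits in one segment for a short hello, so the per-segment matcher works; split it and the first segment carries a record header whose length exceeds what is present, every later segment starts in the middle of the random or the extensions, and nothing matches, which is exactly the caveat in the wiki note. Second, with glob semantics the pattern `*.test.com` does not match a bare `test.com`, so a rule written that way lets https://test.com through by design; whether the router's own pattern syntax behaves the same is an assumption to check against its documentation. With ESNI or ECH the extension carrying the real name is encrypted and a parser like this only sees whatever cleartext name the client puts in the outer hello.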
 
kiler129
Member
Posts: 352
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Is blocking websites by URL really impossible?

Sat Aug 07, 2021 1:57 am

Chrome, Safari, and FF all now support HTTP/3 out of the box (disabled by default). CloudFlare and other CDNs (which basically drive most of the internet nowadays) started enabling HTTP/3 by default. Soon all browsers will enable HTTP/3 by default; you cannot do anything there.
You can try breaking users' experience by blocking HTTP/3, downgrading them to TLS 1.2, etc., but.... no, it's not a sustainable solution.

So in practice it's not IMPOSSIBLE but highly impractical and bad.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Sat Aug 07, 2021 11:19 am

@mkx, I also discovered that if the packet is fragmented, tls-host does not work... I do not know why; I was expecting defragmentation before the check, but it does not happen....
That is referenced already...
Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets).

Source: https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
That note was not present before? "last edited on 16 February 2021"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is blocking websites by URL really impossible?

Sat Aug 07, 2021 11:21 am

So in practice it's not IMPOSSIBLE but highly impractical and bad.
This is the synthesis...