09-24-2009 10:10 AM - edited 03-11-2019 09:19 AM
Hi,
How can I block the Ultrasurf application in a PIX?
Regards.
09-24-2009 10:22 AM
There are a few ways.
1) Install the product, fire up a sniffer, launch the product, identify the subnets it talks to for their proxy servers. Block those by IP.
2) Block these IP Ranges (allocated to them by ARIN)
Ultrareach Internet Corp EVRY-229 (NET-67-15-183-0-1) 67.15.183.0 - 67.15.183.127
UltraReach Internet Corp. EVRY-231 (NET-67-15-151-64-1) 67.15.151.64 - 67.15.151.127
3) Put a null route to those networks in at your edge or inside network so the traffic goes nowhere.
You can get more ideas, but that is a good start. Basically, Ultrasurf uses an encrypted connection to a set of proxy servers in their IP space. If you cut off access to their IP space, you are effectively neutering their product and making it useless.
Cheers,
Tim
09-24-2009 10:46 AM
That does not work because the IP range keeps changing. Here Ultrasurf is using 65.49.2.121 now.
Regards.
09-24-2009 11:02 AM
Watch the packet capture... it must be doing a DNS query to resolve those IP addresses. Look into the DNS packet and block all IPs associated to that A-record, or put in an A-record for that DNS name on your DNS servers and send it to 127.0.0.1. This will blackhole the client.
The Pix, without deep packet inspection for URLs, won't be much help here.
You could enable the URL filtering with Websense and see if they block it, but that would be about as much as you could do.
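Added example, not part of any post above: a short Python helper that turns the first-last ranges quoted in the thread (the two ARIN allocations and the single address reported in the follow-up) into PIX `access-list` deny lines and IOS null routes. The ACL name `BLOCK_PROXY` and interface name `inside` are assumptions.

```python
import ipaddress

# Ranges quoted in the thread (ARIN allocations) plus the single address a
# poster observed; each entry is (first_ip, last_ip), inclusive.
THREAD_RANGES = [
    ("67.15.183.0", "67.15.183.127"),
    ("67.15.151.64", "67.15.151.127"),
    ("65.49.2.121", "65.49.2.121"),
]

def to_networks(ranges):
    """Collapse inclusive first-last ranges into the minimal set of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return list(ipaddress.collapse_addresses(nets))  # sorted, de-duplicated

def pix_acl(ranges, acl="BLOCK_PROXY", iface="inside"):
    """Return PIX access-list lines denying outbound traffic to each block.

    acl and iface are assumed names. The trailing permit keeps other traffic
    flowing, because an applied ACL ends in an implicit deny.
    """
    lines = []
    for net in to_networks(ranges):
        if net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            dst = f"{net.network_address} {net.netmask}"
        lines.append(f"access-list {acl} deny ip any {dst}")
    lines.append(f"access-list {acl} permit ip any any")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines

def ios_null_routes(ranges):
    """Return IOS static routes to Null0 for an edge or inside router."""
    return [f"ip route {n.network_address} {n.netmask} Null0"
            for n in to_networks(ranges)]

if __name__ == "__main__":
    print("\n".join(pix_acl(THREAD_RANGES) + ios_null_routes(THREAD_RANGES)))
```

If an ACL is already bound inbound on that interface, add the deny lines to it rather than applying a new `access-group`, since only one ACL per interface and direction is in effect.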