How to block Ultrasurf

isaqellari
Level 1

Hello,

Does anybody know how to block Ultrasurf? For the moment I have not been able to block it.

Best regards,
Ilir

1 Reply

edadios
Cisco Employee

Hello Ilir,

I have the below information for you. This is based on previously done packet captures and access log checks.

You may have to do further packet captures, or access log checking, in case you have connectivity after configuring as such. The program may have changed behaviour, and the access logs and captures will help you determine if that is the case.

I hope this information helps you.

Regards,

Eric

We had success with blocking Ultrasurf with the following procedures, using WSA.

Prerequisite for it to work:

--------
You need to lock down the internet access - only WSA is allowed to go out to the Internet, the rest of the connections from the clients have to be blocked at the firewall.
You will need the Firewall to block out those random ports at the gateway as most proxy anonymizer software uses its own native ports to connect on top of HTTP and HTTPS.
--------

How we are approaching this is to use HTTPS Proxy and SSL Decryption policies, with two options.

1) Turn on HTTPS proxy and set up a new Decryption policy for the category "Filter Avoidance" to "Decrypt"

Under the URL Policies, set up one to block "Filter avoidance" as well.

It has also been observed that the reputation (WBRS score) for those Ultrasurf proxy servers tends to be around the range of -5.4. You could adjust this accordingly under the decryption policies as well.

2) Set to decrypt all for all HTTPS connections even with a good or no WBRS score. Block Filter avoidance category, and also any score below -5.4.
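
The access log check mentioned in the reply above can be scripted; the following is an added example, not part of the original post and not Cisco code. It assumes the default Squid-style WSA access log layout, the `IW_filt` abbreviation for Filter Avoidance, `ns`/`nc` for "no score"/"no category", and ACL decision tags prefixed `BLOCK_`, `DROP_`, `DECRYPT_` and `PASSTHRU_`; the log lines are constructed samples with the tail of the angle-bracket block trimmed.

```python
import re

WBRS_LIMIT = -5.4              # threshold quoted in the reply above
FILTER_AVOIDANCE = "IW_filt"   # assumed log abbreviation for "Filter Avoidance"
HANDLED = ("BLOCK_", "DROP_", "DECRYPT_")  # decisions that match the intended policy

# Assumed layout: ts elapsed client result/status bytes method url user
# hierarchy mime acl_tag <category,wbrs,...>
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<acl>\S+)\s+<(?P<cat>[^,>]*),(?P<wbrs>[^,>]*)"
)

# Constructed sample lines (documentation addresses, hypothetical policy names).
SAMPLE = [
    '1700000000.101 212 10.1.1.20 TCP_DENIED/403 0 CONNECT tunnel://203.0.113.10:443/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-Id-NONE-NONE-NONE-NONE <IW_filt,-6.1,-> -',
    '1700000001.300 95 10.1.1.20 TCP_MISS/200 5120 CONNECT tunnel://198.51.100.7:443/ - DIRECT/198.51.100.7 - PASSTHRU_WBRS_7-DefaultGroup-Id-NONE-NONE-NONE-NONE <nc,ns,-> -',
    '1700000002.450 130 10.1.1.31 TCP_MISS/200 2048 GET https://proxy.example.net/ - DIRECT/proxy.example.net text/html DEFAULT_CASE_12-DefaultGroup-Id-NONE-NONE-NONE-NONE <IW_filt,-5.8,-> -',
    '1700000003.010 40 10.1.1.31 TCP_MISS/200 900 GET http://www.example.com/ - DIRECT/www.example.com text/html DEFAULT_CASE_12-DefaultGroup-Id-NONE-NONE-NONE-NONE <IW_comp,6.9,-> -',
    '1700000004.720 60 10.1.1.20 TCP_MISS/200 300 CONNECT tunnel://203.0.113.44:443/ - DIRECT/203.0.113.44 - DECRYPT_WEBCAT_7-DefaultGroup-Id-NONE-NONE-NONE-NONE <IW_filt,-5.9,-> -',
]

def review(lines):
    """Return (client, url, reasons) for transactions that got past the policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["acl"].startswith(HANDLED):
            continue  # unparsable, or already blocked/decrypted as intended
        reasons = []
        if m["acl"].startswith("PASSTHRU_"):
            reasons.append("HTTPS passed through without decryption")
        if m["cat"] == FILTER_AVOIDANCE:
            reasons.append("Filter Avoidance category not blocked")
        try:
            if float(m["wbrs"]) < WBRS_LIMIT:
                reasons.append("WBRS %s below %s not blocked" % (m["wbrs"], WBRS_LIMIT))
        except ValueError:
            pass  # "ns" (no score) or "-" carries no numeric reputation
        if reasons:
            findings.append((m["client"], m["url"], reasons))
    return findings

if __name__ == "__main__":
    for client, url, reasons in review(SAMPLE):
        print(client, url, "; ".join(reasons))
```

Clients that show up repeatedly in the findings are the ones to follow up with a packet capture, as the reply suggests.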