Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 30 subscribers
  • Views 9259 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Apple iPhone and iPads using ‘Psiphon Proxy’?

shred

I’ve recently started using the Application Filter feature of Sophos XG, mostly to block any high risk apps. I noticed in my application logs that all of my Apple iPhone and iPads are trying to use a “Psiphon Proxy” at random times that is being blocked. I’m curious if anyone else with Application Filters notices similar behavior with Apple products. Is this legitimate or perhaps a misclassification? None of the Apple devices use any apps that utilize a Psiphon Proxy  (that I’m aware of) and it appears to be trying to access when the phones aren’t necessarily in use. Here is the firewall log:

messageid="17051"

log_type="Content Filtering"

log_component="Application"

log_subtype="Denied"

fw_rule_id="5"

user=""

user_group=""

appfilter_policy_id="10"

category="Proxy and Tunnel"

app_name="Psiphon Proxy"

app_risk="5"

app_technology="Client Server"

app_category="Proxy and Tunnel"

src_ip="172.16.16.27"

src_country="R1"

dst_ip="151.101.129.254"

dst_country="USA"

protocol="TCP"

src_port="55822"

dst_port="443"

bytes_sent="0"

bytes_received="0"

status="Deny"

message=""

appresolvedby="Signature"



This thread was automatically locked due to age.
  • 0

    Hi,

    indeed I've test on one of my site with app restriction and there are a few (very few, as 10 packets in several days) psiphon blocked connections. Same, on this site I'm sure noone has installed that on purpose.

  • 0

    I have noticed a lot of false positives with the Psiphon tunnels in my user's networks. I haven't had a chance to track down the source yet, but Apple products creating this could explain some things. 

  • 0 in reply to Joe Plunkett

    I searched the destination IP at VirusTotal.com and the 'Passive DNS Replication' results are returning a bunch of Airbnb addresses, so I suspect it's something to do with Airbnb. I do have the Airbnb app installed on my iOS devices. However, all of these entries in the log occurred when I was not using the Airbnb app and when I am actively using the Airbnb app, it's not showing up in the logs. I've turned off 'Background App Refresh' for the Airbnb app in my iOS devices to see if this "fixes" the issue.

  • 0 in reply to shred

    I've seen this "psiphon proxy" activity from an Android phone of my family.

    There is no Airbnb app on this phone.

    I also see occasionally,  a few other blocked proxy applications,  from both android and ios devices,

    but not my device.

    I suspect some kind of attempted traffic from these freeware applications (games, etc) that I don't use on my phone.

  • 0 in reply to kiriak

    I'm also seeing this coming from my MacBook Air except the source IP is coming from the internet (54.204.10.134) and the destination is my MacBook Air.

    After removing the Airbnb app from my iPhone, I'm no longer seeing this but like you mentioned, it's obviously not just Airbnb that's causing these 'Psiphon Proxy' blocks by the Application Filter. I'm guessing some apps just utilize some sort of connection that Sophos XG classifies as 'Psiphon Proxy' and blocks. Would be nice if we could figure out what exactly is causing these to determine if they're actually being classified properly.

  • 0 in reply to shred

    I also see many Psiphon Proxy being blocked and I can state that many are Apple iPads and as I control the Apps on them can guarantee they have nothing installed.

    I guess the XG just classifies some traffic as dodgy when its not.