
Ultra Surf 8.8 How to block?

We have had several students find this new filter workaround. It's called Ultra Surf from www.wujie.net

It comes from Ultrareach and has been very hard to stop. Has anyone run into this Anonymous proxy?
We have found the program runs on port 9666.
We blocked all outbound traffic on 9666. Still will not stop it.
Found a forum that says to block server 67.15.183.30. Still will not stop it.
It has to be some sort of bot that has servers all over the place that it changes ports and server IP's.

Anyone, Anyone?


  • We have had several students find this new filter workaround. It's called Ultra Surf from www.wujie.net

    It comes from Ultrareach and has been very hard to stop. Has anyone run into this Anonymous proxy?
    We have found the program runs on port 9666.
    We blocked all outbound traffic on 9666. Still will not stop it.
    Found a forum that says to block server 67.15.183.30. Still will not stop it.
    It has to be some sort of bot that has servers all over the place that it changes ports and server IP's.

    Anyone, Anyone?

    Just about every proxy software and P2P client will now do an internal portscan against your firewall if it finds itself blocked. I bet it is falling back to port 80 and/or 443. Other than routing them through a standard proxy (instead of transparent) and locking it down that way, there's no easy way to block traffic like this. Make a strong policy that includes removal of network access and strictly and rapidly enforce it.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Even better would be an IPS rule (one that we could either add manually, or be able to select as a "Policy" rule, like in Version 6) that could detect a pattern of traffic that indicates that particular app is being used.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • After a little more investigation:

    It has no install, and users can rename the file to anything and it still works.
    All traffic is through Https, and it will search the internet for several sites of proxies for the fastest ones.
    We tried to lock down the desktops in the district to not allow running of exe's on removable storage with the Group policy. Administration screamed that kids that purchased thumb drives with an exe program that will re-letter the thumb drive to an open letter could not use them. 
    We have to keep Https open for all the sites that teachers have found with "Educational Material on them". Yeah right! [8-)] Another way for them to check their checkbook balance online, at school.
  • A custom IPS rule may be the only way to block this effectively... unfortunately, I haven't been able to find one prebuilt (some time with TCPDUMP and an example system would give one the info needed to build it, though)... the real problem is that current Version 7 does not allow the addition of custom IPS rules... although I hear that will be changing soon.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

  • I have the same problem here.
    I'm having difficulty blocking this program...
    So how do I block Ultra Surf?
    Need advice, please.
  • UltraSurf 8.9 doesn't have a proxy authentication module.
    I configured the box using basic user authentication.
    And it works... UltraSurf can't do anything [:D]
  • It would be nice if it was possible to block all public web proxies. Extending the HTTP filter with anonymous web proxies would be really great.
  • It would be nice if it was possible to block all public web proxies. Extending the HTTP filter with anonymous web proxies would be really great.


    Can't filter what you can't read. UltraSurf encrypts the traffic going out. This means the proxy can't see what the traffic is, so it's effectively blinded.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

  • Ultra Surf uses HTTPS port 443 to connect to its parent proxy. Find the IPs of the proxies that it is connecting to and create a packet filter rule to deny the connection.
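
    Added example, not part of any post in this thread: one way to find which workstations are running such a client and which IPs it contacts, using the behaviour described above (HTTPS connections to several proxies in quick succession). The log layout, the sample lines, and the 60-second / 5-destination thresholds are assumptions made for illustration, not Astaro's log format or a vendor recommendation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up key=value layout; adapt LINE_RE to your firewall's log.
SAMPLE_LOG = """\
2009-03-02T10:15:01 SRC=10.1.4.23 DST=203.0.113.10 DPT=443 ACTION=accept
2009-03-02T10:15:02 SRC=10.1.4.50 DST=192.0.2.80 DPT=443 ACTION=accept
2009-03-02T10:15:03 SRC=10.1.4.23 DST=203.0.113.44 DPT=443 ACTION=accept
2009-03-02T10:15:04 SRC=10.1.4.23 DST=198.51.100.7 DPT=443 ACTION=accept
2009-03-02T10:15:05 SRC=10.1.4.50 DST=192.0.2.80 DPT=80 ACTION=accept
2009-03-02T10:15:06 SRC=10.1.4.23 DST=198.51.100.90 DPT=443 ACTION=accept
2009-03-02T10:15:09 SRC=10.1.4.23 DST=203.0.113.201 DPT=443 ACTION=accept
2009-03-02T10:15:12 SRC=10.1.4.23 DST=192.0.2.33 DPT=443 ACTION=accept
2009-03-02T10:19:30 SRC=10.1.4.50 DST=192.0.2.81 DPT=443 ACTION=accept
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) ACTION=(\w+)$")

def parse(lines):
    """Yield (timestamp, client, destination, port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dpt, _action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dpt)

def fanout_hosts(lines, port=443, window=timedelta(seconds=60), min_dsts=5):
    """Map clients that hit >= min_dsts distinct servers on `port` in one window to those servers."""
    by_src = defaultdict(list)
    for ts, src, dst, dpt in parse(lines):
        if dpt == port:
            by_src[src].append((ts, dst))
    flagged = defaultdict(set)
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the sliding window
            dsts = {d for _, d in events[start:end + 1]}
            if len(dsts) >= min_dsts:
                flagged[src] |= dsts
    return {src: sorted(dsts) for src, dsts in flagged.items()}

if __name__ == "__main__":
    for client, servers in fanout_hosts(SAMPLE_LOG.splitlines()).items():
        print(client, "->", ", ".join(servers))
```

    Ordinary browsing of sites served from many hosts can also fan out on 443, so treat the output as a list of workstations to inspect and candidate IPs to review before adding packet filter rules.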
  • There is another possibility now with the advent of the new AFC engine in 7.200 ... perhaps Astaro may use it in the future to analyze and block programs like these as well...

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com
