Ultrasurf how to block

Hello someone can tell me how to block Ultrasurf… any solution.

Not a direct solution but here are some related old answers:

1 Like

When I look on the web, most of paid solution (sophos, fortinet, paloalto, mcafee, …) are using DPI (Deep Packer Inspection) to decrypt the data (which are encrypted with SSL) to be able to identify the payload (it’s like the DNA but for data). Than these solution offer a plugin to add into the browser (chrome, firefox, …) to prevent the download of well-known threat. Example: https://cookbook.fortinet.com/blocking-ultrasurf/index.html

Suricata or DPI

By using Nethserver as gateway with these plugin, you might be able to block the EXE, but these plugins are also resource consuming.

  • Suricata = Intrusion Prevention System (nethserver-evebox, nethserver-suricata)
  • DPI = Deep packet inspection (nethserver-ndpi)

If we analyze what Ultrasurf it create a tunnel over the protocol HTTPS

So Mikrotik propose to block any traffic from you LAN on the port 443 which should be allowed only for a webserver anyway. ref: https://wiki.mikrotik.com/wiki/How_to_Detect_and_Block_UltraSurf_program_traffic

By logging this rules you will know which machine is infected and they will not being able to communicate with the Internet.

Egress filtering

Filtering the outside traffic is a common practice for big organization.

1 Like