I have found out about this application called ULTRASURF, which bypasses all possible firewalls.
The native firewall on Vista is able to block this application, and some software firewalls such as ZoneAlarm are able to detect it.
It works on TCP port 9666, but just blocking this port doesn't help as it works on both port 80 and 443.
It also uses a lot of open proxies, which are:-
Any updates as to how we block this? It's giving me sleepless nights as I keep thinking of ways to block it at all possible times.
I have been looking into this for similar reasons. Option 1, from what I have found, is to have your DNS servers referencing one of the RBLs that keep track of the open proxy sites. That seems to help. Option 2 involves adding a 3rd-party product called WebSense that appears to have the ability to block proxy traffic like this.
This is what I have found so far.
Organizations under pressure to keep students and employees from bypassing internet filters using client technologies like UltraSurf are in a perpetual game of cat and mouse.
A network admin I know used these steps to block it on his Sonicwall:
Ultrasurf uses "140300000101" for SSL ehlo messages. If you can block this signature with your firewall you can block Ultrasurf. To do this follow these steps:
Create a custom object in the Firewall/Application Object section. Let's say the name of the object is "Ultra"
Application object type must be "Custom object"
Match Type must be "Exact Match"
Input Representation must be "Hexadecimal"
Then add Content "140300000101"
Then go to Object Policy/Application Firewall Policy Settings:
Policy name: write whatever you want
Policy type "Custom Policy"
Address Source "Any", Destination "Any"
Service Source "Any", Destination "Any"
Exclusion Address "None"
Application Object "Ultra Object" **Select the object which you wrote in the first section
Users/Group Included "All", Excluded "None"
Schedule "Always On"
Enable logging "Check"
Redundancy Filters "Use Global settings checked"
Connection Side "Client Side"
Direction "Basic" Both
Don't forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box; you just have to block it in one of your threat profile policies.
Source of above info :
I also just found that NetSpective Web Filter is also capable of blocking the Ultra Surf application.
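An added detection sketch for the signature in the steps above (not part of the original posts or any vendor's code). The six bytes 14 03 00 00 01 01 decode as a record header with content type 0x14 (ChangeCipherSpec), version 3.0 (SSL 3.0) and length 1, followed by the one-byte body 0x01, so a raw "Exact Match" fires on any SSL 3.0 ChangeCipherSpec and on any payload that happens to contain those bytes. The function names and sample payloads below are hypothetical and constructed for illustration.

```python
import struct

SIGNATURE = bytes.fromhex("140300000101")  # hex string quoted in the post
RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def iter_records(payload: bytes):
    """Yield (offset, raw_record) for each complete SSL/TLS record in a TCP payload."""
    pos = 0
    while pos + 5 <= len(payload):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", payload, pos)
        if ctype not in RECORD_TYPES or major != 3:
            return  # not record-aligned SSL/TLS: stop instead of guessing
        end = pos + 5 + length
        if end > len(payload):
            return  # record continues in a later segment
        yield pos, payload[pos:end]
        pos = end


def naive_match(payload: bytes) -> bool:
    """Substring search anywhere in the payload, like an exact match on raw content."""
    return SIGNATURE in payload


def aligned_match(payload: bytes) -> list:
    """Offsets of records that are exactly the signature (type 20, version 3.0, body 01)."""
    return [off for off, rec in iter_records(payload) if rec == SIGNATURE]


def record(ctype: int, minor: int, body: bytes) -> bytes:
    """Build one record with major version 3 (helper for the constructed samples)."""
    return struct.pack("!BBBH", ctype, 3, minor, len(body)) + body


# Constructed sample payloads, not captured traffic.
SSL30_FLOW = record(22, 0, b"\x10" + b"\x00" * 8) + record(20, 0, b"\x01") + record(22, 0, b"\xaa" * 16)
# TLS 1.2 flow whose encrypted application data happens to contain the six bytes.
TLS12_FLOW = (record(22, 3, b"\x10" + b"\x00" * 8) + record(20, 3, b"\x01")
              + record(23, 3, b"\x5c" + SIGNATURE + b"\x91"))

if __name__ == "__main__":
    for name, flow in (("SSL30_FLOW", SSL30_FLOW), ("TLS12_FLOW", TLS12_FLOW)):
        print(name, "naive:", naive_match(flow), "aligned offsets:", aligned_match(flow))
```

With logging enabled on the policy, comparing hits against record-aligned matches like this helps separate genuine SSL 3.0 ChangeCipherSpec records from coincidental byte matches inside other traffic.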
Thanks for all your help and support. Actually, I have a SonicWall in my office and I had already come across the solution that you specified; I somehow have to manage to do this on a WatchGuard or an ASA.
Now that would be kinda tricky, let's see how that goes.
Please update me as to how that goes.
Thanks & Regards,
There is a command "ip audit signature" in ASA to attach a policy to a signature.
Check if the following link provides some help.
Here is a sample ASA config file :
I think that signature based blocking can be done using WATCHGUARD also.
I am searching for the solution.. I'll update as soon as I get something useful..
I have a WatchGuard X1250e. Your document looks good, but we are not sure that this will do the needful on the WatchGuard. I am in touch with the WatchGuard guys and it seems even they are stumped by this application; maybe we may have to work with the signature that we have.
Please let me know if you have any inputs.
Chetan, I really appreciate your genuine helping nature.
Thanks a ton,