
GUIDE TO COMPLETELY BLOCK

ULTRASURF IN A MIKROTIK NETWORK

WHAT IS ULTRASURF?
Ultrasurf is a proxy-type program developed by Ultrareach Internet Corporation for browsing the
internet "anonymously": it masks the user's IP address in order to get around almost any access
restriction set up on the local network.
When run, it connects to its servers over encrypted connections and creates a kind of "VPN"
through which it passes all traffic, thereby evading the restrictions imposed on the network. The
firewall only sees connections to a single address, UltraSurf's, and because they are encrypted it
cannot see what kind of traffic is going through them; this allows us to reach pages that are
unauthorized or blocked in our region.
It is a very well-known program in university environments, schools, private companies,
government institutions, call centers and many other places where people want to reach
improper sites that have not been authorized by the administration.

GETTING DEEPER:
Ultrasurf uses many methods to connect to its servers without being detected by security
systems. Almost no firewall intercepts encrypted connections, so that is the first mode it uses.
If it cannot find its primary servers, it tries to locate its secondary servers. Finally, its last
tactic is to go through other servers to reach its destination, servers that are almost never
blocked or denied: those of Google, Amazon, CloudFront, among others.
When connected with UltraSurf, the user enters an "Internet cloud" where other users are online
and, automatically, the user becomes a host that helps other people establish their connection
through ours. This seriously compromises the security of the network, and the user can become
infected with any malware.
As mentioned, connections are initially created on TCP port 443 to communicate with the
primary and secondary servers; then, to find the most commonly used domains, it performs DNS
requests on UDP port 53, and it even tries to obtain addresses by making NBNS requests on
UDP port 137.

Steven Vega Ramírez MTCTCE
stevenvegar@gmail.com
San José, Costa Rica
March 2016

- ULTRASURF SERVERS:
Primaries: They are hosted at CloudFlare, a data center that specializes in providing services
similar to UltraSurf's proxy. The address blocks of these servers are:
104.20.61.0/24
104.20.62.0/24

Secondary: These come from a North American center called CoreSpace, which uses hundreds
and hundreds of IPs; summarized as far as possible, they would be:
63.249.128.0/17
66.34.0.0/16
69.13.0.0/16
216.97.0.0/17
64.182.0.0/16
66.221.0.0/16
209.164.64.0/18
216.221.160.0/19

Tertiary: We have identified several domains that UltraSurf tries to connect to, but we do
not have their IP addresses, so it resolves the following names through DNS:
Google.com
Amazonaws.com
tfn.net.tw
Hinet.net
Mail.google.com
Cloudfront.net
He.net
DigitalUnited.nl

Graphically we can understand a little better how it works:

What actions we will take:


BLOCKING PROCEDURE
There are several ways to prevent a user on the local network from reaching the UltraSurf
servers; I will explain in detail the most effective and reliable one.
We will create a static "address list" called "UltraSurf CloudFlare" holding the addresses of the
primary servers. Then we will create another, dynamic "address list" named "UltraSurf Users
Drop", which collects the source address of anyone trying to connect to the "UltraSurf
CloudFlare" servers and keeps it on the list for 30 seconds. Next, we establish a firewall rule
that discards ("drops") all connections whose source is in "UltraSurf Users Drop" and whose
destination is in "UltraSurf CloudFlare".
Then we will create several rules to mark the packets destined for the secondary servers from
any IP in our LAN, since those ranges carry no significant or relevant service; these packets
will be marked "UltraSurf". After this, we will add a rule to discard all packets carrying the
"UltraSurf" mark.
Finally, we discard all DNS traffic, UDP port 53, in both directions for the "UltraSurf Users
Drop" address list, and thus deny the user's browsing for only 30 seconds.
Additionally, we can set up an "address list" that records all IP addresses that have tried to
connect to "UltraSurf CloudFlare" with no expiry time, so they stay listed and the network
administrator knows which users try to outwit and defeat the network security.
With this configuration, users who try to use UltraSurf lose their browsing for only 30
seconds, because they are denied access to the DNS port and cannot resolve any domain name.
Other services or applications that communicate over other ports are not affected during those
30 seconds, as long as they are not affected by the local proxy that UltraSurf sets up. It has
been tested more than 100 consecutive times with the same result, with several versions of the
program, as of March 2016.
Any additional questions can be sent by email. I hope this guide helps someone who needs to
carry out this procedure on a network, and also shows that MikroTik devices are the best.
Greetings from San José, Costa Rica.
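To check that the rule order produces the behaviour described above before loading it on a router, here is an added offline model of the same logic in Python (example code written for this page, not the author's RouterOS script): the static "UltraSurf CloudFlare" list, the dynamic "UltraSurf Users Drop" list with its 30-second timeout, the permanent "UltraSurf Users" record for the administrator, the packet mark on the CoreSpace ranges, and the DNS drop for listed hosts. The address ranges are the ones listed in this guide; the LAN hosts 192.168.88.10 / 192.168.88.20 and the traffic trace are constructed for the example.

```python
"""Offline model of the guide's MikroTik rule set (constructed example, not the
author's RouterOS script).  It mirrors the filter chain order: add-src-to-address-list
with a 30 s timeout, permanent "UltraSurf Users" record, drop to primaries, drop
packets marked in mangle, drop DNS from listed sources."""
import ipaddress
from dataclasses import dataclass, field

# Address blocks taken from the guide's server lists
CLOUDFLARE_PRIMARY = [ipaddress.ip_network(n) for n in ("104.20.61.0/24", "104.20.62.0/24")]
CORESPACE_SECONDARY = [ipaddress.ip_network(n) for n in (
    "63.249.128.0/17", "64.182.0.0/16", "66.34.0.0/16", "66.221.0.0/16",
    "69.13.0.0/16", "209.164.64.0/18", "216.97.0.0/17", "216.221.160.0/19")]
DROP_LIST_TIMEOUT = 30  # seconds, as in address-list-timeout=30s


@dataclass
class Packet:
    t: int        # seconds since the start of the trace
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass
class Firewall:
    # dynamic list "UltraSurf Users Drop": source address -> expiry time
    users_drop: dict = field(default_factory=dict)
    # static list "UltraSurf Users": everyone who ever landed on the dynamic list
    users_seen: set = field(default_factory=set)

    @staticmethod
    def _in(addr: str, nets) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    def _listed(self, src: str, now: int) -> bool:
        """True while src is on the dynamic list; expired entries are removed
        the way RouterOS drops a timed-out address-list entry."""
        exp = self.users_drop.get(src)
        if exp is None:
            return False
        if now >= exp:
            del self.users_drop[src]
            return False
        return True

    def forward(self, p: Packet) -> str:
        """Verdict for one forwarded packet: 'accept' or 'drop:<reason>'."""
        # mangle prerouting: mark anything headed for the secondary ranges
        marked = self._in(p.dst, CORESPACE_SECONDARY)
        # rule 1: any connection to the primaries puts the source on the 30 s list
        #         (a repeat match refreshes the timeout, as on the router)
        if self._in(p.dst, CLOUDFLARE_PRIMARY):
            self.users_drop[p.src] = p.t + DROP_LIST_TIMEOUT
        # rule 2: permanent record of every source currently on the dynamic list
        if self._listed(p.src, p.t):
            self.users_seen.add(p.src)
        # rule 3: drop traffic to the primary servers
        if self._in(p.dst, CLOUDFLARE_PRIMARY):
            return "drop:cloudflare"
        # rule 4: drop packets carrying the UltraSurf mark
        if marked:
            return "drop:corespace-mark"
        # rule 5: drop DNS from sources on the dynamic list
        if p.proto == "udp" and p.dport == 53 and self._listed(p.src, p.t):
            return "drop:dns-listed"
        return "accept"


def run_sample():
    """Constructed trace: one host probing UltraSurf, one innocent neighbour."""
    fw = Firewall()
    trace = [
        Packet(0, "192.168.88.10", "104.20.61.5", "tcp", 443),     # UltraSurf primary
        Packet(5, "192.168.88.10", "8.8.8.8", "udp", 53),          # DNS inside the 30 s window
        Packet(6, "192.168.88.10", "93.184.216.34", "tcp", 443),   # unrelated HTTPS still works
        Packet(7, "192.168.88.10", "66.34.10.10", "tcp", 443),     # secondary range, always dropped
        Packet(10, "192.168.88.20", "8.8.8.8", "udp", 53),         # neighbour is not affected
        Packet(31, "192.168.88.10", "8.8.8.8", "udp", 53),         # window has expired
    ]
    verdicts = [fw.forward(p) for p in trace]
    return verdicts, sorted(fw.users_seen)


if __name__ == "__main__":
    verdicts, seen = run_sample()
    for v in verdicts:
        print(v)
    print("recorded UltraSurf users:", seen)
```

The trace shows the property the guide relies on: only the host that touched a primary server loses DNS, and only until its dynamic entry expires, while its other HTTPS traffic and the neighbour's DNS pass; the "UltraSurf Users" set keeps the offending address after the 30 seconds are over.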


SCRIPT FOR BLOCKING ULTRASURF

# Static list of the primary (CloudFlare) servers
/ip firewall address-list
add address=104.20.61.0/24 list="UltraSurf CloudFlare"
add address=104.20.62.0/24 list="UltraSurf CloudFlare"
# Filter rules: collect sources that reach the primaries (30 s dynamic entry and a permanent record), then drop
/ip firewall filter
add action=add-src-to-address-list address-list="UltraSurf Users Drop" address-list-timeout=30s chain=forward comment="UltraSurf Users Drop" dst-address-list="UltraSurf CloudFlare"
add action=add-src-to-address-list address-list="UltraSurf Users" chain=forward comment="UltraSurf Users" src-address-list="UltraSurf Users Drop"
add action=drop chain=forward comment="Drop UltraSurf CloudFlare" dst-address-list="UltraSurf CloudFlare"
add action=drop chain=forward comment="Drop UltraSurf CoreSpace" packet-mark=UltraSurf
add action=drop chain=forward comment="Drop UltraSurf Users" port=53 protocol=udp src-address-list="UltraSurf Users Drop"
# Mangle rules: mark packets destined for the secondary (CoreSpace) ranges
/ip firewall mangle
add action=mark-packet chain=prerouting comment="CoreSpace UltraSurf" dst-address=63.249.128.0/17 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=64.182.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=66.34.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=66.221.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=69.13.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=209.164.64.0/18 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=216.97.0.0/17 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=216.221.160.0/19 new-packet-mark=UltraSurf


Address Lists, CloudFlare IPs, UltraSurf Users IPs:

Firewall Filter denying connections to UltraSurf servers:

Firewall Mangle, marking packets to the UltraSurf CoreSpace servers:

Result
