GUIDE TO COMPLETELY BLOCK ULTRASURF IN A MIKROTIK NETWORK
WHAT IS ULTRASURF?
Ultrasurf is a proxy-type program developed by Ultrareach Internet Corporation to surf the internet "anonymously": it masks the user's IP address in order to bypass almost any access restriction set in the local network. When run, it connects to its servers over secure connections and creates a kind of "VPN" through which it passes all traffic, evading the restrictions imposed on the network. The firewall only sees connections to a single address, UltraSurf's, and because they are encrypted it cannot see what kind of traffic is going on inside them; this allows users to reach pages that are unauthorized or blocked in their region. It is a very well-known program in university environments, schools, private companies, government institutions, call centers and many other places where people want to reach inappropriate sites or sites that have not been authorized by the administration.
GETTING DEEPER:
Ultrasurf uses several methods to connect to its servers without being detected by security systems. Almost no firewall intercepts secure connections, so that is the first mode it uses. If it cannot find its primary servers, it tries to locate its secondary servers. Its last tactic is to go through other servers to reach its destination, servers that are almost never blocked or denied: those of Google, Amazon, CloudFront, among others. Once connected with Ultrasurf, the user enters an "Internet cloud" where other users are online; automatically the user becomes a host and helps other people achieve their connection through ours. This seriously compromises the security of the network, and the user can become infected with any malware. As previously mentioned, connections are created initially on TCP port 443 to communicate with the primary and secondary servers; then, to find the most commonly used domains, it performs DNS requests on UDP port 53, and it even tries to obtain addresses by making NBNS requests on UDP port 137.
Steven Vega Ramírez – MTCTCE
San José, Costa Rica
- ULTRASURF SERVERS:
Primary: They are hosted at the company CloudFlare, a data center that specializes in providing services similar to the UltraSurf proxy. The blocks of these servers are:
104.20.61.0/24
104.20.62.0/24
Secondary: These come from a North American data center called CoreSpace, which uses hundreds and hundreds of IPs; summarized as far as possible, the blocks are:
63.249.128.0/17
64.182.0.0/16
66.34.0.0/16
66.221.0.0/16
69.13.0.0/16
209.164.64.0/18
216.97.0.0/17
216.221.160.0/19
Tertiary: We have identified several domains that UltraSurf tries to connect to, but we do not have their IP addresses, so it queries DNS for the following names:
Google.com
Amazonaws.com
tfn.net.tw
Hinet.net
Mail.google.com
Cloudfront.net
He.net
DigitalUnited.nl
Graphically we can understand a little better how it works:
What actions we will take:
BLOCKING PROCEDURE
There are several ways to prevent a user on the local network from reaching the UltraSurf servers; I will explain in detail the most effective and reliable one.

We will create a static "address list", called "UltraSurf CloudFlare", holding the addresses of the primary servers. Then we will create another, dynamic "address list", named "UltraSurf Users Drop", which collects the source address whenever someone tries to connect to the "UltraSurf CloudFlare" servers; the address remains on that list for 30 seconds. Next, we establish a firewall rule to discard or "drop" all connections whose source is in "UltraSurf Users Drop" and whose destination is in "UltraSurf CloudFlare".

Then we will add several rules that mark the packets destined for the secondary servers from any IP in our LAN, since those blocks carry no significant or relevant service; these packets are marked "UltraSurf". After this, we add a rule that discards all packets carrying the mark "UltraSurf". Finally, we discard all DNS traffic, UDP port 53, in both directions, for the "address list" "UltraSurf Users Drop", and thus deny that user's browsing for only 30 seconds.

Additionally, we can set up an "address list" that records all IP addresses that have tried to connect to "UltraSurf CloudFlare" without any timeout, so they stay marked and the network administrator knows which users are trying to outwit and overcome the network security.

With this configuration, users who try to use UltraSurf lose their browsing for only 30 seconds, because they are denied access to the DNS port and cannot resolve any domain name. Other services or applications that communicate on other ports are not affected during those 30 seconds, as long as the local proxy change that UltraSurf makes does not affect them. It has been tested more than 100 consecutive times with the same result, with several versions of the program, as of March 2016.
I can be reached via email for any additional questions. I hope this guide helps someone who needs to do this procedure on a network, and also shows that Mikrotik devices are the best. Greetings from San José, Costa Rica.
SCRIPT FOR BLOCKING ULTRASURF
# Static list of the primary (CloudFlare) servers
/ip firewall address-list
add address=104.20.61.0/24 list="UltraSurf CloudFlare"
add address=104.20.62.0/24 list="UltraSurf CloudFlare"
# Filter: collect offending sources (30 s dynamic list plus a permanent record), then drop
/ip firewall filter
add action=add-src-to-address-list address-list="UltraSurf Users Drop" address-list-timeout=30s chain=forward comment="UltraSurf Users Drop" dst-address-list="UltraSurf CloudFlare"
add action=add-src-to-address-list address-list="UltraSurf Users" chain=forward comment="UltraSurf Users" src-address-list="UltraSurf Users Drop"
add action=drop chain=forward comment="Drop UltraSurf CloudFlare" dst-address-list="UltraSurf CloudFlare"
add action=drop chain=forward comment="Drop UltraSurf CoreSpace" packet-mark=UltraSurf
add action=drop chain=forward comment="Drop UltraSurf Users" port=53 protocol=udp src-address-list="UltraSurf Users Drop"
# Mangle: mark packets destined for the secondary (CoreSpace) blocks
/ip firewall mangle
add action=mark-packet chain=prerouting comment="CoreSpace UltraSurf" dst-address=63.249.128.0/17 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=64.182.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=66.34.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=66.221.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=69.13.0.0/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=209.164.64.0/18 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=216.97.0.0/17 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=216.221.160.0/19 new-packet-mark=UltraSurf
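To see how the dynamic list, the 30 s timeout and the drop rules interact over time, here is an added Python model of the ruleset above; it is not part of the original guide, and the packet trace, host addresses and resolver/web addresses in it are constructed.

```python
import ipaddress

# Prefixes copied from the page's lists: primary (CloudFlare) and secondary (CoreSpace).
CLOUDFLARE = [ipaddress.ip_network(n) for n in ("104.20.61.0/24", "104.20.62.0/24")]
CORESPACE = [ipaddress.ip_network(n) for n in (
    "63.249.128.0/17", "64.182.0.0/16", "66.34.0.0/16", "66.221.0.0/16",
    "69.13.0.0/16", "209.164.64.0/18", "216.97.0.0/17", "216.221.160.0/19")]
DROP_TIMEOUT = 30  # seconds, mirrors address-list-timeout=30s in the script
def in_blocks(ip, blocks):
    return any(ipaddress.ip_address(ip) in b for b in blocks)
class Firewall:
    """The script's forward chain, evaluated top to bottom for each packet."""
    def __init__(self):
        self.users_drop = {}  # "UltraSurf Users Drop": src -> expiry time (dynamic)
        self.users = set()    # "UltraSurf Users": permanent record for the admin

    def forward(self, t, src, dst, proto, port):
        """Return 'drop' or 'accept' for one packet seen at time t (seconds)."""
        # Dynamic entries whose 30 s timeout has elapsed are gone.
        self.users_drop = {s: e for s, e in self.users_drop.items() if e > t}
        # Rule 1: add-src-to-address-list (non-terminating); assumption: a repeat refreshes the timer.
        if in_blocks(dst, CLOUDFLARE):
            self.users_drop[src] = t + DROP_TIMEOUT
        # Rule 2: every source currently in the dynamic list is recorded permanently.
        if src in self.users_drop:
            self.users.add(src)
        # Rule 3: drop connections to the primary servers.
        if in_blocks(dst, CLOUDFLARE):
            return "drop"
        # Rule 4: drop packets the mangle chain marked "UltraSurf" (CoreSpace dst).
        if in_blocks(dst, CORESPACE):
            return "drop"
        # Rule 5: drop UDP/53 (port= matches src or dst port) for listed sources.
        if proto == "udp" and port == 53 and src in self.users_drop:
            return "drop"
        return "accept"

def run_scenario():
    """Constructed trace: host .10 tries UltraSurf, host .20 does not (all IPs made up)."""
    fw = Firewall()
    trace = [
        (0, "192.168.1.10", "104.20.61.7", "tcp", 443),     # primary server: dropped, listed
        (5, "192.168.1.10", "198.51.100.53", "udp", 53),    # DNS while listed: dropped
        (5, "192.168.1.10", "198.51.100.80", "tcp", 443),   # other HTTPS: still accepted
        (6, "192.168.1.20", "198.51.100.53", "udp", 53),    # neighbour's DNS: accepted
        (10, "192.168.1.10", "66.34.5.5", "tcp", 443),      # secondary server: dropped
        (31, "192.168.1.10", "198.51.100.53", "udp", 53),   # timeout elapsed: DNS works again
    ]
    return [fw.forward(*pkt) for pkt in trace], sorted(fw.users)
```

Running `run_scenario()` shows the behaviour the procedure describes: only the offending host loses DNS, only for 30 seconds, while its other traffic and the neighbour's traffic pass.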
Address lists, CloudFlare IPs, UltraSurf Users IPs:
Firewall Filter denying connections to UltraSurf servers:
Firewall Mangle, marking packets to the UltraSurf CoreSpace servers:
Result: