Forum Discussion
How to block Ultrasurf?
Hi All,
Is there any iRule or configuration on F5 for blocking Ultrasurf? I tried to use the IP Intelligence iRule on LTM; it did not work because the destination IP address is not registered as a bad-reputation IP address. I have checked the IP using iprep_lookup and on the BrightCloud (Webroot) website.
I have also written an iRule to block the client SSL hello traffic, but I don't know why Ultrasurf still works. Below is the iRule:
when CLIENT_ACCEPTED {
Any ideas?
Thanks and regards
- petruk
20 Replies
- BT_90520
Nimbostratus
Will URL filtering using an iRule help, meaning there is some URL that Ultrasurf will always be going to?
- nitass
Employee
Just curious: if you block the client hello, won't it block all access to HTTPS websites?
- Petruk_Cemeng_7
Nimbostratus
Hi Nitass, the iRule only blocks the client SSL hello that has the signature 804c010300003300000010 (in hex), not all SSL, because in my testing Ultrasurf has that signature in the client SSL hello.
Regards
-Petruk
- Petruk_Cemeng_7
Nimbostratus
Hi BT,
We cannot use URL filtering, because the traffic is encrypted and we cannot do SSL termination, because there is no certificate and private key to decrypt it.
Thanks and regards
-Petruk
- BT_90520
Nimbostratus
Hi Petruk, I was thinking: if LTM is placed as a proxy before the traffic goes out, would the clientssl profile be used? Kind of changing the game into a reverse proxy instead. Nonetheless I heard there is a forward SSL proxy coming up that may be more applicable. As long as we can terminate the SSL, I believe blocking should be trivial.
- nitass
Employee
"The iRule only blocks the client SSL hello that has the signature 804c010300003300000010 (in hex), not all SSL, because in my testing Ultrasurf has that signature in the client SSL hello."
Have you seen the log (in CLIENT_DATA) in the LTM log file?
- nitass
Employee
"The client SSL hello for that pattern is blocked by this iRule; there is no server SSL hello. But I don't know why I still see encrypted traffic."
Have you tried "reset" instead of "drop"?
    if {[binary scan [TCP::payload 11] H22 payload_hex] == 1} {
        # first 11 bytes of the collected payload as 22 hex characters
        if {[class match $payload_hex equals signature_clientsslhello]} {
            log local0. "payload_hex = $payload_hex"
            drop
        }
    }
- hoolio
Cirrostratus
You might try adding some debug logging of [TCP::payload 11], as that should return 11 bytes of the collected payload. I don't see how binary scan wouldn't return a value for payload_hex if [TCP::payload 11] returns 11 bytes.
- hoolio
Cirrostratus
Also, I'm not sure if you want to continuously collect the payloads. Can you collect enough bytes just once in the initial connection to find the bad byte pattern?
    when CLIENT_ACCEPTED {
        # drop connections to destination IPs listed in the data group
        if { [class match [IP::local_addr] equals block_ip_ultrasurf] } {
            log local0. "block ip = [IP::local_addr]"
            drop
        } elseif { [TCP::local_port] == 443 } {
            # collect the first 100 bytes once so CLIENT_DATA can inspect the hello
            TCP::collect 100
        }
    }
    when CLIENT_DATA {
        # hex-encode everything collected and look for the signature anywhere in it
        binary scan [TCP::payload] H* payload_hex
        log local0. "payload_hex ([string length $payload_hex] chars) = $payload_hex"
        if { [class match $payload_hex contains signature_clientsslhello] } {
            drop
        }
        TCP::release
    }
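Added illustration, not part of hoolio's post or any poster's iRule: a small Python decoder for the 11-byte SSLv2-style CLIENT-HELLO header that the signature 804c010300003300000010 matches, showing what each field means, checking that the lengths add up, and showing why an exact 11-byte match is tied to one cipher-spec count. The sample inputs are constructed.

```python
import struct

# Signature quoted in the thread, reconstructed here as sample input.
SIGNATURE_HEX = "804c010300003300000010"


def parse_sslv2_client_hello_header(payload: bytes):
    """Decode the first 11 bytes of an SSLv2-format CLIENT-HELLO record; returns
    None unless the 2-byte record header is followed by message type 0x01."""
    if len(payload) < 11:
        return None
    b0, b1 = payload[0], payload[1]
    if not b0 & 0x80:  # MSB set means a 2-byte header with no padding byte
        return None
    record_len = ((b0 & 0x7F) << 8) | b1
    msg_type, major, minor, cipher_len, sid_len, chal_len = struct.unpack(
        "!BBBHHH", payload[2:11])
    if msg_type != 0x01:
        return None
    return {
        "record_len": record_len,
        "version": (major, minor),          # (3, 0) = SSL 3.0 offered via an SSLv2 hello
        "cipher_spec_len": cipher_len,      # 3 bytes per cipher spec
        "session_id_len": sid_len,
        "challenge_len": chal_len,
    }


def header_is_consistent(fields) -> bool:
    """The record body is 9 header bytes + cipher specs + session id + challenge."""
    body = 9 + fields["cipher_spec_len"] + fields["session_id_len"] + fields["challenge_len"]
    return body == fields["record_len"] and fields["cipher_spec_len"] % 3 == 0


def classify(payload: bytes) -> str:
    """Structural check instead of an exact 11-byte match: the record length
    byte (0x4c in the signature) changes with the number of cipher specs offered."""
    fields = parse_sslv2_client_hello_header(payload)
    if fields is None:
        return "not-sslv2-hello"
    return "sslv2-hello" if header_is_consistent(fields) else "malformed-sslv2-hello"


# Constructed samples: the thread's signature, the same hello with one cipher
# spec fewer (exact match fails, structure still matches), and a TLS record.
SAMPLES = {
    "signature": bytes.fromhex(SIGNATURE_HEX),
    "fewer_ciphers": bytes.fromhex("8049010300003000000010"),
    "tls_record": bytes.fromhex("16030100a5010000a10303"),
}
```

For the signature the fields decode to a 76-byte record offering 17 cipher specs, an empty session id and a 16-byte challenge, which is exactly what 0x4c accounts for.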
- Petruk_Cemeng_7
Nimbostratus
Thanks Nitass and Hoolio, the error log no longer appears. But we still cannot block Ultrasurf, even though the client SSL hello is dropped or rejected.
Ultrasurf is still able to send the SSL-encrypted traffic. I tested this with Ultrasurf version 10.0.1.
We checked the pcap file: there is no SSL server hello sent from the Ultrasurf server to the client. Is it possible to create SSL-encrypted traffic without a client SSL hello or server SSL hello?