topic Re: Ultrasurf Blocking Fail in General Topics

Ultrasurf Blocking Fail

Mohammad — Sun, 23 Feb 2014 16:38:10 GMT

Hi,

I am suferring from many failed attempts trying to block ultrasurf. i added the application to a deny policy on the top of my policies, but users keeps jumping to the allow policy. i tried to block unkown UDP/TCP apps, but it failed too. the applcation itself can't be blocked even though i blocked all the dependecies. i tried to do it on 5050 and 5060 on both PAN 5.0.11 and PAN-OS 6.0 with the most updated licenses.can some one help. i guess it's considered a huge problem

Re: Ultrasurf Blocking Fail

HULK — Sun, 23 Feb 2014 18:27:08 GMT

Few related discussions, it might help you:

Re: How to block Ultrasurf?

Re: Ultrasurf 13.03 appearing as unknown-tcp

Re: unknown-tcp / udp - please explain

Thanks

Re: Ultrasurf Blocking Fail

Retired Member — Mon, 24 Feb 2014 09:01:02 GMT

There is an open case for that.It is not fixed yet.

Re: Ultrasurf Blocking Fail

HULK — Mon, 24 Feb 2014 09:34:52 GMT

Could you please update the case ID here.

Thanks

Re: Ultrasurf Blocking Fail

Retired Member — Mon, 24 Feb 2014 09:37:11 GMT

00171473

Thanks for help

Re: Ultrasurf Blocking Fail

HULK — Mon, 24 Feb 2014 10:25:40 GMT

Engineering is still working on this BUG. Fix is not available yet.

Thanks

Re: Ultrasurf Blocking Fail

malswealmeen — Mon, 24 Feb 2014 11:26:40 GMT

the same story with kproxy and freegate !!!:smileyshocked:

Re: Ultrasurf Blocking Fail

cpainchaud — Mon, 24 Feb 2014 16:53:42 GMT

Hi,

Does it still happen with Decryption enabled and Block sessions that cannot decrypted ? With that my own tests show it cannot get through .... Also it's useless to say unknown-tcp and unknown-udp should be blocked ...

Re: Ultrasurf Blocking Fail

malswealmeen — Wed, 26 Feb 2014 20:23:39 GMT

Hi ,

the unknown-tcp and unknown-udp are blocked but should the PA block them without the need of ssl decryption policy ( i mean if we have the right signature of the application) ?!

Re: Ultrasurf Blocking Fail

Retired Member — Wed, 26 Feb 2014 20:56:13 GMT

with ssl decryption you will identify the real app. inside the ssl, so if you see only unknown tcp/udp , after decryption it will not change.

But if you see ssl, then it may change.

Until last version of ultrasurf, we were able to block it without decryption.

Re: Ultrasurf Blocking Fail

mbutt — Wed, 26 Feb 2014 20:57:25 GMT

I believe you have already opened a case but incase you have not i would recommend opening a case with support with the following information

1. Application version of Ultrasurf

2. pcap of the traffic from the client side

3. traffic logs during your testing

4. techsupport file

Hope this helps.

Thanks

Numan

Re: Ultrasurf Blocking Fail

Retired Member — Thu, 27 Feb 2014 08:01:46 GMT

This is not wokring with last version

even using a decryption profile, ultrasurf works.

Re: Ultrasurf Blocking Fail

mbutt — Thu, 27 Feb 2014 18:31:24 GMT

I have followed on the issue. This currently being investigated by engineering team.

Thank you

Numan

Re: Ultrasurf Blocking Fail

Kali — Tue, 04 Mar 2014 09:56:28 GMT

It seems ultrasurf has updated it's proxy network. based from the current version 13.04, PAN detects Ultrasurf and denies it. however it passes thru for some weird reasons and now the software calls for HE.NET which resides in the USA. i have responded to an older query regarding Ultrasurf but during that time, the software calls / connect to Taiwan (HINET) which i stated to block the whole country to prevent ultrasurf from connecting. What you can do for now is to double check your filters and make sure ultrasurf and unknown-tcp are on your app block-list. This may not be full proof but it can slow "ultrasurf" to a crawl (for the mean time). which i'm doing right now. Let's hope PAN team can resolve this quickly.

Re: Ultrasurf Blocking Fail

VinceM — Tue, 04 Mar 2014 10:45:17 GMT

Hi,

Same problem with TOR.

Re: Ultrasurf Blocking Fail

bpappas — Tue, 04 Mar 2014 17:28:31 GMT

My suggestion for all evasive apps like Ulrtrasurf, Tor, etc. is to open a support case when you find failure to block reliably. These apps are constantly evolving to try and evade control (evasive!). Once you have a support case open upload packet captures of the evasive traffic )capture it locally in your network) to the case. In many cases we find interesting regional differences in the application's evasion tactics. Having packet captures from your particular location is almost always a great help in determining what the app developer has added to the mix to try to fly under the radar.

-Benjamin

Re: Ultrasurf Blocking Fail

hyadavalli — Tue, 04 Mar 2014 17:44:45 GMT

Hello All,

I tested this on my firewall with latest App version (421) and it is being denied.

Regards,

Hari Yadavalli

Re: Ultrasurf Blocking Fail

malswealmeen — Tue, 04 Mar 2014 19:41:13 GMT

for the time being we blocked the proxies as follow :

1-ssl decryption

2-block unknown App

3-block unknown url's

plus the app policy to deny the proxy software

Re: Ultrasurf Blocking Fail

malswealmeen — Tue, 04 Mar 2014 19:52:16 GMT

try the following for TOR:

1- Enable SSl decryption if you don't want create a policy with SSL as application and in the url profile block the unknown sites.

2-second policy to block TOR by deny application

3-block the unknown App also

Re: Ultrasurf Blocking Fail

cpainchaud — Tue, 04 Mar 2014 23:55:58 GMT

you should also set block on SSL sessions which can't be decrypted (in decryption profile). Ultrasurf makes use of unsupported/unexisting SSL protocol options.