Block PSIPHON 3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block PSIPHON 3

L5 Sessionator

Hi all,

 

Does anybody already try with success to block Psiphon (https://www.psiphon3.com) ?

It's quite easy when psiphon is configured in VPN mode but how can I do that when VPN is not used ?

 

Thanks in advance for sharing.

 

V.

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi all,

 

After opening a case, the answer is: Decryption enabled (blocking unsupported cypher-suite) + denying 'psiphon' application in security policy should be enough.

 

Need to be tested.

 

V.

View solution in original post

13 REPLIES 13

Cyber Elite
Cyber Elite

Hello,

If you use some kind of web filtering, this should be able to block it on your network. I just checked the PAN-DB-URL and that url is:

 

URL
psiphon3.com
Category
Computer and Internet Info
 
So if the product, I dont know its workings, uses the same URL, you should be able to block it.

Hi,

 

URL filtering can't be used because after "installing" the psiphon client, you need to initiate connexion.

These connexions are based on SSL then no URL filtering ... 😞

 

V.

 

Hello,

I do not know how the client works so I cannot see the traffic for myself. However you should still be able to see the URL's eventhough the traffic is SSL. Perhaps a submission for application detection is in order?

 

Custom signatures:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Custom-Application-Signatures/ta-p/58625

 

Submit an application:

http://researchcenter.paloaltonetworks.com/submit-an-application/

 

Hope this helps...

Just in case you do use URL filtering:

 

URL: www.psiphon3.com
Previous category: computer-and-internet-info
You suggested: proxy-avoidance-and-anonymizers
New category: proxy-avoidance-and-anonymizers
The new categorization is available starting with URL DB version: 2015.09.22.220

 

Regards,

HI,

 

Thx for your help.

But it seem it's not enaugh for blocking psiphon 😞

I ask for new app.

 

V.

L5 Sessionator

Hi all,

 

After opening a case, the answer is: Decryption enabled (blocking unsupported cypher-suite) + denying 'psiphon' application in security policy should be enough.

 

Need to be tested.

 

V.

Hi, can you elaborate more of your settings?

 

Decrypting all or just specific sites/url categories?

Hi everyone.

In my experience SSL decryption and blocking the application Psiphon was not enough, it was only the first step. Psihon was stll able to connect. I discovered that Psiphon creates a Proxy service on localhost and changes proxy settings in browser to redirect browser traffic over Psiphon application. Psiphon application then forwards the traffic to the internet by its own sneaky methods:) I did Wireshark analysis and discovered that after SSL connection was blocked by PAN, Psiphon created a gzip encoded streaming tunel over tcp port 80 and PAN recognised it as "web-browsing" which was allowed. I tried to create a custom application but without success.

We successfully blocked the Psiphon by implementing SSL Decryption, blocking Psiphon application in the security policy and also by preventing users from changing their proxy settings using domain group policy.

Creating custom application signature for port 80 traffic and blocking it in the security policy on PAN would be more elegant but my signature caused too many false positives and it was easier to create a group policy.

 

LPM

L1 Bithead

Hello,
from my testing, blocking just Psiphon while using decryption was not enough. If you leave the client to try and connect long enough, it will still connect.
The best results I've got was by blocking the following:
http-proxy
ike
ipsec (not ipsec-udp)
l2tp
psiphon
ssh
ssh-tunnel
unknown-tcp

with application-default

Regards,
Stavros

Community Team Member

There's actually an article about how to block psiphon :

 

How to Block the Psiphon application

 

If you feel it is incorrect please leave a comment there for review.

 

Hope this helps. 

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Was it ever stated which category you need to decrypt?  I dont want to decrypt anything except for what it takes to stop Psiphon.

L2 Linker

Hi

I could block the Psiphon, with a security policy denying in application "psiphon/unknown-tcp/ssh" and SSL decrypt and to avoid the AutoProxy I made this

 

Click Run, and type regedit to open the Registry Editor. Find and open HKEY_CURRENT_USER\Software\Psiphon3, and on the right side you will see SkipProxySettings. Set this value to 1 and Psiphon will not automatically configure the system proxy settings. 

 

 

Hi,

additionally the unknown-udp application needs to be updated.

  • 1 accepted solution
  • 24661 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!