tprendergast Thu, 09/24/2009 - 10:22

There are a few ways.


1) Install the product, fire up a sniffer, launch the product, identify the subnets it talks to for their proxy servers. Block those by IP.

2) Block these IP ranges (allocated to them by ARIN):

Ultrareach Internet Corp EVRY-229 (NET-67-15-183-0-1) 67.15.183.0 - 67.15.183.127

UltraReach Internet Corp. EVRY-231 (NET-67-15-151-64-1) 67.15.151.64 - 67.15.151.127


3) Put a null route to those networks in at your edge or inside network so the traffic goes nowhere.


You can get more ideas, but that is a good start. Basically, Ultrasurf uses an encrypted connection to a set of proxy servers in their IP space. If you cut off access to their IP space, you are effectively neutering their product and making it useless.


Cheers,

Tim

andre.ortega Thu, 09/24/2009 - 10:46

It does not work because the IP range changes every time. Here Ultrasurf is using 65.49.2.121 now.

Regards.

tprendergast Thu, 09/24/2009 - 11:02

Watch the packet capture... it must be doing a DNS query to resolve those IP addresses. Look into the DNS packet and block all IPs associated with that A-record, or put in an A-record for that DNS name on your DNS servers and send it to 127.0.0.1. This will blackhole the client.


The PIX, without deep packet inspection for URLs, won't be much help here.


You could enable the URL filtering with Websense and see if they block it, but that would be about as much as you could do.
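
The range blocking from the first reply and the coverage gap raised in the second, as an added example that is not part of the original thread: it converts the two quoted ARIN ranges to CIDR, renders null routes, and reports observed destinations the block list misses. It assumes an IOS router at the edge (the `ip route ... Null0` form); the function names and the sample address 67.15.183.20 are constructed for illustration.

```python
import ipaddress

# Ranges quoted in the thread (ARIN allocations listed in the first reply).
BLOCKED_RANGES = [
    ("67.15.183.0", "67.15.183.127"),
    ("67.15.151.64", "67.15.151.127"),
]


def ranges_to_networks(ranges):
    """Collapse inclusive start-end ranges into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return list(ipaddress.collapse_addresses(nets))


def null_routes(networks):
    """Render static routes to Null0 (assumption: IOS router, not the PIX)."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in networks]


def uncovered(destinations, networks):
    """Return observed destination IPs that no blocked network contains."""
    missed = []
    for dst in destinations:
        addr = ipaddress.ip_address(dst)
        if not any(addr in n for n in networks):
            missed.append(dst)
    return missed


if __name__ == "__main__":
    nets = ranges_to_networks(BLOCKED_RANGES)
    for line in null_routes(nets):
        print(line)
    # Destinations as they might appear in a capture: one constructed sample
    # inside a listed range, plus the address reported in the second reply.
    observed = ["67.15.183.20", "65.49.2.121"]
    print("not covered:", uncovered(observed, nets))
```

Running the coverage check against each new packet capture shows when the static list has gone stale.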


