GUIDE TO COMPLETELY BLOCK ULTRASURF IN A MIKROTIK NETWORK

WHAT IS ULTRASURF?

UltraSurf is a proxy-type program developed by UltraReach Internet Corporation to surf the internet "anonymously": it masks the user's IP address so that almost any access restriction set on the local network can be bypassed. When run, it connects to its servers over secure connections and creates a kind of "VPN" through which all traffic passes, mocking the restrictions imposed on the network. The firewall only sees connections to a single address, UltraSurf's, and because they are encrypted it cannot tell what kind of traffic is going through them; this is what lets a user reach pages that are unauthorized or blocked in our region. It is a very well-known program in universities, schools, private companies, government institutions, call centers and many other places where people want to reach sites that their administration has not authorized.

GETTING DEEPER

UltraSurf uses many methods to connect to its servers without being detected by security systems. Almost no firewall intercepts secure connections, so that is the first mode it uses. If it cannot find its primary servers, it tries to locate its secondary servers. Finally, its tactic is to go through other servers to reach its destination, choosing ones that are almost never blocked or denied: those of Google, Amazon, CloudFront and others. When connected, UltraSurf joins an "internet cloud" where other users are online, and the user's machine automatically becomes a host that helps other people establish their connection through ours. This seriously compromises the security of the network, and the user can become infected with any malware. As mentioned, the initial connections are created on TCP port 443 to communicate with the primary and secondary servers; then, to find the domains it most commonly uses, it performs DNS requests on UDP port 53, and it even tries to obtain addresses by making NBNS requests on UDP port 137.
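The three indicators just described (TCP/443 to a primary block, UDP/53 lookups and UDP/137 NBNS requests from the same host) can be counted per source from the router's firewall log. The following Python script is an added example, not part of the guide: it assumes the filter rules were created with log=yes and a log-prefix, and that the router's syslog output has the shape of the constructed sample lines embedded below. The primary block, hosts and resolver are placeholders taken from the RFC 5737 documentation ranges, not UltraSurf's real addresses.

```python
"""Triage of RouterOS firewall log lines for the UltraSurf connection pattern.

Added example, not part of the guide. The log line shape is an assumption
about RouterOS syslog output; all addresses are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Placeholder standing in for the guide's "UltraSurf CloudFlare" address list.
PRIMARY_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed shape: "<topics> <log-prefix> <chain>: in:<if> out:<if>, proto <P> [(flags)],
#                 <src>:<sport>-><dst>:<dport>, len N"
LOG_RE = re.compile(
    r"^(?P<prefix>.*?) (?P<chain>forward|input|output): .*?"
    r"proto (?P<proto>[A-Z]+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one host showing all three indicators, one ordinary host.
SAMPLE_LOG = """\
firewall,info UltraSurf Users Drop forward: in:bridge1 out:ether1, proto TCP (SYN), 192.168.88.10:51234->203.0.113.7:443, len 52
firewall,info UltraSurf Users Drop forward: in:bridge1 out:ether1, proto TCP (SYN), 192.168.88.10:51235->203.0.113.9:443, len 52
firewall,info Drop UltraSurf Users forward: in:bridge1 out:ether1, proto UDP, 192.168.88.10:53011->192.0.2.53:53, len 61
firewall,info forward: in:bridge1 out:ether1, proto UDP, 192.168.88.10:137->203.0.113.7:137, len 78
firewall,info forward: in:bridge1 out:ether1, proto TCP (SYN), 192.168.88.20:40000->192.0.2.80:443, len 52
"""


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def to_primary(dst):
    """True when the destination falls inside one of the primary server blocks."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in PRIMARY_BLOCKS)


def triage(log_text):
    """Count, per source address, the indicators the guide describes."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = stats[rec["src"]]
        if rec["proto"] == "TCP" and rec["dport"] == 443 and to_primary(rec["dst"]):
            c["https_to_primary"] += 1   # direct attempt to reach a primary server
        elif rec["proto"] == "UDP" and rec["dport"] == 53:
            c["dns"] += 1                # name lookups (the traffic the 30 s drop cuts)
        elif rec["proto"] == "UDP" and rec["dport"] == 137:
            c["nbns"] += 1               # NBNS fallback described in the guide
        else:
            c["other"] += 1
    return stats


def suspects(stats):
    """Sources that touched a primary block: the population the "UltraSurf Users" list records."""
    return sorted(src for src, c in stats.items() if c["https_to_primary"] > 0)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for src in suspects(s):
        print(src, dict(s[src]))
```

The NBNS counter is kept separate on purpose: on its own UDP/137 is ordinary Windows name-service noise, so it only strengthens a verdict for a host that has already been seen contacting a primary block.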
Steven Vega Ramírez – MTCTCE
stevenvegar@gmail.com
San José, Costa Rica, March 2016

ULTRASURF SERVERS

Primaries: They are hosted at the company CloudFlare, which uses hundreds and hundreds of IPs. The address blocks of these servers are the 104.x.x.0/24 networks entered in the address list of the script below (the exact octets are not legible in the extracted source).

Secondary: These come from a North American data center called CoreSpace, which specializes in providing services similar to the UltraSurf proxy. Their blocks are the ones entered in the mangle section of the script below.

Tertiary: We have identified several domains that UltraSurf tries to connect to but for which we do not have the IP addresses, so its DNS lookups ask for names such as google.com, amazonaws.com, cloudfront.net, hinet.net and he.net, plus domains under the names DigitalUnited, Mail and tfn whose endings (.com, .net, .tw, .nl) cannot be reliably matched to each name in the extracted source.

Graphically we can understand a little better how it works:

[Figure: diagram of how UltraSurf connects through its primary, secondary and tertiary servers; the image is not reproduced in this extract]

WHAT ACTIONS WE WILL TAKE

BLOCKING PROCEDURE

There are several ways to prevent a user on the local network from reaching the UltraSurf servers. I will explain in detail the most effective and reliable one.

We will create a static address list holding the addresses of the primary servers, called "UltraSurf CloudFlare". Then we will create a dynamic address list named "UltraSurf Users Drop", which collects the source address of anyone trying to connect to the "UltraSurf CloudFlare" servers and keeps it on that list for 30 seconds. Additionally we can keep an address list, with no timeout, that records every IP address that has tried to connect to "UltraSurf CloudFlare"; those addresses stay marked, so the network administrator knows which users try to outwit and overcome the network security.

Then we establish a firewall rule that discards ("drop") all connections whose origin is in "UltraSurf Users Drop" and whose destination is in "UltraSurf CloudFlare". Next, we create several rules that mark the packets destined for the secondary servers from any IP in our LAN; these packets are tagged with the packet mark "UltraSurf". After this, we create a rule that discards all packets carrying the "UltraSurf" mark. Finally, we discard all DNS traffic (UDP port 53), in both directions, for the addresses in "UltraSurf Users Drop", which denies the user's navigation for only 30 seconds, since without access to the DNS port they cannot resolve the name of any domain. Other services or applications that communicate over other ports are not affected during those 30 seconds, as long as they are not affected by the local proxy setting that UltraSurf changes. With this configuration, users who try to use UltraSurf lose their navigation for only 30 seconds.

SCRIPT FOR BLOCKING ULTRASURF

Note on this copy of the script: the extraction damaged several address values. Entries whose prefix could not be read are marked <prefix unreadable in source> and must be filled in from a current list of UltraSurf server addresses before the script is pasted into a router. The two CoreSpace prefixes 63.249.61.0/18 and 66.128.221.0/17 are reproduced exactly as printed, but neither lies on its mask boundary, so they should also be checked before use.

/ip firewall address-list
add address=104.<octets unreadable in source>/24 list="UltraSurf CloudFlare"
add address=104.<octets unreadable in source>/24 list="UltraSurf CloudFlare"

/ip firewall filter
add action=add-src-to-address-list address-list="UltraSurf Users Drop" address-list-timeout=30s chain=forward comment="UltraSurf Users Drop" dst-address-list="UltraSurf CloudFlare"
add action=add-src-to-address-list address-list="UltraSurf Users" chain=forward comment="UltraSurf Users" src-address-list="UltraSurf Users Drop"
add action=drop chain=forward comment="Drop UltraSurf CloudFlare" dst-address-list="UltraSurf CloudFlare"
add action=drop chain=forward comment="Drop UltraSurf CoreSpace" packet-mark=UltraSurf
add action=drop chain=forward comment="Drop UltraSurf Users" port=53 protocol=udp src-address-list="UltraSurf Users Drop"

/ip firewall mangle
add action=mark-packet chain=prerouting comment="CoreSpace UltraSurf" dst-address=63.249.61.0/18 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=66.128.221.0/17 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=216.160.0.0/19 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=216.<octets unreadable in source>/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=64.<octets unreadable in source>/17 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=209.<octets unreadable in source>/16 new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=69.<octets unreadable in source> new-packet-mark=UltraSurf
add action=mark-packet chain=prerouting dst-address=<octet unreadable in source>.97.164.0/16 new-packet-mark=UltraSurf

[Figure: Address List, CloudFlare IPs]
[Figure: UltraSurf Users IPs]
[Figure: Firewall Filter denying connections to UltraSurf servers]
[Figure: Firewall Mangle, marking packets to the UltraSurf CoreSpace servers]
[Figure: Result]

It has been tested more than 100 consecutive times with the same result, with several versions of the program, as of March 2016. I hope this guide helps someone who needs to do this procedure on a network, and also shows that MikroTik devices are the best. Any additional questions can be sent by email. Greetings from San José, Costa Rica.
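The 30-second window is the part of the procedure that is easiest to get wrong, because it depends on the order of the filter rules and on when the dynamic entry expires. The following Python model is an added example, not RouterOS code and not from the guide: it reproduces the decision logic of the five filter rules and the mangle marks so that the window can be checked step by step. The prefixes and hosts are constructed placeholders from the RFC 5737 documentation ranges, and the model assumes that a repeated match refreshes the dynamic entry's timeout.

```python
"""Model of the guide's filter/mangle rule chain, as an added example.

Python, not RouterOS code, and not from the guide: it reproduces the decision
logic of the rules so the 30-second window can be reasoned about. All prefixes
and hosts are constructed placeholders, not UltraSurf's real addresses.
"""
import ipaddress
from dataclasses import dataclass, field

DROP_TIMEOUT_S = 30  # address-list-timeout=30s in the guide's first filter rule


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass
class Firewall:
    cloudflare: list                                # static "UltraSurf CloudFlare" list
    corespace: list                                 # mangle dst-address blocks -> mark UltraSurf
    users_drop: dict = field(default_factory=dict)  # dynamic list: src -> expiry time (s)
    users: set = field(default_factory=set)         # permanent "UltraSurf Users" list

    @staticmethod
    def _in(addr, nets):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    def _in_drop_list(self, src, now):
        expiry = self.users_drop.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.users_drop[src]  # dynamic entry has timed out
            return False
        return True

    def forward(self, pkt, now):
        """Return "drop" or "accept" for one forwarded packet at time `now` (seconds)."""
        # mangle prerouting: packets to the secondary (CoreSpace) blocks get the mark
        marked = self._in(pkt.dst, self.corespace)
        # filter 1: add-src-to-address-list "UltraSurf Users Drop", timeout 30 s
        # (assumption of this model: a repeated match refreshes the expiry)
        if self._in(pkt.dst, self.cloudflare):
            self.users_drop[pkt.src] = now + DROP_TIMEOUT_S
        # filter 2: sources currently in the drop list are recorded permanently
        if self._in_drop_list(pkt.src, now):
            self.users.add(pkt.src)
        # filter 3: drop everything destined to "UltraSurf CloudFlare"
        if self._in(pkt.dst, self.cloudflare):
            return "drop"
        # filter 4: drop packets carrying the UltraSurf mark
        if marked:
            return "drop"
        # filter 5: drop UDP/53 from hosts in the drop list (the guide's rule uses
        # port=53, which matches either port; modelled here on the destination port)
        if pkt.proto == "udp" and pkt.dport == 53 and self._in_drop_list(pkt.src, now):
            return "drop"
        return "accept"


def demo():
    """Walk one host through the 30-second window; returns (verdicts, permanent list)."""
    fw = Firewall(
        cloudflare=[ipaddress.ip_network("203.0.113.0/24")],  # placeholder primary block
        corespace=[ipaddress.ip_network("198.51.100.0/24")],  # placeholder secondary block
    )
    resolver, web = "192.0.2.53", "192.0.2.80"                # placeholder DNS and web servers
    verdicts = [
        fw.forward(Packet("192.168.88.10", "203.0.113.5", "tcp", 443), now=0),   # first attempt
        fw.forward(Packet("192.168.88.10", resolver, "udp", 53), now=5),          # DNS inside window
        fw.forward(Packet("192.168.88.10", web, "tcp", 80), now=5),               # other port, unaffected
        fw.forward(Packet("192.168.88.10", "198.51.100.9", "tcp", 443), now=10),  # secondary block
        fw.forward(Packet("192.168.88.10", resolver, "udp", 53), now=31),         # DNS after window
        fw.forward(Packet("192.168.88.20", resolver, "udp", 53), now=31),         # uninvolved host
    ]
    return verdicts, sorted(fw.users)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the property the guide relies on: the host's DNS is dropped at t=5 but its plain HTTP at t=5 still passes, the DNS at t=31 is accepted again once the dynamic entry has expired, and the host nevertheless remains in the permanent list for the administrator to review.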