Ultrasurf is an application that allows users browse anonymously throws transparent proxys. All the traffic is routed encrypted throws SSL(Secure socket layer) by port 443. This well- known protocol is used by thousands of web pages that let you browse secure for e-shopping , bank consulting and things that requires more private communications. Obviously firewalls usually doesn’t block this kind of traffic because this will be a nightmare for the vast majority of users. In my case this software is used by my students to overpass the web page restrictions applied by the high School firewall. For example is forbidden use social networks like facebook or tuenti, but with this application (ultrasurf) it can be easy pass over this restrictions when is installed in pupils computers.
I have been researching in internet and finally I have found a good way to restrict only the traffic generated by ultrasurf and allow the rest of SSL traffic pass the firewall.
First of all I’ve downloaded wireshark protocol analyzer in a computer with ultrasurf installed. When I have begun to capture network traffic I’ve realized that ultrasurf has started to generate a lot of traffic in port 443 (ssl protocol). Looking at the ‘Client Hello’ frame that is used as a hand shake by SSL protocol I’ve realized that all packets sent by wireshark follows the same pattern in all "Client hello" frames the following hex sequence is repeated "16 03 01 00 41 01 00 00 3D 03 01 … ". This traffic is encrypted and I don’t know what hell means but I’ve been comparing traffic with other web pages with SSL enabled and I discovered that ins his "Client Hello" frames they are sending other information.
With this usefull information in my hands It’s only a matter of fact start to try with firewall rules applied at layer 7 level.
For example with this iptables rule that filters and capture all traffic that is sent by SSL and with the hex sequence 16030100410100003d0301 inside in is enough to drop only ultrasurf generated network traffic
iptables -I FORWARD -m tcp -p tcp –dport 443 -m string –to 256 –hex-string ‘|16030100410100003d0301|’ –algo bm -j DROP
If ultrasurf is using another port you can try with this
iptables -I FORWARD -m tcp -p tcp –tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string –to 256 –hex-string ‘|16030100410100003d0301|’ –algo bm -j DROP
And if your firewall is a router OS based one try this:
/ip firewall layer7-protocol
add name=ultrasurf regexp="^\16\03\01\00\41\01\00\00\3D\03\01"
/ip firewall mangle
add chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=ultrasurf \
address-list-timeout=0s layer7-protocol=ultrasurf in-interface=lan dst-port=443
Obviously this is not the definitive rule, in newer versions of ultrasurf maybe if this firewall rules become popular this will be changed.
Useful source: http://awarmanf.wordpress.com/