Ultrasurf is a proxy-based tool that hides the identity of the user and thereby bypasses firewall policies. Juniper Standalone IDP, SRX-IDP, and ISG-IDP can be used to block Ultrasurf traffic; this article describes how to do so.
How to block Ultrasurf.
Currently the IDP/IPS cannot detect Ultrasurf traffic directly. However, Ultrasurf version 12.10 and above can be blocked by using the signature SSL:AUDIT:NOT-SSL in the IDP policy. This signature matches TCP sessions on the default SSL port (443) whose payload is not SSL. Because of this, it can also block legitimate programs that use non-SSL sessions on port 443.
Example IDP policy on SRX:
idp-policy P2P {
    rulebase-ips {
        rule ultrasurf {
            match {
                application default;
                attacks {
                    predefined-attacks SSL:AUDIT:NOT-SSL;
                }
            }
            then {
                action {
                    drop-connection;
                }
                notification;
            }
        }
    }
}

Hits on the signature can be verified from the attack table:

root> show security idp attack table
IDP attack statistics:
  Attack name          #Hits
  SSL:AUDIT:NOT-SSL    2
Notes:
- The signature SSL:AUDIT:NOT-SSL is applicable for Standalone IDP, ISG IDP, and SRX IDP, so Ultrasurf 12.10 can be blocked on all these platforms.
- AppSecure features on the SRX platform provide Ultrasurf-specific signatures that block the traffic as well as downloads of the Ultrasurf client.
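To make the false-positive caveat concrete, the following is an added Python sketch (not from this article and not Juniper's signature code) that approximates the decision a "not SSL on the SSL port" rule such as SSL:AUDIT:NOT-SSL makes on the first client bytes of a TCP/443 session: a well-formed TLS ClientHello passes, anything else is treated as not SSL. The payloads are constructed samples, and the parsing rules are assumptions about the rule's logic.

```python
import struct

# Constructed sample payloads: the first bytes a client sends on TCP/443.
# These are made-up examples for illustration, not captures of any tool.
TLS_CLIENT_HELLO = bytes.fromhex(
    "16030100" + "2d"           # TLS record: handshake (0x16), version 3.1, length 45
    + "01" + "000029"           # handshake type ClientHello (0x01), body length 41
    + "0303" + "00" * 32        # client version 3.3 and a 32-byte (zeroed) random
    + "00"                      # session id length 0
    + "0002" + "1301"           # cipher suites: one suite, TLS_AES_128_GCM_SHA256
    + "0100"                    # compression methods: one method, null
)
PLAIN_HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CUSTOM_BINARY_ON_443 = b"\x00\x07hello\x01\x02"


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True when the first client bytes parse as a TLS record that
    carries a ClientHello. Anything else on port 443 is what a
    'not SSL on the SSL port' rule (assumed logic) would flag."""
    if len(payload) < 9:                      # record header (5) + handshake header (4)
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False                          # not a handshake record / unknown version
    if rec_len == 0 or rec_len > 2**14 + 2048:
        return False                          # outside the TLS record length bound
    handshake_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    return handshake_type == 0x01 and hs_len > 0


def classify_port443_session(payload: bytes) -> str:
    """Mimic the policy outcome for a TCP/443 session (assumed behaviour,
    not Juniper's implementation): TLS is allowed, anything else hits the
    rule and gets the drop-connection action from the example policy."""
    return "allow" if looks_like_tls_client_hello(payload) else "drop-connection"


def audit_samples() -> dict:
    """Run the three constructed sessions through the classifier. The plain
    HTTP case shows the false positive the article warns about: a legitimate
    non-SSL program on port 443 is dropped just like the proxy traffic."""
    return {
        "tls_client_hello": classify_port443_session(TLS_CLIENT_HELLO),
        "plain_http_on_443": classify_port443_session(PLAIN_HTTP_ON_443),
        "custom_binary_on_443": classify_port443_session(CUSTOM_BINARY_ON_443),
    }


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:22s} -> {verdict}")
```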