Forum Discussion

Nimbostratus

Oct 10, 2012

How to Blocking ULtrasurf?

Hi All, Is there any irule or configuration on F5 for blocking ultrasurf? I try to use ip intelegence irule on LTM,it did not work because the destination ip address is not registered as bad r...

app sec

BIG-IP Access Policy Manager (APM)

security

hoolio

Cirrostratus

Oct 11, 2012

Also, I'm not sure if you want to continuously collect the payloads. Can you collect enough bytes just once in the initial connection to find the bad byte pattern?


when CLIENT_ACCEPTED {
if { [class match [IP::local_addr] equals block_ip_ultrasurf ] } {
log local0. "block ip = [IP::local_addr]"
drop
} elseif {[TCP::local_port] == 443} {
TCP::collect 100
}
}

when CLIENT_DATA {
binary scan [TCP::payload] H* payload_hex
log local0. "payload_hex ([string length $payload_hex] chars) = $payload_hex"

if {[class match $payload_hex contains signature_clientsslhello]} {
drop
}
TCP::release
}

Aaron

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

How to Blocking ULtrasurf?

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Is it possible to create a Single Pool with multiple ports ?

F5 object groups in AFM

Round-robin method not load balanced

F5 ASM with fortisandbox

Disabling signature for a URL

Related Content

Block IP after a number of ASM Blocks

Massive DDoS, DanaBot Dismantled, Scraped Discord Messages and Signal Blocks Windows Recall

Block traffic

domain blocking

Understanding F5's Transparent Mode vs Blocking Mode with a Focus on Geo-Blocking

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS