This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to block Psiphon traffic - miscategorized as "Unauthorized Hotspot Client"

We have a number of users that are using Psiphon to bypass our web filter and Wifi voucher system. Although the UTM has an application profile for Psiphon, it doesn't appear to work properly. For the locations that I know are using Psiphon, there is no traffic being logged under the application category. Instead, I am seeing tens of gigabytes of traffic being categorized as "Unauthorized Hotspot Client". My understanding is that "Unauthorized Hotspot Client" should only be logged when a user tries to go online but they don't have a valid wifi voucher, so need to enter the code.

Looking at the packet logs, Psiphon appears to be tunneling using port 53 (DNS) which the UTM seems to be allowing through weather they have a voucher or not. I obviously can't block port 53, and the UTM isn't categorizing the traffic properly either, so my only solution is to see which clients have excessive traffic being logged as "Unauthorized Hotspot Client" and blocking them by MAC.

Our ISP can identify the traffic, which is how we know it's Psiphon, so why can't the UTM? Is this a bug?

 

UTM Details:

SG 115

Firmware: 9.41.3-4

Pattern: 131447



This thread was automatically locked due to age.
  • I hope you are worki lng with Sophos support on this, since none of us can fix bugs.

    You probably can block port 53.   If your network follows the DznS best practices, all legitimste DNS queries should be relayed through UTM.  

    I think you will ned a furewall rule to allow all non-internet addresses to UTM port 53, and UTM to Any port 53.  (Replies to UTM should be allowed by the connection tracker). Then the final rule blocks Any-to-Any port 53

    Need to do it for both tcp and udp, at a low-risk time slot, and test thoroughly.