Blocking Hotspot Shield VPN

Hi All,

Currently a sysadmin within a school. I am having some trouble at the moment blocking Hotspot Shield. Have tried a few options in blocking this but I am not having any luck. Currently have a Fortigate inline, attempted to use their signature to no avail. Is anyone aware of any products/services or appliances that can successfully stop Hotspot Shield in its tracks?

Please use the Application Control signature “Hotspot.Shield” to block the VPN. You will need to set the following signatures to Block too: “ISAKMP”, “PPTP” and “L2TP”. They are used on the iOS app to connect to the servers. Hotspot Shield VPN is one of the most evasive VPNs, so be sure to update your IPS definitions whenever a new one is available.

When you figure this one out, you might want to contact the Chinese Government because they can’t figure this out either.

I work in a school also and we have problems with students using Astrill. The main issue with a lot of them is they use multiple different VPN servers e.g. OpenVPN, OpenConnect.

At this stage it is a disciplinary issue and no longer a technical one.

You might also want to try over in /r/k12sysadmin since a lot of schools fight with that app pretty regularly.

Could be hard to do if there are no reliable ways of gathering a list of hostnames they use for their servers.

And some VPN services allow a fallback to port 443 if the client encounters a restrictive firewall.

I know of a few people with similar issues. It's a multilevel problem.

Hotspot shield as in the google extension? Blacklist all extensions and force install what you need.

Local admin? No.

EMET is an option, you can also most likely modify the local antivirus to disallow vpn.

Can you try blocking via DNS? Can try blocking *.hotspotshield.com.

Also, have you tried looking up the ASN of the IP you did find and just blocking every single subnet in that ASN? You can use bgp.he.net to see the ranges under the ASN(s).

What are they trying to access that they need this for? Perhaps your blocking is too strict.

SSL interception with blocking of certificate common name perhaps?

I have DNS infrastructure in place already for redirecting BYOD traffic to on premise services. When the Fortigate isn’t quite doing what I need it to I can pop in DNS blackhole entries to shore things up.

Having consistent DNS resolution is essential for FQDN blocking in any case, so if you don't have it already you should build out the functionality. Could be as lightweight as dnsmasq on a Linux VM, or as heavy as AD-integrated DNS on Windows. For K-12, OpenDNS might not be a bad option.
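As an added illustration of the DNS blackhole approach described in this reply (example code written for this page, not something the poster or dnsmasq ships): a wildcard block list matched on label boundaries, the `address=/zone/0.0.0.0` lines dnsmasq needs to sinkhole a zone and everything under it, and a scan of dnsmasq query logs for clients that still try to resolve blocked names. The second zone and the log lines are constructed for the example; only `hotspotshield.com` comes from the thread.

```python
"""Wildcard DNS sinkhole helpers for a dnsmasq-based blackhole.
Added example; zone 'vpn-provider.example' and the log lines are constructed."""
import re

# Each entry blocks the zone itself and every name beneath it.
BLOCKED_ZONES = ["hotspotshield.com", "vpn-provider.example"]


def is_blocked(qname: str, zones=BLOCKED_ZONES) -> bool:
    """True if qname equals a blocked zone or is a subdomain of one.

    The check is anchored on a label boundary so a look-alike such as
    'nothotspotshield.com' is NOT caught by the 'hotspotshield.com' entry,
    and trailing dots / mixed case are normalised first.
    """
    name = qname.rstrip(".").lower()
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def dnsmasq_sinkhole_config(zones=BLOCKED_ZONES, sink="0.0.0.0") -> str:
    """Render dnsmasq 'address=' directives.

    dnsmasq applies address=/zone/ip to the zone and all of its subdomains,
    which is exactly the wildcard semantics is_blocked() implements.
    """
    return "".join(f"address=/{z}/{sink}\n" for z in zones)


# dnsmasq with log-queries writes lines of the form
#   '... dnsmasq[PID]: query[A] NAME from CLIENT'
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)")


def find_blocked_queries(log_lines):
    """Return (client, qname) pairs for queries that hit a blocked zone.

    Useful after the sinkhole is in place: a client that keeps asking for
    these names is the device to go and look at.
    """
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits


# Constructed sample log, not captured from a real resolver.
SAMPLE_LOG = [
    "Mar  4 09:12:31 dnsmasq[1234]: query[A] www.hotspotshield.com from 10.20.30.40",
    "Mar  4 09:12:32 dnsmasq[1234]: query[A] www.example.edu from 10.20.30.41",
    "Mar  4 09:12:33 dnsmasq[1234]: query[AAAA] api.vpn-provider.example from 10.20.30.40",
    "Mar  4 09:12:34 dnsmasq[1234]: query[A] nothotspotshield.com from 10.20.30.42",
]

if __name__ == "__main__":
    print(dnsmasq_sinkhole_config(), end="")
    for client, qname in find_blocked_queries(SAMPLE_LOG):
        print(f"{client} asked for blocked name {qname}")
```

Drop the rendered `address=` lines into a file under `/etc/dnsmasq.d/` and reload dnsmasq; the log scan is what tells you which BYOD clients are still trying, which is the hand-off to the disciplinary side mentioned elsewhere in the thread.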

You can’t. VPNs are getting increasingly sophisticated. UltraSurf is a great example.

You can solve this problem with SafeConnect, actually. I've created policies for both Hotspot and Psiphon that will block the endpoint when they launch either service.

Full disclosure: I work for Impulse.

Quite a newbie here, but would it work by disabling VPN passthrough on the outbound router?

Saw this response on their forum too.
Unfortunately this does not do the trick.

For your issues wouldn’t you just be able to use OpenVPN or other signatures on your filtering solution? We don’t have many issues with things like OpenVPN etc, it’s just things like Hotspot shield and Ultrasurf.

If only it was easy to discipline a few hundred students haha.

Thanks, have dropped a post over there as well.

I found that they use some SSL trickery to show the hostname as legitimate websites such as paypal.com or emirates.com. All their traffic seems to go on 443 by default.

Already got the extension side covered. However that only applies to accounts in our google domain. No way to prevent users from logging into their own chrome account in the browser and installing the extension.

You are right in that it is definitely a multi-level issue though.

As I've mentioned in other comments, traffic goes out with legitimate hostnames (paypal.com, emirates.com, etc.).

Guess I could try blocking the whole EGI Hosting subnets advertised from their AS, however the IPs used are changing daily by the looks of things.

EDIT: Here is an example of it masquerading as legitimate websites. https://imgur.com/a/zVppH
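The two observations above (traffic on 443 with the SNI of a legitimate site such as paypal.com, and endpoints living in a hosting provider's ASN whose prefixes can be pulled from bgp.he.net, as suggested earlier in the thread) combine into one detection that does not need SSL interception: pull the SNI out of the ClientHello and check whether the destination IP is plausible for that name. The example below is added here and is not the poster's or any vendor's code. It assumes a small table of prefixes where each well-known name is expected to live, and a list of prefixes for the hosting ASN; all prefixes, the ClientHello bytes and the flows are constructed from documentation ranges, not real PayPal, Emirates or EGI Hosting address space.

```python
"""SNI-versus-destination consistency check for TLS flows on 443.
Added example; prefixes, ClientHello bytes and flows are constructed."""
import ipaddress
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal ClientHello record with one SNI extension (sample input only)."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                          # client_version + random
            + b"\x00"                                           # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
            + b"\x01\x00"                                       # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:                    # not a Handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                            # not a ClientHello
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                                  # skip version and random
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                               # session_id
    if len(p) < i + 2:
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]                 # cipher_suites
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                               # compression_methods
    if len(p) < i + 2:
        return None
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= min(end, len(p)):                            # walk the extensions
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        data = p[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:       # server_name, host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


# Constructed: where each well-known SNI is expected to terminate (doc ranges).
EXPECTED_PREFIXES = {"paypal.com": ["203.0.113.0/24"], "emirates.com": ["198.51.100.0/24"]}
# Constructed: prefixes for the hosting ASN (in practice copied from bgp.he.net).
VPN_ASN_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25"]


def collapse(prefixes):
    """Merge adjacent/overlapping prefixes so the firewall gets a minimal list."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def expected_nets_for(sni: str):
    """Match the SNI, or any name under it, against the expectation table."""
    for zone, prefixes in EXPECTED_PREFIXES.items():
        if sni == zone or sni.endswith("." + zone):
            return collapse(prefixes)
    return None


VPN_NETS = collapse(VPN_ASN_PREFIXES)


def classify_flow(client_hello: bytes, dst_ip: str) -> str:
    """'vpn-asn' beats 'sni-mismatch': an IP inside the hosting ASN is blocked
    regardless of what the SNI claims; a known SNI going somewhere unexpected
    is flagged for review; everything else passes."""
    sni = parse_sni(client_hello)
    if sni is None:
        return "no-sni"
    if in_any(dst_ip, VPN_NETS):
        return "vpn-asn"
    expected = expected_nets_for(sni)
    if expected is not None and not in_any(dst_ip, expected):
        return "sni-mismatch"
    return "ok"


if __name__ == "__main__":
    print("firewall block list:", [str(n) for n in VPN_NETS])
    for host, dst in [("paypal.com", "192.0.2.200"), ("paypal.com", "203.0.113.7")]:
        print(host, "->", dst, ":", classify_flow(build_client_hello(host), dst))
```

The point of `collapse()` is the earlier suggestion to block the ASN wholesale: two /25s become one /24 rule, and if the provider's IPs rotate within its advertised space, as the post above describes, the prefix list still covers them without daily updates. The mismatch branch is the signal the screenshot shows: a ClientHello for paypal.com going to an address PayPal has never announced.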

Social Media, Games, just non school related content. Our filtering is relatively relaxed compared to that of some of the other schools in the area.