How do I block Psiphon?

06/21/2023 90 People found this article helpful 485,235 Views

Description

This article describes how to block the Psiphon application by enabling DPI-SSL Client, and app control signatures.

NOTE: Psiphon application is constantly being updated and therefore SonicWall blocks are a 'best-effort' practice, which means that a 100% blocking success rate is not guaranteed, this is due to multiple factors including new patterns, domains registered, proxy server IPs, etc.

Application updates may result in being able to bypass the SonicWALL detection mechanisms, the SonicWall Engineering team is working to ensure that any new update is immediately met with a new signature update as well as quickly as possible to block these connection attempts.

SonicWall is working to develop a robust mechanism that can identify and restrict such applications. This article will be updated with the latest information as we move forward.Psiphon is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide uncensored access to internet content. Psiphon does not increase online privacy and should not be considered or used as an online security tool.

NOTE: In some cases, Psiphon 3 will continuously keep connecting and disconnecting. During this time the end-user will not be able to connect to external websites or be able to manage the firewall. This is due to Psiphon modifying the end-users proxy settings which are used to access the network. If the Psiphon application does not exit properly it may not correctly restore the original proxy settings which will prevent access to the network.

Resolution

To block Psiphon:

Enable DPI-SSL Client Inspection. Enable DPI-SSL Client Inspection by going to the Manage tab and then to Deep packet Inspection | SSL Client Deployment and selecting Enable SSL Client Inspection. Ensure that IPS, GAV, Spyware, and Application Firewall are selected.
Enable App Control "Psiphon" signatures, all. Enable all Psiphon application signatures by going to the Manage tab and then to Rules | Advanced Application Control. Select the category PROXY-ACCESS and application Psiphon. Configure the application to be blocked and logged.
Enable (block) App Control "Encrypted Key Exchange" Random Traffic for TCP (SID 5) and UDP (SID 7).
Enable (block) App Control "SSH -- Client Request Outbound" (SID 10097), or alternatively, create Access Rule to block outbound TCP/22 SSH Service from this LAN->WAN.
Enable (block) App Control "HTTP Protocol -- Range Header" (SID 6872).
Enable App Control "ISAKMP" signatures, or create Access Rule to block outbound udp/500 from LAN to WAN (IPSec VPN mode).
Enable App Control "Google QUIC" signatures.
Create Access Rule to block outbound TCP/53 (DNS) from LAN to WAN.
Create Access Rule deny rule outbound UDP/53 (DNS) from LAN to WAN, and a second, allow rule to permit all necessary DNS traffic, but only to known good DNS servers being used;
Create Access Rule to block all outbound UDP ports below 1025 from LAN to WAN, with exception noted above;