*SOLVED* Block Betternet servers

brcisna

Hello All,

EDIT - SOLVED
Believe we have the betternet servers/service  blocked.
AS it turned out using Zenmap to nmap the betternet servers it had a very weird "last hop" to actually contact the betternet server.
Getting this extra last hop ip range/subnet block seems to have block this app.
Hope this may help someone else.
–----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Anyone have any experience with getting Betternet servers blocked?
Honestly just found out about this avaliable App today.
Would appreciate anyones comments.

Thank You,
Barry

KOM

If you can get a definitive list of IP addresses used by their servers, then it's a snap.  Same thing goes if this service uses particular ports to talk.

brcisna

KOM,

Thank You for the reply. This is actually a VPN setup,but seems getting their servers IP address range should do the trick.
From what I've been able to see it hosts on an amazon server cloud?
Guess we'll just have to download the app and try blocking this ip subnet and see if the client machine fails,,,,hopefully.

Thanks again,
Barry

KOM

Guess we'll just have to download the app and try blocking this ip subnet and see if the client machine fails

That's how everyone else does it.

brcisna

Hello All,

I have set up block rules on the firewall for (what I think) is the betternet.co subnet and am still unable to block this website as well as the actual installed App.

Does anyone have any advice on how or what to do next?

I tried setting up a block,,much the same as https for facebook,and simply will not be effective.

Just an FYI. This app acts as a VPN from client to the betternet servers,,then out to internet.

With the client laptop connected to betternet servers via theinstalled app I can surf Facebook where with the app this is blocked,,as expected.

Thanks,
Barry

KOM

You run a test where you run the Betternet software on one of your LAN clients, and do a packet capture for that LAN client's traffic to see how the software is talking.  Use that data to further craft your firewall rules.  It all boils down to either IP addresses or ports.  Global VPN services usually have points of presence in several countries, so you need to literally compile a list of every one of Betternet's nodes, and add them all to an alias, then create a firewall rule to block all traffic to that alias.

You could also try using a domain override to resolve *.betternet.co to localhost.

brcisna

Hello All,

Just trying to keep this post alive.
Have tried wiresharking the client PC, as suggested. Seems it is a never ending cycle of going to a different public IP subnet on betternet server end.
I have done the cumulative ip subnet to an alias for Facebook block (for https) and want to do the same for betternet.
Have looked high and low for possibly a cumulative listing of betternet server subnets but simply can't seem to find anything.

Thanks,
Barry

BBcan177

betternet.com has address 64.29.145.9

AS      | IP                  | AS Name
30447  | 64.29.145.9      | INFB2-AS - InternetNamesForBusiness.com,US

AS30447

64.29.144.0/20
66.175.0.0/18
66.226.64.0/21
66.226.80.0/20
69.49.112.0/23
69.49.112.0/24
69.49.113.0/24
69.49.115.0/24
69.49.116.0/22
69.49.116.0/24
69.49.117.0/24
69.49.118.0/24
69.49.124.0/22
149.115.0.0/16
149.115.16.0/20
149.115.32.0/20
149.115.48.0/20
206.225.88.0/22
207.217.125.0/24
209.235.144.0/21
209.235.152.0/22
209.235.156.0/24
209.235.157.0/24
216.55.128.0/18
216.55.132.0/22
216.55.144.0/20
216.55.172.0/22
216.55.188.0/22

Guest

I understand this is solved, but I don't understand how to get this blocked on my Sonicwall. I'm super new at this so dumbing this down will help me learn.

KOM

Why are you asking a pfSense forum how to do something on your SonicWall?  BBcan177 already provided all of the network addresses used by Betternet.  Go to your SonicWall config and block those networks.

Guest

@KOM:

Why are you asking a pfSense forum how to do something on your SonicWall?  BBcan177 already provided all of the network addresses used by Betternet.  Go to your SonicWall config and block those networks.

Why did I ask? Because I did.  Thanks for being a dick though. It really is true! Open Source guys are big assholes.

KOM

Thanks for being a dick though. It really is true! Open Source guys are big assholes.

Have a nice day.

brcisna

Just to clarify.

betternet VPN/ Proxy bypass URL is actually : betternet.co NOT betternet.com  as BBcan117 has ip/subnets for.
So the displayed ip subnets are not effective for blocking betternet VPN/Proxy bypass.
Hope this helps.

Barry

BBcan177

host -t A betternet.co
betternet.co has address 54.164.234.179
betternet.co has address 52.0.79.127

AS        | IP                      | AS Name
14618  | 54.164.234.179  | AMAZON-AES - Amazon.com, Inc.,US

Probably going to have issues blocking these IPs as its using Amazon…

Non-Aggregated

A3103
66.7.64.0/19
63.92.12.0/22
63.238.12.0/22
63.238.16.0/23
208.47.248.0/23
209.201.96.0/22
50.19.128.0/17
107.20.0.0/16
107.22.0.0/16
107.21.0.0/18
54.212.0.0/16
54.240.24.0/22
54.253.128.0/17
54.221.0.0/16
54.211.0.0/16
54.213.0.0/16
54.215.192.0/18
54.219.0.0/17
54.202.0.0/15
23.20.0.0/15
107.23.0.0/17
23.22.0.0/15
54.200.0.0/15
54.229.128.0/17
54.207.0.0/17
54.238.128.0/17
54.207.128.0/17
54.204.0.0/15
54.206.0.0/17
54.220.0.0/16
54.219.128.0/18
54.199.0.0/17
54.194.0.0/16
54.255.0.0/17
54.219.192.0/18
54.196.0.0/15
54.193.0.0/17
54.255.128.0/17
54.84.0.0/15
54.178.0.0/17
54.72.0.0/16
54.186.0.0/15
54.242.0.0/15
54.240.8.0/21
54.184.0.0/15
54.195.0.0/16
54.193.128.0/17
54.198.0.0/16
54.80.0.0/14
54.206.128.0/17
54.199.128.0/17
54.73.0.0/16
54.86.0.0/16
54.188.0.0/15
216.182.224.0/21
216.182.224.0/20
216.182.232.0/21
67.202.0.0/18
72.44.32.0/19
75.101.128.0/17
54.234.0.0/15
107.23.128.0/17
50.16.245.0/24
54.236.0.0/18
174.129.0.0/16
107.21.64.0/18
107.21.128.0/17
54.237.0.0/16
54.228.0.0/16
54.232.192.0/18
54.249.64.0/18
54.241.192.0/18
54.241.160.0/19
54.249.128.0/17
54.244.128.0/17
54.236.64.0/18
54.236.128.0/17
54.224.0.0/15
204.236.224.0/19
204.236.192.0/18
184.73.0.0/16
184.72.128.0/17
54.253.0.0/17
54.215.0.0/17
54.244.64.0/18
54.214.0.0/17
54.250.0.0/17
54.250.128.0/18
184.72.64.0/19
54.216.0.0/15
54.208.0.0/15
54.226.0.0/15
54.229.0.0/17
54.232.128.0/18
54.215.128.0/18
54.214.128.0/17
54.240.16.0/24
184.72.96.0/19
54.254.0.0/17
54.218.0.0/17
54.218.128.0/17
54.250.192.0/18
54.254.128.0/17
54.238.0.0/17
50.16.252.0/22
50.17.0.0/16
50.19.0.0/17
54.156.0.0/14
54.151.0.0/17
54.93.32.0/19
54.93.64.0/18
54.93.0.0/19
52.0.0.0/15
54.93.128.0/17
52.64.0.0/17
52.8.0.0/16
185.48.120.0/22
54.95.0.0/17
54.79.0.0/17
54.94.0.0/17
54.87.0.0/16
54.76.0.0/15
52.10.0.0/15
54.152.0.0/16
54.153.0.0/17
54.153.128.0/17
52.16.0.0/15
52.74.0.0/16
54.183.0.0/17
54.176.0.0/15
54.74.0.0/15
54.95.128.0/17
54.89.0.0/16
54.90.0.0/15
54.191.0.0/16
54.233.64.0/18
54.233.128.0/17
52.12.0.0/15
52.28.0.0/16
54.190.0.0/16
54.88.0.0/16
54.179.128.0/18
54.94.128.0/18
54.210.0.0/16
52.68.0.0/15
52.4.0.0/14
52.24.0.0/14
54.92.0.0/17
54.64.0.0/15
54.183.128.0/17
96.127.64.0/18
54.166.0.0/15
54.92.128.0/17
54.164.0.0/15
52.76.0.0/17
54.168.0.0/16
54.68.0.0/15
54.70.0.0/15
54.78.0.0/16
54.179.192.0/18
54.66.0.0/17
54.160.0.0/14
52.2.0.0/15
52.95.52.0/22
54.169.0.0/17
52.18.0.0/15
54.66.128.0/17
54.172.0.0/15
54.171.0.0/16
54.170.0.0/16
54.67.0.0/17
54.174.0.0/15
54.169.128.0/17
54.94.192.0/18
54.144.0.0/14
54.148.0.0/15
54.151.128.0/17
54.150.0.0/16
54.93.0.0/16
54.79.128.0/17
54.178.128.0/17
54.154.0.0/16
54.155.0.0/16
52.20.0.0/14
52.95.241.0/24
52.95.243.0/24
52.95.242.0/24
52.95.244.0/24
52.95.245.0/24
52.95.240.0/24
52.95.246.0/24
52.95.247.0/24
52.64.128.0/17
52.29.0.0/16
52.88.0.0/15
52.70.0.0/15
52.72.0.0/15
52.86.0.0/15
52.90.0.0/15
54.223.32.0/19
54.223.64.0/18
52.30.0.0/15
52.95.248.0/24
52.32.0.0/14
52.76.128.0/17
52.77.0.0/16
52.9.0.0/16
52.52.0.0/15
52.192.0.0/15
23.20.0.0/14
50.16.0.0/16
50.16.0.0/14
50.112.0.0/16
52.65.0.0/16
52.62.0.0/15
52.48.0.0/14
198.18.84.0/23

Aggregated

23.20.0.0/14
50.16.0.0/14
50.112.0.0/16
52.0.0.0/13
52.8.0.0/14
52.12.0.0/15
52.16.0.0/12
52.32.0.0/14
52.48.0.0/14
52.52.0.0/15
52.62.0.0/15
52.64.0.0/15
52.68.0.0/14
52.72.0.0/15
52.74.0.0/16
52.76.0.0/15
52.86.0.0/15
52.88.0.0/14
52.95.52.0/22
52.95.240.0/21
52.95.248.0/24
52.192.0.0/15
54.64.0.0/15
54.66.0.0/16
54.67.0.0/17
54.68.0.0/14
54.72.0.0/13
54.80.0.0/12
54.144.0.0/12
54.160.0.0/12
54.176.0.0/15
54.178.0.0/16
54.179.128.0/17
54.183.0.0/16
54.184.0.0/13
54.193.0.0/16
54.194.0.0/15
54.196.0.0/14
54.200.0.0/13
54.208.0.0/13
54.216.0.0/14
54.220.0.0/15
54.223.32.0/19
54.223.64.0/18
54.224.0.0/14
54.228.0.0/15
54.232.128.0/17
54.233.64.0/18
54.233.128.0/17
54.234.0.0/15
54.236.0.0/15
54.238.0.0/16
54.240.8.0/21
54.240.16.0/24
54.240.24.0/22
54.241.160.0/19
54.241.192.0/18
54.242.0.0/15
54.244.64.0/18
54.244.128.0/17
54.249.64.0/18
54.249.128.0/17
54.250.0.0/16
54.253.0.0/16
54.254.0.0/15
63.92.12.0/22
63.238.12.0/22
63.238.16.0/23
66.7.64.0/19
67.202.0.0/18
72.44.32.0/19
75.101.128.0/17
96.127.64.0/18
107.20.0.0/14
174.129.0.0/16
184.72.64.0/18
184.72.128.0/17
184.73.0.0/16
185.48.120.0/22
198.18.84.0/23
204.236.192.0/18
208.47.248.0/23
209.201.96.0/22
216.182.224.0/20

jdusablon

May we know how this list of IPs can be updated? whois just lists 52.0.0.0/11….

homerzzzpf

Can someone help with blocking betternet?

I tried to block access to the following, but it doesn't work.
54.164.234.179
52.0.79.127

When I run the following, I get a different IP than previously posted:

host -t A betternet.co
betternet.co has address 146.112.61.104

Thanks!

KOM

Did you read any of the previous posts in this thread??  Betternet has a lot more IP addresses than just those two you listed.

homerzzzpf

I wasn't sure if it was necessary to block all of those IPs. I'll give that a go. Thanks for the reply KOM.

cbii

Wow. That's all I can say. Not only are the "hero members" here rude, they are terrible at their job. The proper way to find out how to block this app is not to use zenmap on the client. You should be looking at firewall logs filtered by the client's IP. If you listen to the "heros" here you are blocking huge blocks of AWS (legit websites) and IP blocks that aren't even pulic. I was hoping to google up a quick fix before I installed it and watched it, and this isn't it.

BBcan177

@BBcan177:

host -t A betternet.co
betternet.co has address 54.164.234.179
betternet.co has address 52.0.79.127

AS        | IP                      | AS Name
14618  | 54.164.234.179  | AMAZON-AES - Amazon.com, Inc.,US

Probably going to have issues blocking these IPs as its using Amazon…

For Betternet, its not so easy to block as its intermingled in Amazon, as per my previous post.

I don't use betternet, but some google searching didn't return any lists of IPs… If your going to watch the firewall logs, its also going to be hit and miss...