Mikrotik
okjaeo, 2020-06-05 16:31:47

How to block AnyDesk at the router level?

On Mikrotik, blocking TeamViewer, AmmyAdmin and Supremo through a regular expression in layer7 and packet marking works, but AnyDesk still connects, although the site does not open.
I have already registered static DNS records for *.net.anydesk.com. In Wireshark on the computer I found DNS requests to api.playanext.com and soflopxl.com; blocking them does not help either.
How does it bypass the restrictions, and how can it be blocked?


6 answer(s)
paxlo, 2020-06-06
@paxlo

Addresses do not need to be blocked, this is stupid. They can change at any time; you need to block hostnames in their entirety with all subdomains. AnyDesk is easily blocked with a regular expression like
"^.*(rl.ammyy.com|www.ammyy.com|anydesk.com|etc).*\$"
tcp/udp port - less load than checking all packets via L7 directly in filter. What else is important is to block the use of any DNS except the router's IP. Some software may not look at the system DNS, but use free ones to determine the IP of the desired host.

Roman Kulakovich, 2020-06-06
@Wernisag

Isn't it easier to block the application itself via UAC on workstations? You can do it both selectively on a specific computer and, through group policies, roll it out to all of them.

d-stream, 2020-06-05
@d-stream

Clumsy option: on a Windows computer running AnyDesk, run
netstat -a -b -n (well, or netstat -a -b -f for FQDN)
and there we see
[AnyDesk.exe]
TCP 192.168.138.22:6088 52.114.128.74:443 ESTABLISHED
True, there is a high probability that more than one address is used, and whois says that this is a Microsoft network (

CityCat4, 2020-06-05
@CityCat4

I wonder what model of Mikrotik it is. When I turned on L7 to block TeamViewer, the rb2011 immediately ground to a halt.
TeamViewer has collected a bunch of addresses for such purposes - are you sure you blocked them all? :) It first tries the port, then starts going through the addresses. I'm sure AnyDesk does exactly the same.
Put the client on a test machine and sniff on the Mikrotik - that will show the process of establishing a connection. And then distribute the *.anydesk.com resolve script over the entire IPv4 space - or maybe someone already has one...

avk013, 2020-08-15
@avk013

Get the addresses from the host relays.net.anydesk.com:
[bash#] host relays.net.anydesk.com
There are currently 391 addresses.
https://habr.com/ru/post/514336/
Next, use a script to hook them into the firewall or a blackhole on the router.
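
Added example, not part of avk013's answer or of the linked article: one way to turn `host` output into RouterOS address-list commands that a drop rule can reference. The list name `anydesk-relays`, the output file name and the sample addresses are assumptions; the sample input is constructed from documentation ranges so the script runs offline.

```shell
#!/bin/sh
# Added example: convert `host` output into RouterOS address-list entries.
# LIST is a hypothetical list name chosen for this example.
LIST="anydesk-relays"

# Read `host <name>` output on stdin, keep only well-formed IPv4
# "has address" records, de-duplicate them, and print one RouterOS
# command per address.
host_to_address_list() {
    awk -v list="$LIST" '
        / has address / {
            ip = $NF
            if (split(ip, o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok && !(ip in seen)) {
                seen[ip] = 1
                printf "/ip firewall address-list add list=%s address=%s comment=\"relays.net.anydesk.com\"\n", list, ip
            }
        }'
}

# Constructed sample input: a duplicate, an IPv6 record and a malformed
# address are included to show that they are skipped.
sample_host_output() {
    cat <<'EOF'
relays.net.anydesk.com has address 192.0.2.10
relays.net.anydesk.com has address 198.51.100.7
relays.net.anydesk.com has address 192.0.2.10
relays.net.anydesk.com has IPv6 address 2001:db8::1
relays.net.anydesk.com has address 999.1.1.1
EOF
}

# Live use (needs network access):
#   host relays.net.anydesk.com | host_to_address_list > anydesk.rsc
# Import anydesk.rsc on the router, then drop forwarded traffic with
# dst-address-list=anydesk-relays in /ip firewall filter.
if [ "${1:-}" = "--demo" ]; then
    sample_host_output | host_to_address_list
fi
```

The relay set changes over time, so the list has to be regenerated on a schedule and stale entries removed before each import.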

Povarinio, 2022-04-20
@Povarinio

Good afternoon, I used this variant:
# L7 pattern that matches "anydesk" in the payload
/ip firewall layer7-protocol
add name="anydesk_host" regexp="^.+(anydesk).*\$"
/ip firewall mangle
# mark outgoing connections that match the L7 pattern
add chain=postrouting action=mark-connection new-connection-mark=anydesk-conn-mark passthrough=no layer7-protocol=anydesk_host out-interface-list=WAN log=no log-prefix=""
# give packets of the marked connections a routing mark
add chain=prerouting action=mark-routing new-routing-mark=anydesk-route-mark passthrough=no connection-mark=anydesk-conn-mark log=no log-prefix=""
# make everything carrying that routing mark unreachable
/ip route rule
add routing-mark=anydesk-route-mark action=unreachable
