From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/3] Add ASN-based anomaly detections to IPFire's web proxy: Proactive Fast Flux detection and detection for selectively announced networks
Date: Mon, 05 Jul 2021 19:27:50 +0200
Message-ID: <18ce6cea-a141-c91e-61ca-8fd1b9c4ab01@ipfire.org>

Hello Michael,

thank you for your reply.

> Hello Peter,
>
> I love this feature. I think it is a one-of-a-kind thing and hopefully many more people will think the same.

Yes, I like the idea, too. Sometimes, security can be simple _and_ effective... :-)

> However, it will need a lot of documentation and explaining.

Indeed. I was thinking about a blog post for it; we probably need to explain Fast Flux in the first place, and I am not sure if all of our users are aware of the existence of autonomous systems.

> I have a couple of high-level questions:
>
> * Does it make sense to give the user the choice for the threshold?
>
> It seems to be a difficult question because it requires exact knowledge of what this feature actually does. My fears are that people just set this to something like "9" and the feature would become ineffective. What use-case is there to change this?

One size never fits all, I guess.

Indeed, the range of useful threshold values is pretty small: Anything below 4 causes _way_ too many false positives in a production environment, whereas even 7 appears to be too ineffective.

At the moment, the CGI catches values the ASNBL helper would treat itself as being invalid. Do you think narrowing down this range to 4 to 7 makes sense? Or should we replace it by a dropdown for adjusting sensitivity?

Either way, it is a good idea to tell users to leave the default where it is unless they truly understand what they are doing.

> * Selective announcements: Should this necessarily live in the proxy? Why do we not generate a filter for the firewall?

We can do so as well, and I would love to see such a feature landing in IPFire.

Given our current state of libloc, I doubt this is possible: We would need a function that returns all networks we do not have an AS for - to my knowledge, the libloc (bindings) do not support this at the moment.

Apart from that: On a packet filter level, we lack the FQDN of a destination, which might be useful to have for debugging or forensic reasons.

Also, the users will experience a timeout after n seconds. Having selective announcement detection turned on, they'll get their error message straight away. I was told this improves UX... :-)

Thanks, and best regards,
Peter Müller

>
> -Michael
>
>> On 18 Jun 2021, at 18:24, Peter Müller wrote:
>>
>> This patchset adds two new features to IPFire's web proxy, taking advantage
>> of the Autonomous System information we have at hand by using libloc.
>>
>> The proactive Fast Flux detection is especially worth noticing, as even most
>> expensive (= advanced?) security suites do not provide similar protection,
>> especially not in a proactive manner.
>>
>> By simply enumerating the distinct number of Autonomous System Numbers a FQDN
>> ultimately resolves to, we are able to deny access to malware distribution
>> sites, phishing sites, C&C servers, and other cybercrime stuff hosted on Fast
>> Flux setups abusing cracked machines around the world - even before the FQDN
>> or any IP address involved is flagged as malicious by any security vendor.
>>
>> Peter Müller (3):
>>   squid-asnbl: New package
>>   proxy.cgi: Implement proactive Fast Flux detection and detection for
>>     selectively announced destinations
>>   langs: Add English and German translations for newly added web proxy
>>     features
>>
>>  config/rootfiles/common/squid-asnbl |  1 +
>>  html/cgi-bin/proxy.cgi              | 89 +++++++++++++++++++++++++++++
>>  langs/de/cgi-bin/de.pl              |  7 +++
>>  langs/en/cgi-bin/en.pl              |  7 +++
>>  lfs/squid-asnbl                     | 83 +++++++++++++++++++++++++++
>>  make.sh                             |  1 +
>>  6 files changed, 188 insertions(+)
>>  create mode 100644 config/rootfiles/common/squid-asnbl
>>  create mode 100644 lfs/squid-asnbl
>>
>> --
>> 2.26.2
>
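As an added illustration of the two checks this thread discusses (example code written for this page, not squid-asnbl's or IPFire's own implementation): the distinct ASNs a name resolves to are counted over constructed tables standing in for DNS answers and libloc lookups, the 4 to 7 threshold range and the "count >= threshold" comparison are assumptions taken from the discussion, and a destination resolving to an address with no originating AS is treated as selectively announced.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (documentation prefixes, not real DNS or libloc data).
RESOLVED: Dict[str, List[str]] = {
    "cdn.example.org":  ["192.0.2.10", "192.0.2.11", "198.51.100.7"],
    "flux.example.net": ["192.0.2.20", "198.51.100.30", "203.0.113.40",
                         "203.0.113.41", "198.51.100.99", "192.0.2.77"],
    "dark.example.com": ["203.0.113.200"],
}
# IP -> origin ASN; None means no AS announces a covering prefix.
ASN_OF: Dict[str, Optional[int]] = {
    "192.0.2.10": 64500, "192.0.2.11": 64500, "198.51.100.7": 64501,
    "192.0.2.20": 64502, "198.51.100.30": 64503, "203.0.113.40": 64504,
    "203.0.113.41": 64505, "198.51.100.99": 64506, "192.0.2.77": 64502,
    "203.0.113.200": None,
}

# Assumed from the thread: values outside 4..7 are either too noisy or ineffective.
MIN_THRESHOLD, MAX_THRESHOLD = 4, 7


def threshold_is_valid(value: int) -> bool:
    """Mirror the CGI-side range check before handing the value to the helper."""
    return MIN_THRESHOLD <= value <= MAX_THRESHOLD


def origin_asns(fqdn: str) -> Tuple[Set[int], List[str]]:
    """Return the distinct origin ASNs of a name and the IPs lacking any AS."""
    asns: Set[int] = set()
    unannounced: List[str] = []
    for ip in RESOLVED.get(fqdn, []):
        asn = ASN_OF.get(ip)
        if asn is None:
            unannounced.append(ip)
        else:
            asns.add(asn)
    return asns, unannounced


def verdict(fqdn: str, threshold: int = 5, block_unannounced: bool = True) -> str:
    """Decide whether the proxy should deny the destination and why."""
    if not threshold_is_valid(threshold):
        raise ValueError(f"threshold {threshold} outside {MIN_THRESHOLD}..{MAX_THRESHOLD}")
    asns, unannounced = origin_asns(fqdn)
    if block_unannounced and unannounced:
        return "deny: selectively announced"   # no AS known for at least one address
    if len(asns) >= threshold:                 # assumed comparison, see lead-in
        return "deny: fast flux"
    return "allow"
```

A real deployment would replace the two tables with the resolver and libloc, and log the FQDN together with the triggering ASN set so that false positives on large CDNs can be reviewed.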