From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH 2/3] proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations Date: Mon, 05 Jul 2021 19:31:51 +0200 Message-ID: <5f71c08a-fc6d-b238-bcd9-716e45949078@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0343454494076666705==" List-Id: --===============0343454494076666705== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, > Hello, >=20 >> On 18 Jun 2021, at 18:24, Peter M=C3=BCller w= rote: >> >> This patch adds two new features to IPFire's web proxy: >> >> (a) Proactive Fast Flux detection >> FQDNs are resolved to their IP addresses, which are then resolved to >> corresponding Autonomous System Numbers using IPFire's location >> database. Most destinations will scatter across a very low number of >> ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast >> Flux setups have a significantly higher ASN diversity (5 is usually >> a good threshold), so they can be proactively detected. >> >> (b) Detection for selectively announced destinations >> Especially in targeted operations, miscreants host FQDNs for >> exfiltrating data or malware distributions on ASNs not announced >> globally, but only to the intended victim or it's upstream ISPs. >> >> That way, security researchers located in other parts of the >> internet have no insights into these attacks, hence not being able >> to publish listings or send take down notices for the domains used. >> >> While RPKI made this attack harder, it can still be observed every >> now and then. >> >> This feature also protects against accessing FQDNs resolving to IP >> addresses not being globally routeable, hence providing a trivial >> mitigation for so-called "rebound attacks" - which we cannot filter >> at DNS level currently. >> >> Signed-off-by: Peter M=C3=BCller >> --- >> html/cgi-bin/proxy.cgi | 89 ++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 89 insertions(+) >> >> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi >> index 78ad33ad2..b7227deaf 100644 >> --- a/html/cgi-bin/proxy.cgi >> +++ b/html/cgi-bin/proxy.cgi >> @@ -21,6 +21,7 @@ >> >> use strict; >> use Apache::Htpasswd; >> +use Scalar::Util qw(looks_like_number); >> >> # enable only the following on debugging purpose >> #use warnings; >> @@ -225,6 +226,9 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} =3D 'unlimite= d'; >> $proxysettings{'THROTTLING_GREEN_HOST'} =3D 'unlimited'; >> $proxysettings{'THROTTLING_BLUE_TOTAL'} =3D 'unlimited'; >> $proxysettings{'THROTTLING_BLUE_HOST'} =3D 'unlimited'; >> +$proxysettings{'ASNBL_FASTFLUX_DETECTION'} =3D 'off'; >> +$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} =3D '5'; >> +$proxysettings{'ASNBL_SELECANN_DETECTION'} =3D 'off'; >> $proxysettings{'ENABLE_MIME_FILTER'} =3D 'off'; >> $proxysettings{'AUTH_METHOD'} =3D 'none'; >> $proxysettings{'AUTH_REALM'} =3D ''; >> @@ -414,6 +418,21 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) |= | ($proxysettings{'ACTION'} >> $errormessage =3D $Lang::tr{'invalid maximum incoming size'}; >> goto ERROR; >> } >> + if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysetti= ngs{'ASNBL_SELECANN_DETECTION'} eq 'on')) >> + { >> + if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) { >> + $errormessage =3D $Lang::tr{'advproxy fastflux no threshold given'}; >> + goto ERROR; >> + } >> + if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) { >> + $errormessage =3D $Lang::tr{'advproxy fastflux threshold invalid'}; >> + goto ERROR; >> + } >> + if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings= {'ASNBL_FASTFLUX_THRESHOLD'} > 10)) { >> + $errormessage =3D $Lang::tr{'advproxy fastflux threshold out of bounds= '}; >> + goto ERROR; >> + } >> + } >> if (!($proxysettings{'AUTH_METHOD'} eq 'none')) >> { >> unless (($proxysettings{'AUTH_METHOD'} eq 'ident') && >> @@ -797,6 +816,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'TH= ROTTLING_GREEN_HOST'}} =3D "s >> $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}= } =3D "selected=3D'selected'"; >> $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = =3D "selected=3D'selected'"; >> >> +$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} =3D ''; >> +$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} =3D ''; >> +$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETEC= TION'}} =3D "checked=3D'checked'"; >> + >> +$checked{'ASNBL_SELECANN_DETECTION'}{'off'} =3D ''; >> +$checked{'ASNBL_SELECANN_DETECTION'}{'on'} =3D ''; >> +$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETEC= TION'}} =3D "checked=3D'checked'"; >> + >> $checked{'ENABLE_MIME_FILTER'}{'off'} =3D ''; >> $checked{'ENABLE_MIME_FILTER'}{'on'} =3D ''; >> $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} =3D "= checked=3D'checked'"; >> @@ -1627,6 +1654,24 @@ END >> print <> >> >> +
>> + >> + >> + >> + >> + >> + >> + >> + >> + >> + >> + >> + >> + >> + >> + >> +
$Lang::tr{'advproxy asbased anomaly detection'}
$Lang::tr{'advproxy fastflux detection'}:$Lang::tr{'advproxy fastflux detection threshol= d'}:
$Lang::tr{'advproxy selectively announcements d= etection'}:
>> + >>
>> END >> ; >> @@ -3507,6 +3552,50 @@ if (@ssl_ports) { >> print FILE "http_access deny CONNECT !SSL_ports\n"; >> } >> >> + if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxy= settings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DET= ECTION'} eq 'on')) { >> + print FILE "external_acl_type asnblhelper children-max=3D10 children-st= artup=3D2 ttl=3D86400 %DST /usr/bin/asnbl-helper.py /var/ipfire/proxy/asnbl-h= elper.conf\n"; >> + print FILE "acl asnbl external asnblhelper\n"; >> + print FILE "http_access deny asnbl\n\n"; >> + >> + # Write ASNBL helper configuration file... >> + open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf"); >> + flock(ASNBLFILE, 2); >> + >> + print ASNBLFILE<> +# >> +# This file has been automatically generated. Manual changes will be over= written. >> +# >> + >> +[GENERAL] >> +LOGLEVEL =3D INFO >> +ASNDB_PATH =3D /var/lib/location/database.db >> +USE_REPLYMAP =3D no >> +END >> +; >> + >> + print ASNBLFILE "AS_DIVERSITY_THRESHOLD =3D $proxysettings{'ASNBL_FASTF= LUX_THRESHOLD'}\n"; >> + >> + if ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on') { >> + print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS =3D yes\n"; >> + } else { >> + print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS =3D no\n"; >> + } >> + >> + if ($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') { >> + print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS =3D yes\n"; >> + } else { >> + print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS =3D no\n"; >> + } >> + >> + print ASNBLFILE<> +TESTDATA =3D (1.1.1.1, 13335) (8.8.8.8, 15169) (194.95.245.140, 680) (10.= 0.0.1, 0) (127.0.0.1, 0) (2001:638:d:c102::140, 680) (2606:4700:10::6814:d673= , 13335) (fe80::1, 0) >=20 > Why do we want to hard-code this here? Because the ASNBL helper requires some test points to ensure the location dat= abase provided is actually working. It is designed to prefer "fail close" (i. e. stopping operation in c= ase something is rendering its purpose useless) rather than "fail open" (i. e. logging a warning and pro= ceed anyway, even if the location database returns "0" for any given IP address). > Does that not (if anywhere) belong into libloc? I disagree with hard-coding= this, because what happens if Google moves their DNS server? It would break = this feature. Partly. We should have some sanity checks in libloc as well, but they ultimat= ely boil down to the same problem: We need a set of relatively statically propagated IP addresses, which the int= ernet does not have by nature. Do you have a better proposal for testing points? Like the IP address of our = own NTP server, which we hard-coded somewhere else, too? Thanks, and best regards, Peter M=C3=BCller >=20 > -Michael >=20 >> +ACTIVE_ASNBLS =3D=20 >> +END >> +; >> + >> + close ASNBLFILE; >> + } >> + >> if ($proxysettings{'AUTH_METHOD'} eq 'ident') >> { >> print FILE "#Set ident ACLs\n"; >> --=20 >> 2.26.2 >=20 --===============0343454494076666705==--