Re: [PATCH 0/3] Add ASN-based anomaly detections to IPFire's web proxy: Proactive Fast Flux detection and detection for selectively announced networks

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2288 bytes --]

Hello Peter,

I love this feature. I think it is a one-of-a-kind thing and hopefully many more people will think the same.

However, it will need a lot of documentation and explaining.

I have a couple of high-level questions:

* Does it make sense to give the user the choice for the threshold?

It seems to be a difficult question because it requires exact knowledge what this feature actually does. My fears are that people just set this to something like “9” and the feature would become ineffective. What use-case is there to change this?

* Selective announcements: Should this necessarily live in the proxy? Why do we not generate a filter for the firewall?

-Michael

> On 18 Jun 2021, at 18:24, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This patchset adds two new features to IPFire's web proxy, taking advantage
> of the Autonomous System information we have at hand by using libloc.
> 
> The proactive Fast Flux detection is especially worth noticing, as even most
> expensive (= advanced?) security suites do not provide similar protection,
> especially not in a proactive manner.
> 
> By simply enumerating the distinct amount of Autonomous System Numbers a FQDN
> ultimately resolves to, we are able to deny access to malware distribution
> sites, phishing sites, C&C servers, and other cybercrime stuff hosted on Fast
> Flux setups abusing cracked machines around the world - even before the FQDN
> or any IP address involved is flagged as malicious by any security vendor.
> 
> Peter Müller (3):
>  squid-asnbl: New package
>  proxy.cgi: Implement proactive Fast Flux detection and detection for
>    selectively announced destinations
>  langs: Add English and German translations for newly added web proxy
>    features
> 
> config/rootfiles/common/squid-asnbl |  1 +
> html/cgi-bin/proxy.cgi              | 89 +++++++++++++++++++++++++++++
> langs/de/cgi-bin/de.pl              |  7 +++
> langs/en/cgi-bin/en.pl              |  7 +++
> lfs/squid-asnbl                     | 83 +++++++++++++++++++++++++++
> make.sh                             |  1 +
> 6 files changed, 188 insertions(+)
> create mode 100644 config/rootfiles/common/squid-asnbl
> create mode 100644 lfs/squid-asnbl
> 
> -- 
> 2.26.2