From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/3] Add ASN-based anomaly detections to IPFire's web proxy: Proactive Fast Flux detection and detection for selectively announced networks
Date: Mon, 05 Jul 2021 17:57:21 +0100
Message-ID:
In-Reply-To: <243ade9e-d013-089b-7189-d4752689af72@ipfire.org>

Hello Peter,

I love this feature. I think it is a one-of-a-kind thing and hopefully many more people will think the same.

However, it will need a lot of documentation and explaining.

I have a couple of high-level questions:

* Does it make sense to give the user the choice for the threshold?

It seems to be a difficult question because it requires exact knowledge of what this feature actually does. My fears are that people just set this to something like "9" and the feature would become ineffective. What use-case is there to change this?

* Selective announcements: Should this necessarily live in the proxy? Why do we not generate a filter for the firewall?

-Michael

> On 18 Jun 2021, at 18:24, Peter Müller wrote:
>
> This patchset adds two new features to IPFire's web proxy, taking advantage
> of the Autonomous System information we have at hand by using libloc.
>
> The proactive Fast Flux detection is especially worth noticing, as even most
> expensive (= advanced?) security suites do not provide similar protection,
> especially not in a proactive manner.
>
> By simply enumerating the distinct number of Autonomous System Numbers a FQDN
> ultimately resolves to, we are able to deny access to malware distribution
> sites, phishing sites, C&C servers, and other cybercrime stuff hosted on Fast
> Flux setups abusing cracked machines around the world - even before the FQDN
> or any IP address involved is flagged as malicious by any security vendor.
>
> Peter Müller (3):
>   squid-asnbl: New package
>   proxy.cgi: Implement proactive Fast Flux detection and detection for
>     selectively announced destinations
>   langs: Add English and German translations for newly added web proxy
>     features
>
>  config/rootfiles/common/squid-asnbl |  1 +
>  html/cgi-bin/proxy.cgi              | 89 +++++++++++++++++++++++++++++
>  langs/de/cgi-bin/de.pl              |  7 +++
>  langs/en/cgi-bin/en.pl              |  7 +++
>  lfs/squid-asnbl                     | 83 +++++++++++++++++++++++++++
>  make.sh                             |  1 +
>  6 files changed, 188 insertions(+)
>  create mode 100644 config/rootfiles/common/squid-asnbl
>  create mode 100644 lfs/squid-asnbl
>
> --
> 2.26.2
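The two checks discussed in this thread, modelled offline as an added example (this is not code from the patchset, from proxy.cgi or from squid-asnbl): follow a FQDN to the addresses it ultimately resolves to, map each address to its Autonomous System, count the distinct ASNs, and separately flag addresses that no announced network covers. The DNS zone, the prefix-to-ASN table standing in for libloc, the threshold semantics (deny once the distinct ASN count exceeds `max_asns`) and the reading of "selectively announced" as "no announced prefix covers the address" are all assumptions constructed for this example. The `__main__` section also runs the same fast-flux lookup with a threshold of 9 to show the effect Michael's question is about.

```python
"""Added example (not IPFire or squid-asnbl code): ASN-based anomaly checks
for a web proxy, modelled without network access.

Constructed assumptions:
  - DNS_TABLE replaces real DNS (CNAME chain followed to its A records);
  - ASN_TABLE is a toy stand-in for an IP-to-AS database such as libloc;
  - a destination is "fast flux" when its addresses map to more than
    max_asns distinct ASNs;
  - an address covered by no announced prefix counts as "selectively
    announced" (an assumption about that feature's meaning).
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed zone data: name -> ("CNAME", target) or ("A", [addresses]).
DNS_TABLE = {
    "www.example.net": ("CNAME", "cdn.example.net"),
    "cdn.example.net": ("A", ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
    "flux.example.org": ("A", ["198.51.100.200", "203.0.113.130",
                               "192.0.2.77", "198.18.4.9"]),
    "unannounced.example.com": ("A", ["100.64.0.1"]),   # no prefix below covers it
}

# Constructed announced prefixes -> ASN (documentation ASNs 64496-64511).
# Sorted longest prefix first so the first hit is the most specific route.
ASN_TABLE = sorted(
    ((ipaddress.ip_network(prefix), asn) for prefix, asn in [
        ("198.51.100.0/24", 64496),
        ("203.0.113.0/24", 64497),
        ("203.0.113.128/25", 64500),   # more specific than the /24 above
        ("192.0.2.0/24", 64498),
        ("198.18.0.0/15", 64499),
    ]),
    key=lambda entry: entry[0].prefixlen, reverse=True,
)


def resolve(fqdn: str, max_depth: int = 8) -> List[str]:
    """Follow CNAMEs until A records are found; [] for unknown names."""
    name = fqdn.lower().rstrip(".")
    for _ in range(max_depth):
        rtype, data = DNS_TABLE.get(name, ("NXDOMAIN", None))
        if rtype == "CNAME":
            name = data
        elif rtype == "A":
            return list(data)
        else:
            return []
    raise ValueError(f"CNAME chain for {fqdn} longer than {max_depth}")


def lookup_asn(ip: str) -> Optional[int]:
    """Longest-prefix match; None when no announced prefix covers ip."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


class Verdict(NamedTuple):
    fqdn: str
    asns: List[int]          # distinct ASNs the name resolves into, sorted
    unannounced: List[str]   # addresses with no announced prefix
    action: str              # "allow" or "deny"
    reason: str


def classify(fqdn: str, max_asns: int = 2, block_unannounced: bool = True) -> Verdict:
    """Apply both checks to one destination and return the proxy decision."""
    asns, unannounced = set(), []
    for ip in resolve(fqdn):
        asn = lookup_asn(ip)
        if asn is None:
            unannounced.append(ip)
        else:
            asns.add(asn)
    seen = sorted(asns)
    if block_unannounced and unannounced:
        return Verdict(fqdn, seen, unannounced, "deny",
                       "selectively announced destination: " + ", ".join(unannounced))
    if len(seen) > max_asns:
        return Verdict(fqdn, seen, unannounced, "deny",
                       f"fast flux suspected: {len(seen)} distinct ASNs > threshold {max_asns}")
    return Verdict(fqdn, seen, unannounced, "allow", "")


if __name__ == "__main__":
    for name in ("www.example.net", "flux.example.org", "unannounced.example.com"):
        v = classify(name)
        print(f"{v.fqdn:<24} {v.action:<5} ASNs={v.asns} {v.reason}")
    # A user-chosen threshold of 9 lets the same four-ASN destination through.
    v = classify("flux.example.org", max_asns=9)
    print(f"{v.fqdn:<24} {v.action:<5} ASNs={v.asns} (threshold 9)")
```

The longest-prefix sort matters: 203.0.113.130 must be attributed to the /25 announcement (AS64500), not the covering /24, or the distinct-ASN count is wrong in exactly the direction an attacker benefits from.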