From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH v2 2/3] proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations Date: Tue, 12 Oct 2021 12:43:00 +0100 Message-ID: In-Reply-To: <4b9c5dc3-2bd7-2616-82da-971465a6aa9d@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3291423711606439806==" List-Id: --===============3291423711606439806== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Looks okay to me now. Thank you for working on this. Reviewed-by: Michael Tremer > On 10 Oct 2021, at 18:43, Peter M=C3=BCller wr= ote: >=20 > This patch adds two new features to IPFire's web proxy: >=20 > (a) Proactive Fast Flux detection > FQDNs are resolved to their IP addresses, which are then resolved to > corresponding Autonomous System Numbers using IPFire's location > database. Most destinations will scatter across a very low number of > ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast > Flux setups have a significantly higher ASN diversity (5 is usually > a good threshold), so they can be proactively detected. >=20 > (b) Detection for selectively announced destinations > Especially in targeted operations, miscreants host FQDNs for > exfiltrating data or malware distributions on ASNs not announced > globally, but only to the intended victim or it's upstream ISPs. >=20 > That way, security researchers located in other parts of the > internet have no insights into these attacks, hence not being able > to publish listings or send take down notices for the domains used. >=20 > While RPKI made this attack harder, it can still be observed every > now and then. >=20 > This feature also protects against accessing FQDNs resolving to IP > addresses not being globally routeable, hence providing a trivial > mitigation for so-called "rebound attacks" - which we cannot filter > at DNS level currently. 
>=20 > The second version of this patch consumes the user-defined whitelist for > the URL filter (if present and populated) for the ASNBL helper as well, > to make exceptions for funny destinations such as fedoraproject.org > possible. In addition, the ASNBL helper's sanity tests no longer include > publicly routable IP addresses, so failures on location01 cannot brick > IPFire installations in the field. >=20 > Thanks to Michael Tremer and Adolf Belka for these suggestions. >=20 > Signed-off-by: Peter M=C3=BCller > --- > html/cgi-bin/proxy.cgi | 98 ++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 98 insertions(+) >=20 > diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi > index 966593e4d..202a8f3bc 100644 > --- a/html/cgi-bin/proxy.cgi > +++ b/html/cgi-bin/proxy.cgi > @@ -21,6 +21,7 @@ >=20 > use strict; > use Apache::Htpasswd; > +use Scalar::Util qw(looks_like_number); >=20 > # enable only the following on debugging purpose > #use warnings; > @@ -229,6 +230,9 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} =3D 'unlimited= '; > $proxysettings{'THROTTLING_GREEN_HOST'} =3D 'unlimited'; > $proxysettings{'THROTTLING_BLUE_TOTAL'} =3D 'unlimited'; > $proxysettings{'THROTTLING_BLUE_HOST'} =3D 'unlimited'; > +$proxysettings{'ASNBL_FASTFLUX_DETECTION'} =3D 'off'; > +$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} =3D '5'; > +$proxysettings{'ASNBL_SELECANN_DETECTION'} =3D 'off'; > $proxysettings{'ENABLE_MIME_FILTER'} =3D 'off'; > $proxysettings{'AUTH_METHOD'} =3D 'none'; > $proxysettings{'AUTH_REALM'} =3D ''; 
> @@ -418,6 +422,21 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) ||= ($proxysettings{'ACTION'} > $errormessage =3D $Lang::tr{'invalid maximum incoming size'}; > goto ERROR; > } > + if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettin= gs{'ASNBL_SELECANN_DETECTION'} eq 'on')) > + { > + if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) { > + $errormessage =3D $Lang::tr{'advproxy fastflux no threshold given'}; > + goto ERROR; > + } > + if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) { > + $errormessage =3D $Lang::tr{'advproxy fastflux threshold invalid'}; > + goto ERROR; > + } > + if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{= 'ASNBL_FASTFLUX_THRESHOLD'} > 10)) { > + $errormessage =3D $Lang::tr{'advproxy fastflux threshold out of bounds'= }; > + goto ERROR; > + } > + } > if (!($proxysettings{'AUTH_METHOD'} eq 'none')) > { > unless (($proxysettings{'AUTH_METHOD'} eq 'ident') && > @@ -801,6 +820,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THR= OTTLING_GREEN_HOST'}} =3D "s > $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}}= =3D "selected=3D'selected'"; > $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = =3D "selected=3D'selected'"; >=20 > +$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} =3D ''; > +$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} =3D ''; > +$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECT= ION'}} =3D "checked=3D'checked'"; > + > +$checked{'ASNBL_SELECANN_DETECTION'}{'off'} =3D ''; > +$checked{'ASNBL_SELECANN_DETECTION'}{'on'} =3D ''; > +$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECT= ION'}} =3D "checked=3D'checked'"; > + > $checked{'ENABLE_MIME_FILTER'}{'off'} =3D ''; > $checked{'ENABLE_MIME_FILTER'}{'on'} =3D ''; > $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} =3D "c= hecked=3D'checked'"; > @@ -1633,6 +1660,24 @@ END > print < >=20 > +
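Review bot: `-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}` in the new validation block is a file test, not an empty-string test: it stats a file named after the threshold value in the process's working directory, so for an empty setting it returns undef and the 'no threshold given' branch never fires (the empty case is only caught one check later, with the 'threshold invalid' message). The same construct appears as `!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}` in the guard of the @@ -3525 hunk, where it is effectively always true. `looks_like_number` also accepts floats, exponents, leading whitespace and, as far as I recall, `NaN`, which compares false against both bounds and would pass the range test straight into AS_DIVERSITY_THRESHOLD in the helper configuration. An anchored integer match is the tighter check: `if (!length $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) {` for the 'no threshold given' error and `if ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} !~ /\A\d+\z/) {` in place of the `looks_like_number` test. The enclosing save-action `if` block starts before and ends after this hunk.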
> + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > +
$Lang::tr{'advproxy asbased anomaly detection'}
$Lang::tr{'advproxy fastflux detection'}:$Lang::tr{'advproxy fastflux detection threshold= '}:
$Lang::tr{'advproxy selectively announcements de= tection'}:
> + >
> END > ; 
> @@ -3525,6 +3570,59 @@ if (@ssl_ports) { > print FILE "http_access deny CONNECT !SSL_ports\n"; > } >=20 > + if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxys= ettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETE= CTION'} eq 'on')) { > + print FILE "external_acl_type asnblhelper children-max=3D10 children-sta= rtup=3D2 ttl=3D86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/a= snbl-helper.conf\n"; > + print FILE "acl asnbl external asnblhelper\n"; > + > + # Use the user-defined URL filter whitelist (if present and populated) f= or the ASNBL helper as well > + # Necessary for destinations such as fedoraproject.org, but we do not wa= nt to maintain a dedicated > + # or hardcoded list for such FQDNs. > + if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains"= ) && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) { > + print FILE "acl asnbl_whitelisted_destinations dstdomain \"${General::s= wroot}/urlfilter/blacklists/custom/allowed/domains\"\n"; > + print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n"; > + } else { > + print FILE "http_access deny asnbl\n\n"; > + } > + > + # Write ASNBL helper configuration file... > + open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf"); > + flock(ASNBLFILE, 2); > + > + print ASNBLFILE< +# > +# This file has been automatically generated. Manual changes will be overw= ritten. 
> +# > + > +[GENERAL] > +LOGLEVEL =3D INFO > +ASNDB_PATH =3D /var/lib/location/database.db > +USE_REPLYMAP =3D no > +END > +; > + > + print ASNBLFILE "AS_DIVERSITY_THRESHOLD =3D $proxysettings{'ASNBL_FASTFL= UX_THRESHOLD'}\n"; > + > + if ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on') { > + print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS =3D yes\n"; > + } else { > + print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS =3D no\n"; > + } > + > + if ($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') { > + print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS =3D yes\n"; > + } else { > + print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS =3D no\n"; > + } > + > + print ASNBLFILE< +TESTDATA =3D (10.0.0.1, 0) (127.0.0.1, 0) (fe80::1, 0) > +ACTIVE_ASNBLS =3D=20 > +END > +; > + > + close ASNBLFILE; > + } > + > if ($proxysettings{'AUTH_METHOD'} eq 'ident') > { > print FILE "#Set ident ACLs\n"; > --=20 > 2.26.2 --===============3291423711606439806==--
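Review bot: The helper configuration is written through an unchecked two-arg `open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf")` on a bareword handle, a bare-numeric `flock(ASNBLFILE, 2)` and an unchecked `close ASNBLFILE`, so a failed open or a buffered write error leaves squid.conf referencing an `external_acl_type` whose configuration file is missing or stale while the CGI reports success; whether asnbl-helper.py then fails open or closed is not visible in this hunk. Prefer `open(ASNBLFILE, '>', "${General::swroot}/proxy/asnbl-helper.conf") or die "Cannot write asnbl-helper.conf: $!";`, `flock(ASNBLFILE, LOCK_EX);` (with `use Fcntl qw(:flock);` added next to the new `Scalar::Util` import) and `close ASNBLFILE or die "Cannot close asnbl-helper.conf: $!";`, or at least whatever failure handling the surrounding writer of `FILE` uses, which is outside the hunk. A short comment above the block such as `# Only reached when at least one ASNBL check is enabled; the threshold was validated on save` would also help, since the guard condition duplicates the save-time validation. The enclosing block that writes squid.conf starts outside this hunk.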