proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations
This patch adds two new features to IPFire's web proxy:
(a) Proactive Fast Flux detection
FQDNs are resolved to their IP addresses, which are then resolved to
corresponding Autonomous System Numbers using IPFire's location
database. Most destinations will scatter across a very low number of
ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast
Flux setups have a significantly higher ASN diversity (5 is usually
a good threshold), so they can be proactively detected.
(b) Detection for selectively announced destinations
Especially in targeted operations, miscreants host FQDNs for
exfiltrating data or malware distributions on ASNs not announced
globally, but only to the intended victim or it's upstream ISPs.
That way, security researchers located in other parts of the
internet have no insights into these attacks, hence not being able
to publish listings or send take down notices for the domains used.
While RPKI made this attack harder, it can still be observed every
now and then.
This feature also protects against accessing FQDNs resolving to IP
addresses not being globally routeable, hence providing a trivial
mitigation for so-called "rebound attacks" - which we cannot filter
at DNS level currently.
The second version of this patch consumes the user-defined whitelist for
the URL filter (if present and populated) for the ASNBL helper as well,
to make exceptions for funny destinations such as fedoraproject.org
possible. In addition, the ASNBL helper's sanity tests no longer include
publicly routable IP addresses, so failures on location01 cannot brick
IPFire installations in the field.
Thanks to Michael Tremer and Adolf Belka for these suggestions.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / people / pmueller / ipfire-2.x.git / commit
