From: Peter Müller
To: "IPFire: Development"
Subject: [PATCH 0/3] Add ASN-based anomaly detections to IPFire's web proxy: Proactive Fast Flux detection and detection for selectively announced networks
Message-ID: <243ade9e-d013-089b-7189-d4752689af72@ipfire.org>
Date: Fri, 18 Jun 2021 19:24:13 +0200
List-Id: IPFire development talk (development@lists.ipfire.org)

This patchset adds two new features to IPFire's web proxy, taking advantage of the Autonomous System information we have at hand by using libloc.

The proactive Fast Flux detection is especially worth noticing, as even most expensive (= advanced?) security suites do not provide similar protection, especially not in a proactive manner.

By simply enumerating the distinct amount of Autonomous System Numbers a FQDN ultimately resolves to, we are able to deny access to malware distribution sites, phishing sites, C&C servers, and other cybercrime stuff hosted on Fast Flux setups abusing cracked machines around the world - even before the FQDN or any IP address involved is flagged as malicious by any security vendor.

Peter Müller (3):
  squid-asnbl: New package
  proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations
  langs: Add English and German translations for newly added web proxy features

 config/rootfiles/common/squid-asnbl |  1 +
 html/cgi-bin/proxy.cgi              | 89 +++++++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl              |  7 +++
 langs/en/cgi-bin/en.pl              |  7 +++
 lfs/squid-asnbl                     | 83 +++++++++++++++++++++++++++
 make.sh                             |  1 +
 6 files changed, 188 insertions(+)
 create mode 100644 config/rootfiles/common/squid-asnbl
 create mode 100644 lfs/squid-asnbl
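The two heuristics the cover letter describes, written out as an added illustration that is not code from the patchset or from squid-asnbl: every address a FQDN resolves to is mapped to its origin ASN, the distinct ASNs are counted against a threshold (Fast Flux), and any address that falls outside every announced prefix is reported (the reading of "selectively announced" used here). The prefix-to-ASN table stands in for a libloc lookup, the DNS answers are constructed so the block runs offline, and the threshold `max_asns` is an assumed parameter, not a value taken from the patches.

```python
import ipaddress
from typing import Optional

# Constructed prefix -> origin ASN table standing in for a libloc database lookup.
# Documentation/private ranges and private AS numbers only; none of this is real data.
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("203.0.113.0/25"): 64498,
    ipaddress.ip_network("203.0.113.128/25"): 64499,
    ipaddress.ip_network("2001:db8::/32"): 64500,
}

# Constructed A/AAAA answers so the example runs offline; a real helper would
# resolve the FQDN itself (assumption: via socket.getaddrinfo or a DNS library).
RESOLVED = {
    "www.example.com": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "flux.example.net": ["192.0.2.33", "198.51.100.7", "203.0.113.5", "203.0.113.200"],
    "odd.example.org": ["198.51.100.9", "100.64.0.1"],
}


def lookup_asn(ip: str) -> Optional[int]:
    """Longest-prefix match of one address against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_asn = None, None
    for net, asn in ASN_TABLE.items():
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_asn = net, asn
    return best_asn


def analyse(fqdn: str, addresses: list, max_asns: int = 3) -> dict:
    """fast_flux: the addresses originate from >= max_asns distinct ASNs (threshold assumed);
    selectively_announced: at least one address lies outside every announced prefix."""
    asns, unannounced = set(), []
    for ip in addresses:
        asn = lookup_asn(ip)
        if asn is None:
            unannounced.append(ip)      # no announced prefix covers this address
        else:
            asns.add(asn)
    return {"fqdn": fqdn, "asns": sorted(asns), "unannounced": unannounced,
            "fast_flux": len(asns) >= max_asns,
            "selectively_announced": bool(unannounced)}
```

Run `analyse(name, ips)` over the entries of `RESOLVED`: only `flux.example.net` trips the Fast Flux check and only `odd.example.org` trips the unannounced-address check.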