Anomaly detections

Work in progress....

Fast Flux Detection was added in IPFire 2.27 - Core Update 161.

Thanks to libloc, the free and open source location database, IPFire ships with an accurate, trustworthy database for mapping IP addresses to countries and Autonomous Systems, and vice versa. This makes a new feature possible: proactive detection of Fast Flux setups, which are commonly used by criminals to host questionable and malicious content on compromised machines around the world, rotating a hostname from one infected PC, IoT device, or router to another within minutes, so that the addresses behind a single name are scattered across many unrelated networks.

To the best of our knowledge, this is a unique feature. Unlike other security mechanisms such as AV scanners, which often lag behind, it detects infrastructure used for malware distribution, phishing, C&C servers and other nefarious purposes proactively, before any threat intelligence source knows about it, because it judges the hosting pattern rather than matching a list of known-bad indicators. Even better, measurements done so far indicate a near-zero false positive rate in production environments.

If you are using IPFire's built-in web proxy, all you need to do is tick the corresponding checkbox on the web proxy page, hit the "save and reload" button at the bottom of that page, and you're done.


The IPFire blog post announcing this feature explains in more detail what Fast Flux hosting looks like, how it is used by cyber criminals, and how IPFire detects it.

View Log

A detection of a selectively announced network causes messages like the following to appear in the /var/log/squid/cache.log file:

[root@ipfire ~] # grep squid-asnbl-helper /var/log/squid/cache.log

Dec 16 14:19:00 squid-asnbl-helper[26233] WARN: Destination 'www.foke.es' resolves to IP addresses 'fe80::ccde:4cff:fea2:57ae' without corresponding ASN, probably selectively announced
Dec 16 14:19:00 squid-asnbl-helper[26233] INFO: Denying access to destination 'www.foke.es' due to suspected selective announcements

For some reason, the folks at www.foke.es put an AAAA record into DNS that points into fe80::/10, the IPv6 link-local range (the counterpart of 169.254.0.0/16 for IPv4, not of 127.0.0.0/8, which is loopback). Link-local addresses are never announced in BGP, so libloc cannot map them to any Autonomous System, and an address without an ASN is exactly what the helper treats as a selective announcement. This triggers the anomaly detection, and the proxy denies the whole destination even if its remaining A or AAAA records are perfectly ordinary.
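To make the checks concrete, here is an added, self-contained Python model of the logic described in the introduction and in the log above. It is not IPFire's squid-asnbl-helper and does not talk to libloc or DNS: the ASN table, the hostnames and their DNS answers are constructed for the example (documentation prefixes and private-use AS numbers), the `max_asns` threshold is an assumed value rather than IPFire's setting, and the log messages are modelled on the lines shown above.

```python
"""Added example, not IPFire's squid-asnbl-helper: an offline model of the
"selectively announced" and Fast Flux checks described on this page."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the libloc database: prefix -> announcing ASN.
# Documentation prefixes (RFC 5737, RFC 3849) and private-use ASNs (RFC 6996).
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("192.0.2.0/24"): 64498,
    ipaddress.ip_network("2001:db8::/32"): 64499,
}

# Constructed DNS answers (what a real helper would get from getaddrinfo).
DNS = {
    "www.example.org": ["203.0.113.10", "203.0.113.11"],            # one AS
    "dualstack.example.org": ["203.0.113.50", "2001:db8::50"],     # two ASes, still normal
    "flux.example.net": ["203.0.113.10", "198.51.100.20", "192.0.2.30"],  # three unrelated ASes
    "linklocal.example.com": ["203.0.113.40", "fe80::ccde:4cff:fea2:57ae"],  # like www.foke.es above
}


def lookup_asn(addr: str) -> Optional[int]:
    """Return the ASN announcing addr, or None if no AS announces it."""
    ip = ipaddress.ip_address(addr)
    # Link-local (fe80::/10, 169.254.0.0/16), loopback, unspecified and multicast
    # addresses are never announced in BGP, so no ASN can exist for them.
    if ip.is_link_local or ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return None
    # Longest-prefix match over the constructed table.
    best = None
    for net, asn in ASN_TABLE.items():
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None


def check_destination(name: str, addresses: List[str], max_asns: int = 2) -> Tuple[str, List[str]]:
    """Classify one destination from its resolved addresses.

    Returns (verdict, log_lines). Verdicts: "OK", "SELECTIVE" (at least one
    address has no ASN) or "FASTFLUX" (addresses spread over more than
    max_asns Autonomous Systems). max_asns=2 is an assumed threshold for this
    example, not IPFire's configured value.
    """
    log: List[str] = []
    asns = set()
    no_asn = []
    for addr in addresses:
        asn = lookup_asn(addr)
        if asn is None:
            no_asn.append(addr)
        else:
            asns.add(asn)
    if no_asn:
        log.append(f"WARN: Destination '{name}' resolves to IP addresses "
                   f"'{', '.join(no_asn)}' without corresponding ASN, probably selectively announced")
        log.append(f"INFO: Denying access to destination '{name}' due to suspected selective announcements")
        return "SELECTIVE", log
    if len(asns) > max_asns:
        log.append(f"WARN: Destination '{name}' resolves to IP addresses in {len(asns)} ASNs "
                   f"{sorted(asns)}, probably Fast Flux")
        log.append(f"INFO: Denying access to destination '{name}' due to suspected Fast Flux")
        return "FASTFLUX", log
    return "OK", log


def check_all(dns: Dict[str, List[str]] = DNS, max_asns: int = 2) -> Dict[str, str]:
    """Verdict per hostname for a whole set of constructed DNS answers."""
    return {name: check_destination(name, addrs, max_asns)[0] for name, addrs in dns.items()}


if __name__ == "__main__":
    for hostname, addrs in DNS.items():
        verdict, lines = check_destination(hostname, addrs)
        print(f"{hostname}: {verdict}")
        for line in lines:
            print("  " + line)
```

In a real helper the address list would come from `socket.getaddrinfo()` and the ASN from libloc's Python bindings instead of the constructed table; the classification logic stays the same. Note that the link-local check runs before any table lookup: an address that can never be routed has no ASN by definition, which is exactly the www.foke.es case in the log above, and it is why a single stray AAAA record is enough to get a destination denied.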


December 16 at 8:51 pm • Jon