Is there any easy way to detect and block “proxyware” clients with IPFire? Clients like HoneyGain, i.e. clients that use free internet bandwidth and sell it for a few cents. These clients could be embedded in any application just to earn the software's authors some money, in a similar way to how advertisements are added to software, and those could be blocked with some adblock plugin.
Just a quick thought, although unsourced free internet sounds brilliant. Well, update drivers, check if Realteks and Broadcoms are using the latest software available with security patches. (bgn) Don't allow switches in options if available, and then the steps described above, of course. Also, if using embedded hardware, it might be old, or even if sold second hand it might be compromised.
G70P
This issue has nothing to do with NIC drivers or old embedded hardware. I assume there is a trojan “proxyware” on my network; I assume it is part of some “free” software or is “embedded” in some cheap hardware from China, like a media box with Android. The challenge is how to detect it or even block it. I think that IPFire doesn't help with this task; it doesn't have tools to detect attacks from internal networks.
I use IPFire as DNS server/forwarder for the local network but I cannot see what DNS requests it serves; such a feature could help with the design of blocking rules. I cannot monitor DNS traffic.
active connections - I cannot filter by host/device
active connections - only IP addresses, no easy way to see FQDN (I have to manually check each IP address)
I assume I have to install tcpdump on IPFire, capture a lot of packets and then try to find the attacker with Wireshark… tcpdump can filter packets by IP address, so I can check traffic device by device.
I suppose Wireshark and the add-ons provided are a plus for the router console provided by IPFire. Alternatives (free) are OpenWrt and pfSense software, but I think they don't either, and I'm not into that. I meant virtual LANs inside NICs (the thing has got to get out of the hardware some way). To find an intruder you'll need specific tools indeed.
Regards
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The following SIDs have been released to detect this threat: 45549, 46237 and 58030 - 58033.
I like the solution with rules for Snort. Unfortunately, those rules are not free. And it blocks known attacks but doesn't detect “new” attacks…
I was searching for a way to monitor DNS traffic on IPFire. I found this:
tcpdump: the command tcpdump -s0 -i ppp0 port 53 running on the IPFire gateway shows DNS traffic. I am not sure if this is the perfect command; maybe it can be improved.
dnstop: dnstop is a utility that shows DNS traffic in a similar way to how top shows running processes. The dnstop add-on is not available for IPFire; dnstop can be installed on pfSense.
unbound: unbound can log DNS queries to a log file and it is “easy”. The option log-queries: yes has to be added to /etc/unbound/unbound.conf. It would be nice to have a checkbox for this option in the dns.cgi WUI. OPNsense has such an option.
unbound.conf modified (followed by unboundctrl reload):
Example of log file, just several random lines from /var/log/messages:
Jun 23 17:10:14 ipfire unbound: [29418:0] info: 127.0.0.1 cpitrust.net. A IN
Jun 23 17:10:24 ipfire unbound: [29418:0] info: 192.168.222.232 pingmybee.net. A IN
Jun 23 17:10:25 ipfire unbound: [29418:0] info: 192.168.222.116 vivo.home. A IN
Jun 23 17:10:25 ipfire unbound: [29418:0] info: 192.168.222.116 vivo.home. AAAA IN
Jun 23 17:11:08 ipfire unbound: [29418:0] info: 192.168.222.119 cbnode.ddns.net. A IN
Jun 23 17:11:08 ipfire unbound: [29418:0] info: 192.168.222.119 cbnode.ddns.net. AAAA IN
Jun 23 17:11:12 ipfire unbound: [29418:0] info: 192.168.222.96 abbye994khsg.eu.api.amazonvideo.com. A IN
Jun 23 17:11:13 ipfire unbound: [29418:0] info: 192.168.222.96 msh.amazon.co.uk. A IN
Jun 23 17:15:05 ipfire unbound: [29418:0] info: 127.0.0.1 firetvcaptiveportal.com. A IN
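The log lines above are in unbound's log-queries format (timestamp, host, client IP, queried name, type, class), which is enough to answer the question asked earlier in the thread: which internal device is resolving which names, and how often. The script below is an added example, not part of the original post or of IPFire; it parses that format from /var/log/messages, summarises lookups per client, and reports names that only one device resolves and names a single device keeps resolving over and over (a beaconing pattern worth a closer look). The sample input reuses the lines quoted in the post plus a few constructed lines: the client 192.168.222.50, the name relay.proxyware-sample.invalid and the non-DNS kernel line are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the unbound lines quoted in the post, plus made-up lines for
# a client (192.168.222.50) that resolves one name every minute, and one unrelated
# syslog line, since /var/log/messages mixes output from several daemons.
SAMPLE_LOG = """\
Jun 23 17:10:14 ipfire unbound: [29418:0] info: 127.0.0.1 cpitrust.net. A IN
Jun 23 17:10:24 ipfire unbound: [29418:0] info: 192.168.222.232 pingmybee.net. A IN
Jun 23 17:10:25 ipfire unbound: [29418:0] info: 192.168.222.116 vivo.home. A IN
Jun 23 17:10:25 ipfire unbound: [29418:0] info: 192.168.222.116 vivo.home. AAAA IN
Jun 23 17:11:08 ipfire unbound: [29418:0] info: 192.168.222.119 cbnode.ddns.net. A IN
Jun 23 17:11:08 ipfire unbound: [29418:0] info: 192.168.222.119 cbnode.ddns.net. AAAA IN
Jun 23 17:11:12 ipfire unbound: [29418:0] info: 192.168.222.96 abbye994khsg.eu.api.amazonvideo.com. A IN
Jun 23 17:11:13 ipfire unbound: [29418:0] info: 192.168.222.96 msh.amazon.co.uk. A IN
Jun 23 17:12:00 ipfire unbound: [29418:0] info: 192.168.222.50 relay.proxyware-sample.invalid. A IN
Jun 23 17:12:30 ipfire kernel: constructed non-DNS line that the parser must skip
Jun 23 17:13:00 ipfire unbound: [29418:0] info: 192.168.222.50 relay.proxyware-sample.invalid. A IN
Jun 23 17:14:00 ipfire unbound: [29418:0] info: 192.168.222.50 relay.proxyware-sample.invalid. A IN
Jun 23 17:15:00 ipfire unbound: [29418:0] info: 192.168.222.50 relay.proxyware-sample.invalid. A IN
Jun 23 17:15:05 ipfire unbound: [29418:0] info: 127.0.0.1 firetvcaptiveportal.com. A IN
Jun 23 17:16:00 ipfire unbound: [29418:0] info: 192.168.222.50 relay.proxyware-sample.invalid. A IN
"""

# One unbound "log-queries: yes" line:
#   Mon DD HH:MM:SS host unbound: [pid:tid] info: <client> <qname> <qtype> <qclass>
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ unbound: \[\d+:\d+\] "
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def parse_query(line):
    """Return the fields of one unbound query-log line, or None for any other line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["qname"] = fields["qname"].rstrip(".").lower()  # drop the trailing root dot
    return fields


def summarize(lines, ignore_clients=("127.0.0.1",)):
    """Per-client query count and a Counter of names queried.

    127.0.0.1 is skipped by default: those are the firewall's own lookups, not a LAN device.
    """
    summary = defaultdict(lambda: {"queries": 0, "names": Counter()})
    for line in lines:
        q = parse_query(line)
        if q is None or q["client"] in ignore_clients:
            continue
        entry = summary[q["client"]]
        entry["queries"] += 1
        entry["names"][q["qname"]] += 1
    return dict(summary)


def names_unique_to_one_client(summary):
    """Map name -> client for names that exactly one client resolved (a short review list)."""
    seen_by = defaultdict(set)
    for client, entry in summary.items():
        for name in entry["names"]:
            seen_by[name].add(client)
    return {name: next(iter(clients)) for name, clients in seen_by.items() if len(clients) == 1}


def repeated_lookups(summary, min_count):
    """(client, name, count) for names one client resolved at least min_count times, busiest first."""
    hits = [
        (client, name, count)
        for client, entry in summary.items()
        for name, count in entry["names"].items()
        if count >= min_count
    ]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    # Real use: summarize(open("/var/log/messages")) on the IPFire box.
    summary = summarize(SAMPLE_LOG.splitlines())
    for client, entry in sorted(summary.items()):
        print(f"{client}: {entry['queries']} queries, {len(entry['names'])} distinct names")
    print("repeated lookups:", repeated_lookups(summary, min_count=3))
    print("names seen from only one client:", names_unique_to_one_client(summary))
```

The repeated-lookup report is the useful one for the question in this thread: a device that resolves the same name every minute while nothing else on the LAN ever asks for it stands out immediately, whereas the unique-name list will also contain ordinary per-device names (vivo.home, the Amazon video CDN host) and needs a human to read it.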
There are two sets of rules distributed on the Snort.org web site.
The “Community Ruleset” is freely available to all users, and is licensed under the GPLv2.
The “Snort Subscriber Rule Set” will be made available to users in the following ways:
Subscribers will receive rulesets in real-time as they are released to Cisco customers - 30 days ahead of registered users.
Registered users will receive rulesets 30 days after Subscribers.
Unregistered users will receive access to the community ruleset.
Do I have to subscribe to receive the Snort Subscriber Rule Set?
No, Subscribers receive Snort Subscriber Rule Set updates immediately as they are shipped. Registered users receive the same exact ruleset, however, no new content will be included that was produced during the 30 day window. Updated content outside of the 30 day window will be included.
The Community Ruleset is a GPLv2 Talos certified ruleset that is distributed free of charge without any Snort Subscriber Rule Set License restrictions. If you are a Snort Subscriber Rule Set Subscriber, the community ruleset is already built into your download. If you are a registered user (under the 30-day delay) you may also include this ruleset in your Snort installation to stay current. The authors of the rules in the community ruleset are listed in the AUTHORS file inside the tarball. This ruleset is updated daily and is a subset of the subscriber ruleset.
Registered
This ruleset is also free for use for individuals and businesses (however, Integrators may not use this ruleset). This ruleset is 30 days behind the Snort Subscriber Rule Set and does not contain zero-day threats under the “limited” provision of the Snort Subscriber Rule Set License. This ruleset does contain the Community ruleset. It is recommended that you use both the Registered Ruleset and the community ruleset, if you are not going to become a subscriber. This ruleset is generally updated on Tuesdays and Thursdays.
Subscriber
This is the full Snort Subscriber Ruleset, without delay. For more information on the Snort Subscriber Rule Set, please read our FAQ. This ruleset is also referred to as the “VRT Ruleset” or the “Talos Ruleset”. This ruleset is generally updated on Tuesdays and Thursdays, but may be updated at any time to stay current with emerging threats.