Blocking by hostname

I am seeing if the Comodo Firewall can work with the ThreatSTOP (http://www.threatstop.com) service. What we do is propagate lists of IP addresses that are known to attack other servers/users using DNS, like the DShield Top 10 (http://www.dshield.org) list.

I can configure a rule with a hostname that returns 20 distinct IP addresses, and it looks like it gets all the IP addresses correctly. When I look at the details of the rule, the hostname in the rule shows “NAME: [basic.threatstop.local] - 59.52.113.236 - 222.15.69.197 …” With this enabled, all traffic between those 2 addresses is blocked.

Is it supposed to work like this? We don’t want to block that full range, but the individual IP addresses.

Thank You

David Daugherty
ThreatSTOP

Welcome to the House of Comodo Forums, David (:WAV)

If that Hostname is associated with the full range of IP addresses, then yes, that is how it works.

For example, if I create a Network rule regarding Hostname: forums.comodo.com, this automatically invokes the entire range registered to that host, of 85.91.228.128 - 85.91.228.191; it will be either blocked or allowed depending on my rule structure. It does not, and cannot, select individual ranges from within that Host’s IP range.

In order to do that, I would need to create Single IP rules, or Range rules, rather than for the entire Host.

As I understand it from your website, you are attempting to integrate a “badlist” into the firewall for IP blocking, correct? Can you explain a little more about how it works on your end; how the file is generated, downloaded, etc? Maybe there’s a way we can work around…

LM

Do I understand this correctly?
By entering a host-name in a block-host rule I can block ALL IP-ranges assigned to that host-name?
If I was to make a block-rule for, as an example, “DoD Network Information Center”
(or rather a site with a host-name and within their assigned ranges, since there is no “www.DoDnetworkinformationcenter.mil” site)
would that block ALL IP-ranges assigned to them? (and that’s A LOT)?

Correct. For instance, if you didn’t want the evil Google Empire to spy on you (assuming they do, of course, just to use a real-world example :wink: ) you build a Network Monitor rule to Block IP In/Out, Source Hostname google.com, Destination Hostname google.com, IP Details Any. Probably want it at the top of NetMon (Rule ID 0) so that your browser wouldn’t be allowed to make an outbound connection to their sites. This would block 64.233.160.0 - 64.233.191.255.

LM

LM, yes, basically we are supplying a list of IP addresses through DNS that the user can use to block with their firewall, or allow if they want. What they do with the list is up to them. A rather unusual way to use DNS, but it works pretty well in most cases. Most of our lists are pretty big and have to be split up due to BIND limitations and TCP packet size limits.

Basically what we do is grab a source block list, http://www.dshield.org/ipsascii.html?limit=10 is what we use to get the DShield Top 10 list. We take that file, extract the IP addresses and add them to a file for our DNS server to load into a zone. A DNS query to one of our lists would return a list of IP addresses. Right now we are only using DNS to supply the list, other options may be used in the future.

C:\>nslookup basic.threatstop.local
Server: dns-server
Address: xxx.xxx.xxx.5

Name: basic.threatstop.local
Addresses: 222.15.69.197, 59.33.242.22, 59.191.61.100, 61.129.33.118
61.163.6.124, 71.239.217.117, 80.144.87.169, 83.3.29.98, 88.235.66.185
89.86.131.147, 123.50.208.131, 125.152.17.236, 133.11.220.26, 195.254.134.18
202.113.96.15, 206.162.143.95, 211.99.150.188, 217.43.122.174, 219.132.73.68
221.2.231.10

A rule for iptables would look something like this:
iptables -A threatstop -s basic.threatstop.local -j DROP

This would actually create a separate rule for each IP address in the hostname. Some firewalls would actually work directly off the hostname, Netscreens for example, and keep the DNS query in its local cache until it expires. Other firewalls have to use a script to configure it, like iptables and PF, since they create rules for each address and don’t know or care about the TTL for the hostname. We have to flush the chain and reload it every couple of hours. Some firewalls will not work, like the one that comes with WinXP, since you can only build rules using IP addresses.

Thanks
David
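A rebuild script along the lines David describes (resolve the list hostname, flush the chain, add one DROP rule per address, rerun before the TTL runs out), as an added example that is not ThreatSTOP's or Comodo's own code. The chain name threatstop and the hostname basic.threatstop.local come from the post; the sample addresses are constructed for an offline check, and getent is assumed to be available.

```shell
#!/bin/sh
# Added example, not ThreatSTOP's script: rebuild an iptables chain from the
# A records of a list hostname, as the post describes (flush, then one DROP
# rule per address; rerun from cron before the DNS TTL runs out).

CHAIN="threatstop"             # chain name used in the post's iptables line
LIST="basic.threatstop.local"  # list hostname from the post

# Print the IPv4 addresses a hostname resolves to, one per line, deduplicated.
# Assumes glibc's getent; `dig +short A "$1"` is an alternative.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Print the iptables commands that rebuild CHAIN for the given addresses.
# Usage: emit_rules CHAIN IP...   Output is printed, not executed, so it can
# be reviewed first or piped to sh.
emit_rules() {
    chain=$1; shift
    printf 'iptables -N %s 2>/dev/null\n' "$chain"  # create once; ignore "exists"
    printf 'iptables -F %s\n' "$chain"              # drop the stale address set
    for ip in "$@"; do
        # Skip anything that is not digits and dots: a failed lookup must not
        # turn into a rule with an empty or garbage -s argument.
        case $ip in
            ""|*[!0-9.]*) continue ;;
        esac
        printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
    done
    printf 'iptables -A %s -j RETURN\n' "$chain"    # anything not listed falls through
}

# Number of DROP rules a given address set would produce (used for checking).
count_drop_rules() {
    emit_rules "$@" | grep -c -- '-j DROP'
}

# Live rebuild: needs root and a resolvable LIST; run it every couple of hours.
rebuild_chain() {
    emit_rules "$CHAIN" $(resolve_v4 "$LIST") | sh
}

# Constructed sample (addresses copied from the nslookup output in the post).
SAMPLE_IPS="222.15.69.197 59.33.242.22 59.191.61.100"
```

The chain only takes effect once INPUT (or FORWARD) jumps to it, e.g. `iptables -I INPUT -j threatstop`, which the script assumes is already in place so that the periodic flush never touches the built-in chains.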

Clever! Great lateral use of DNS!

Okay, so in this situation the hostname is defined by a group of IP addresses; that would seem to perhaps give us something to work with.

I am presently using CFP v3 Beta, so I tested with that. Placed this rule at the top of the Network Monitor:
Action: Block
Protocol: IP
Direction: Out
Source IP: Any
Destination IP: Hostname: basic.threatstop.local
IP Details: Any

I selected several IPs from your post, and loaded them into the browser for outbound connection. No connection was able to complete on any of them.

My thought was that if the hostname was made up of a group of IP addresses, then the DNS lookup should be able to sort that out the same way it would with any hostname - IP address relationship.

LM