Monday, April 20, 2009

DNS Super Black Hole

Understanding DNS Black Hole In Home Defense


DNS Black Hole technology has been used in various settings for some years. "The first DNSBL was the Real-time Blackhole List (RBL), created in 1997 by Paul Vixie as part of his Mail Abuse Prevention System (MAPS)" (note: http://en.wikipedia.org/wiki/DNSBL).

Some years later, David Glosser's open source security project at EmergingThreats.net formalized the use of the technique as a means of blocking malware (note http://www.malwaredomains.com/bhdns.html). His site includes a nice list of links to the various hosts-file blocking web sites at http://www.malwaredomains.com/bhdns.html#Resources.

Over the past two years, having faced an onslaught of hundreds of new malware domains per week created by the RBN and their affiliates, those of us engaged in mitigation and recovery operations began creating Super Black Holes in Linux DNS servers as a matter of necessity. Initially, there was some skepticism as to whether the concept was practicable, but it has proven sound when used with internal DNS servers.

The great advantage for home users is that a DNS Super Black Hole provides the opportunity to effectively block a *very* large number of malicious web sites with minimum resources. For example, to filter by IP address the 247,268 evil sites (provided in the DNS Super Black Hole files that I am posting) requires 6 GB of RAM deployed across two inline firewall servers. Such hardware is unavailable to most home users. In contrast, using one older PC bearing only 512 MB of RAM, the home user can block the same 247,268 bad actor web sites using a DNS Super Black Hole (deployed on a free, open source software platform such as Smoothwall). Windows users can edit the files by using free, open source software such as Notepad++ (http://sourceforge.net/projects/notepad-plus/) and WinSCP (http://sourceforge.net/projects/winscp/). This provides parents with a means to filter racist, criminal and pornographic web sites.

In the struggle against cyber criminals, I have often observed instances where viruses are used to drive up the traffic statistics of a web site owned by the criminal. This enables cyber criminals to auction the domain at a greater price. In order to discourage this practice, my DNS Super Black Hole files include many of these domains.

Few individuals visit malicious web sites on purpose. In most cases, the user visits a legitimate site which has been hacked or which includes a malicious banner ad (a fairly common occurrence at Yahoo and Google). The end result is that a hidden window or I-Frame is invoked by JavaScript which installs malware on the PC. DNS Super Black Hole prevents this by diverting the DNS (domain name server) query to the Black Hole. The files include Internet bad actors as well as most of the known malware domains as of May 27, 2009.

Smoothwall is a stable platform which provides excellent installation instructions and documentation (http://www.smoothwall.org/) and user community support (http://community.smoothwall.org/forum/). As such, it is ideal for home users.

You can download the DNS Super Black Hole files for Smoothwall at Emerging Threats from http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples:

* config-hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts): 247,268 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Update 5-27-2009: 3,526 cybercrime and malware domains discovered since May 3rd.

* hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts): Protect your home from 247,268 bad domains for Smoothwall 3; place it in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback. Updated 5-27-2009.

Many of the web sites listed in these files are extraordinarily dangerous, so do not visit them!
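As an added example (not code from the original post, from Emerging Threats or from Smoothwall), here is a small Python script that turns a raw domain feed into a hosts-style black hole and checks it against the rules stated above: every entry sinks to local loopback and the file ends with a blank line. It assumes plain /etc/hosts syntax (`<ip> <domain>`) with 127.0.0.1 as the sink; the Smoothwall config layout itself is not reproduced, and the sample feed is constructed.

```python
import re

LOOPBACK = "127.0.0.1"  # the post requires loopback as the sink for large lists
# Conservative hostname syntax: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Constructed sample feed (not a real blocklist) with the noise real feeds carry.
SAMPLE_FEED = """\
# constructed example feed
Evil-Example.test
evil-example.test
bad.actor.example.   # trailing dot copied from a zone file
not a domain
malware.example
"""

def normalise(line):
    """Strip comments, case and trailing dot; return None if not a valid name."""
    d = line.split("#", 1)[0].strip().lower().rstrip(".")
    return d if d and _DOMAIN_RE.match(d) else None

def build_blackhole(feed_text, sink=LOOPBACK):
    """Return sorted, de-duplicated '<sink> <domain>' hosts lines."""
    names = {d for d in map(normalise, feed_text.splitlines()) if d}
    return [f"{sink} {d}" for d in sorted(names)]

def render(lines):
    """Serialise with a terminating newline (the post's 'leave last line blank')."""
    return "\n".join(lines) + "\n"

def validate(hosts_text):
    """List violations: non-loopback sink, duplicates, malformed lines, no final newline."""
    problems = []
    if not hosts_text.endswith("\n"):
        problems.append("missing trailing newline")
    seen = set()
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split()
        if len(parts) != 2:
            problems.append(f"line {n}: expected '<ip> <domain>'")
            continue
        ip, d = parts
        if ip != LOOPBACK:
            problems.append(f"line {n}: {d} sinks to {ip}, not loopback")
        if d in seen:
            problems.append(f"line {n}: duplicate {d}")
        seen.add(d)
    return problems
```

Running `validate(render(build_blackhole(SAMPLE_FEED)))` on the constructed feed returns an empty list; feeding it a file that points names at another address or lacks the final newline returns one message per violation.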