Etherarp
Etherarp

Networking, Security, Linux

Share


Reactive malware blocking with ipset

This tutorial will demonstrate how to create reactive firewall rules. If a device attempts to communicate with known malware command-and-control servers, the potentially compromised device will be added to a blacklist, and its internet access will be immediately disabled.

Rohan MolloyRohan Molloy

Create the ipsets

sudo ipset create cybercrime hash:ip
sudo ipset create infected hash:mac

Populate the cybercrime list

sudo xargs -n1 ipset add cybercrime \
< <(curl -fSsL https://iplists.firehol.org/files/cybercrime.ipset | grep -v "^#")

Create the iptables rules

sudo iptables -I FORWARD -m set --match-set infected src \
-j DROP
sudo iptables -I FORWARD -m set --match-set cybercrime dst \
-j SET --add-set infected src

Trying it out

[rohan@desktop ~]$ docker run -it --rm alpine sh
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=122 time=42.093 ms

/ # ping -c2 39.105.4.44
PING 39.105.4.44 (39.105.4.44): 56 data bytes
^C
--- 39.105.4.44 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

/ # ping -c2 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # exit

[rohan@desktop ~]$ sudo ipset list infected
Name: infected
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536
Size in memory: 152
References: 3
Number of entries: 1
Members:
02:42:C0:A8:08:02

The first ping to 8.8.8.8 verifies internet connectivity, then I attempt to ping an address in the cybercrime set. As expected, the ping is unsuccessful, and a subsequent ping to 8.8.8.8 also fails.

Caveats

In the above example using Docker, I found that after I deleted the container, the next container I created used the previously blocked MAC address. This can be solved by using a manually specified MAC address.

Author

Rohan Molloy

View Comments