Short blog post documenting steps to quickly block IP addresses for cybersecurity SaaS solutions which perform scanning and sandboxing analysis using CloudFlare's features.
Introduction, Background, or Why?
During Adversary Simulation projects, or even just Red Team Operations, we are often tasked to try our best to 'penetrate' a target organization. The process of the 'penetration' provides the target organization with the benefit of being able to test their implemented cybersecurity controls and investments to see how well their People, Processes, and Technology can fend off an attack. To be able to perform such simulations, we need 'attack infrastructure'.
Different operators have their own way of deploying infrastructure. There are various sources documenting how to set up Attack Infrastructure. Jeff Dimmock has a documented Red Team Infrastructure Wiki over on GitHub[2]. Depending on how Attack Infrastructure is deployed, it can greatly aid or even harm an operation.
Security solutions have been getting better and a lot of innovation has been taking place in the cybersecurity product space. During Red Team Operations we often see solutions such as E-mail Content Scanning, Link Scanning, Attachment Scanning, and various other types of automated analysis or sandboxing technology. To prevent cybersecurity solutions delivered as SaaS from being able to analyse our implants and phishing websites, Jason Lang (@curi0usjack) released a list of Bad IP addresses[1]. The community has also been contributing and adding more known Bad IP addresses for security vendors. This list has been referred to by many Red Teamers and is still effective and in use today.
The Bad IP Addresses list was previously deployed using .htaccess or iptables rules. However, there's been a common theme where a lot of Red Teams use LetsEncrypt - because it's free. Instead, CloudFlare offers free SSL certificates in front of your domains if you use their services. Not only does it provide accelerated content delivery due to their CDN, it can help you automate the SSL deployment process, and it also provides a plethora of extended features. These features include Firewall Rules to restrict access to your origin servers.
Using CloudFlare Firewall Rules for IP Filtering
Steps to add Firewall Rules
TLDR: Create two firewall rules under CloudFlare to block a set of Bad IP addresses known for cybersecurity solutions.
1) Go to Firewall > Firewall Rules > Create a Firewall Rule
2) Put in a rule name for (1), then select 'IP Source Address' for (2), then change Operator to 'is in' for (3). Check that the Expression Preview (4) is as shown, then for the final action put 'Block' (5). Finally, click on 'edit expression' (6).
3) You will now have a blank expression to start inserting IP addresses as shown below:
From here, we can utilize the previously shared Bad IP list by Jason Lang, and stick it all in. I've formatted it into two separate expressions due to the size limitations of each expression.
4) After inserting each expression, you should get the following change in the UI by clicking 'use expression builder':
5) Now just scroll down to the bottom and click 'deploy':
6) Once the deployment is working, it will show up on the UI as shown below:
What it looks like when you're blocked
Using CloudFlare Firewall Rules to Block Bots
Steps to Enable 'Bot Fight' Mode
Navigate to Firewall > Bots, then enable it.
I currently have no clue as to what it really does, as I haven't botted enough to make it think I'm a Bot. However, I think that it can be made useful if there are internet-wide scanners who are constantly scanning. CloudFlare's Threat Intel feeds will hopefully block or restrict those IP addresses and make it harder for those services to access your infrastructure.
Whitelisting CloudFlare on your Redirectors or Servers
To ensure that our origin doesn't get discovered, or directly attacked by the Blue Team, or the Cyber Threat Intelligence community, it is best to whitelist CloudFlare and block access to your origin server from any other locations. To do this, we can utilize iptables rules to allow only CloudFlare IP Address Ranges to TCP port 80 and 443.
TLDR: Use iptables to whitelist CloudFlare IP Address Ranges and default deny everything else.
iptables Commands to Whitelist CloudFlare Only
# Insert an ACCEPT rule for each published CloudFlare range (IPv4 and IPv6). curl -fsS fails on HTTP errors instead of feeding error text into the loop.
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
for i in $(curl -fsS https://www.cloudflare.com/ips-v6); do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
# Append the default deny for everything else reaching ports 80 and 443.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
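Restricting an origin to the CDN's published ranges is standard origin-protection hardening, and the one way the commands above can hurt you is a failed download: an empty list would apply the DROP rules with no ACCEPT rules and take the site offline. The script below is an added example (not the author's commands) that generates the same rule set but refuses to emit the DROP rules unless both lists are non-empty; the list URLs are the ones used above, and the `apply` guard is an assumption so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: build iptables/ip6tables rules admitting only Cloudflare ranges
# to 80/443, failing closed if either range list is empty.

# Emit one ACCEPT rule per CIDR read from stdin. $1 = iptables | ip6tables.
emit_accept_rules() {
    bin="$1"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s -I INPUT -p tcp -m multiport --dports http,https -s %s -j ACCEPT\n' "$bin" "$cidr"
    done
}

# Count non-blank, non-comment lines in a range list file.
count_ranges() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Print the complete rule set for the two list files ($1 = IPv4, $2 = IPv6).
# If either list is empty (e.g. the download failed), print nothing and return 1,
# so the DROP rules are never applied without their ACCEPT rules.
build_ruleset() {
    v4="$1"; v6="$2"
    if [ "$(count_ranges "$v4")" -eq 0 ] || [ "$(count_ranges "$v6")" -eq 0 ]; then
        echo "refusing to build rules: empty range list" >&2
        return 1
    fi
    emit_accept_rules iptables < "$v4"
    emit_accept_rules ip6tables < "$v6"
    echo 'iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP'
    echo 'ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP'
}

# Fetch the published lists and apply the generated rules (requires root).
apply_cloudflare_rules() {
    tmp=$(mktemp -d) || return 1
    curl -fsS https://www.cloudflare.com/ips-v4 > "$tmp/v4" || { rm -rf "$tmp"; return 1; }
    curl -fsS https://www.cloudflare.com/ips-v6 > "$tmp/v6" || { rm -rf "$tmp"; return 1; }
    build_ruleset "$tmp/v4" "$tmp/v6" | sh -e
    status=$?
    rm -rf "$tmp"
    return $status
}

# Assumed invocation guard: only touch the firewall when run as "script.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply_cloudflare_rules
fi
```

Run `sh script.sh apply` as root on the origin; without the argument the functions are defined but nothing is changed, which is handy for dry runs with `build_ruleset list-v4 list-v6`.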
Further Ideas
Community driven effort to identify IP address ranges used by various CTI providers.
Automatically block connections from Brand Protection related providers because many organizations are using these solutions. If the CTI provider cannot even load the webpage, perhaps there's less chance of a domain takedown.