topic Re: Old spyware signatures are not sinkholed in General Topics

Old spyware signatures are not sinkholed

SThatipelly — Thu, 09 Aug 2018 18:30:10 GMT

I have dns sinkhole in place but the issue here is firewall is not stopping dns resolutions of old spyware(previous dynamic update version) sihgnatures/domains at dns level. Palo threat databse shows the domain as malware but no sinkhole action is taking place. Is this a known behaviour?

Re: Old spyware signatures are not sinkholed

BPry — Thu, 09 Aug 2018 20:07:43 GMT

@SThatipelly,

As long as it's still listed on threatvault you should still be seeing the request get sinkholed.

Re: Old spyware signatures are not sinkholed

SThatipelly — Thu, 09 Aug 2018 20:09:17 GMT

Thank you. But I am not seeing them. That is the issue. I may create a support cae.

Thanks.

Re: Old spyware signatures are not sinkholed

Remo — Thu, 09 Aug 2018 20:43:55 GMT

@SThatipelly

Is this particular domain listed as DNS signature or "only" as malware URL category? If its the latter one, then this is actually "expected behaviour" because only a small percentage of malware domains are available as DNS signature. This is simply because the DNS signatures are far more static than the URL categories where the firewall is able to do a cloud lookup of an URL. Technically this would also be possible for DNS entries, but so far this isn't implemented this way.

Re: Old spyware signatures are not sinkholed

BPry — Thu, 09 Aug 2018 20:45:57 GMT

@Remo,

That's a really good distinction to make. If it isn't listed as an actual signature then this is fully expected behaviour.

Re: Old spyware signatures are not sinkholed

SThatipelly — Thu, 09 Aug 2018 20:48:43 GMT

Thank you so much for the detailed explanantion.

I tested 2 domains. veedookij.tk and aol.cm

They both are listed as malware but only the first one is being resolved to sinkhole IP. I don't see any logic here.

**aol.cm used to resolve to sinkhole IP 2-3 weeks ago. I assume all signatures timeout after some specific timeperiod?

Re: Old spyware signatures are not sinkholed

Remo — Thu, 09 Aug 2018 21:02:11 GMT

@SThatipelly

This I don't know exactly, but I assume it is something like you wrote (that the signatures time out) and probably also that paloalto makes the most dangerous domains available as DNS signature. As I wrote there is no cloud lookup for these so the capacity is limited. Specially when users can also configure their own domain EDL, the firewall will get to a point where the performance is affected when the firewall has to check hundreds of thousands entries for every DNS request. The cloud obviously scales a lot better with the URL database than a local one.

Re: Old spyware signatures are not sinkholed

SThatipelly — Fri, 10 Aug 2018 12:42:17 GMT

I agree about the performance but this for me, seems to be a major hole in security because my DNS sinkhole report omits all those old malicious connection requests(if any)

Re: Old spyware signatures are not sinkholed

Remo — Fri, 10 Aug 2018 13:00:26 GMT

Unfortunately thats how it works right now. You could create a feature request for this DNS sinkhole cloud enhancement ...

Or build something similar on your internal DNS server where you sinkhole alle the public lists of malware domains... I know, not really what your looking for...