Blocking punycode URLs



We have PA-820s, and I have been looking for a way to leverage them to block punycode attacks. In fact, we'd be pretty OK with blocking punycode URLs altogether. I just haven't been able to puzzle out a way to do it. If I add xn--* to the URL filter block list, it complains that I have multiple wildcards. If I add just xn--, the firewall accepts it, but it just doesn't work; nothing is blocked. It was the same result when I tried to create a custom URL category. Is this something that can even be done at the firewall level, or should I look to address this on the DNS side?

Tags: L7 Applicator
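The check the question is after, written out as an added example (not code from this thread and not Palo Alto Networks code): walk URL log lines, pick out any hostname label that starts with the IDNA "xn--" prefix, decode it with Python's built-in idna codec, and note whether the decoded label mixes scripts, which is the usual shape of a homograph domain. The log line format ("time src-ip url") and every sample line are constructed for the example; the two punycode hostnames are generated from Unicode at runtime so they are guaranteed to be valid.

```python
"""Flag punycode (IDNA "xn--") hostnames in URL log lines.

Added example, not from the forum thread and not Palo Alto Networks
code. Log format and sample lines are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"


def decode_label(label):
    """Return the Unicode form of one punycode label, or raise UnicodeError.

    Python's idna codec verifies that the label round-trips, so a
    malformed "xn--" label raises instead of yielding garbage.
    """
    return label.encode("ascii").decode("idna")


def scripts_in(text):
    """Set of script prefixes (LATIN, CYRILLIC, ...) of the letters in text."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            # unicodedata.name gives e.g. "CYRILLIC SMALL LETTER A"; the
            # first word is a good-enough script label for a mixing check.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def inspect_hostname(hostname):
    """Describe the punycode labels of a hostname.

    Keys: punycode (any "xn--" label), decoded (hostname with decodable
    labels shown in Unicode), mixed (a decoded label mixes scripts),
    undecodable (labels that start with "xn--" but fail IDNA decoding).
    """
    decoded_labels = []
    undecodable = []
    punycode = mixed = False
    for label in hostname.lower().split("."):
        if not label.startswith(ACE_PREFIX):
            decoded_labels.append(label)
            continue
        punycode = True
        try:
            text = decode_label(label)
        except UnicodeError:
            undecodable.append(label)
            decoded_labels.append(label)
            continue
        decoded_labels.append(text)
        if len(scripts_in(text)) > 1:
            mixed = True
    return {"punycode": punycode, "decoded": ".".join(decoded_labels),
            "mixed": mixed, "undecodable": undecodable}


def scan_log(lines):
    """Parse constructed '<time> <src-ip> <url>' lines, return punycode hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, url = parts
        host = urlsplit(url).hostname or ""
        info = inspect_hostname(host)
        if info["punycode"]:
            hits.append({"time": ts, "src": src, "host": host, **info})
    return hits


# Constructed sample hosts: a Cyrillic-only IDN and a Latin/Cyrillic
# look-alike (the "a" in the second one is U+0430). Encoding them here
# guarantees the punycode strings in the sample log are valid.
HOST_CYRILLIC = "пример".encode("idna").decode("ascii")
HOST_MIXED = "p\u0430ypal".encode("idna").decode("ascii")
SAMPLE_LOG = [
    "2019-05-01T10:00:01 10.0.0.5 https://www.example.com/login",
    f"2019-05-01T10:00:02 10.0.0.7 http://{HOST_CYRILLIC}.example/index.html",
    f"2019-05-01T10:00:03 10.0.0.9 https://login.{HOST_MIXED}.example/",
    "2019-05-01T10:00:04 10.0.0.9 https://docs.example.org/xn--in-path-only",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "MIXED-SCRIPT" if hit["mixed"] else "idn"
        print(f'{hit["time"]} {hit["src"]} {hit["host"]} -> {hit["decoded"]} [{flag}]')
```

Two details worth noting: only the hostname is inspected, so an "xn--" string in the path (the last sample line) is not a hit, and a mixed-script verdict is a review signal rather than proof of abuse, since legitimate IDN labels in a single script (the first hit) are common.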

Re: Blocking punycode URLs

Hello,

I am going to assume this is for outbound traffic. If yes, then there are several things to do in conjunction.

In your Vulnerability profile, enable DNS Sinkhole.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0


Next I would block by web category, blocking the obvious bad stuff.

abused-drugs, adult, alcohol-tobacco, command and control, copyright-infringement, crypto-currency, dynamic-dns, hacking, high-risk, insufficient-content, malware, medium-risk, newly-registered-domain, not-resolved, parked, phishing, private-ip-address, proxy avoidance and anonymizers, questionable, shareware and freeware, unknown, web-advertisements


Externally, have only your DNS servers be able to go out and make external DNS requests. Also use a secure service such as OpenDNS, Cloudflare, Quad9, etc. And block the end users from exiting your environment over DNS externally.


Set up external dynamic lists along with the PAN built-in ones; I have the following set up.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-pol...

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183


SANS notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...


Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/

http://cinsscore.com/list/ci-badguys.txt


Make sure you are performing SSL decrypt to ensure you are seeing the traffic.


This should get you started without having to use a wildcard to block everything.


Regards,
