Blocking punycode URLs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking punycode URLs

L0 Member

We have PA-820's and I have been looking for a way to leverage them to block punycode attacks.  In fact, we'd be pretty OK with blocking punycode URLs altogether.  I just haven't been able to puzzle out a way to do it.  If I add xn--* to the URL filter block list, it complains that I have multiple wildcards.  If it add just xn-- the firewall accepts it, but it just doesn't work, nothing is blocked.  It was the same result when I tried to create a custom URL category.  Is this something that can even be done at the firewall level, or should I look to address this on the DNS side?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

I am going to assume this is for outbound traffic. If yes then there are several things to do in conjunction.

In your Vulnerability profile, enable DNSSink hole. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0

 

Next I would block by web category, blocking the obvious bad stuff.

abused-drugs, adult, alcohol-tobacco, command and control, copyright-infingment, crypto-currency, dynamic-dns, hacking, high-risk, insufficient-content, malware, medium-risk, newly-registered-domin, not-resolved, parked, phishing, private-ip-address, proxy avoidance and anonymizers, questionable, shareware and freeware, unknown, web-advertisements

 

Externally have only your DNS servers be able to go our and get external DNS requests. Also use a secure service such as OpenDNS, cloudflare, Quad9, etc. And block the end users from exiting your environment over DNS externally.

 

Setup external dynamic lists, along with the PAN builtin ones, i have the following setup.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-pol...

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183

 

Sans notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...

 

Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/

http://cinsscore.com/list/ci-badguys.txt

 

Make sure you are performing SSL decrypt to ensure you are seeing the traffic.

 

This should get you started and not having to use a wildcard to block everything.

 

Regards,

View solution in original post

1 REPLY 1

Cyber Elite
Cyber Elite

Hello,

I am going to assume this is for outbound traffic. If yes then there are several things to do in conjunction.

In your Vulnerability profile, enable DNSSink hole. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0

 

Next I would block by web category, blocking the obvious bad stuff.

abused-drugs, adult, alcohol-tobacco, command and control, copyright-infingment, crypto-currency, dynamic-dns, hacking, high-risk, insufficient-content, malware, medium-risk, newly-registered-domin, not-resolved, parked, phishing, private-ip-address, proxy avoidance and anonymizers, questionable, shareware and freeware, unknown, web-advertisements

 

Externally have only your DNS servers be able to go our and get external DNS requests. Also use a secure service such as OpenDNS, cloudflare, Quad9, etc. And block the end users from exiting your environment over DNS externally.

 

Setup external dynamic lists, along with the PAN builtin ones, i have the following setup.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-pol...

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183

 

Sans notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...

 

Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/

http://cinsscore.com/list/ci-badguys.txt

 

Make sure you are performing SSL decrypt to ensure you are seeing the traffic.

 

This should get you started and not having to use a wildcard to block everything.

 

Regards,

  • 1 accepted solution
  • 2730 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!