4 Replies Latest reply on Jul 19, 2016 9:45 PM by Regis

    Does MWG make this silly mistake anywhere that Bluecoat did?


      Apparently Bluecoat web proxies really stepped into some silliness by leveraging reverse DNS requests (PTR records are attacker-controlled) ... to impute domain names for certain whitelisting policy elements. Details here:

      https://bto.bluecoat.com/security-advisory/sa130 which includes "HTTP and HTTPS requests that result in an RDNS lookup may, under certain circumstances, cause the policy rules matched to be those associated with the hostname returned by RDNS rather than the server IP address. This may prevent the policy from enforcing security controls, such as blocking the request, requiring user authentication, or performing payload scanning.  ProxySG and ASG appliances are vulnerable when deployed as a forward proxy, reverse proxy, or web application firewall (WAF)."

      So if you're an attacker, send a numeric IP address URL in your spam campaign, publish a PTR record saying "yeah, my IP is a reverse for www.webex.com" ... and for someone with that in a whitelist somewhere, congratulations, you've bypassed a lot of proxy policy if you're a Bluecoat customer with an affected product and webex.com on any whitelists.

      Can someone reassure me that no common elements of MWG policy primitives make this same silly mistake of trusting attacker-supplied RDNS info?

        • 1. Re: Does MWG make this silly mistake anywhere that Bluecoat did?
          Jon Scholten

          Hi Regis,


          There isn't anything in MWG that would bypass as much as you mentioned above (by default).


          The only thing that MWG uses reverse DNS for is categorization when we receive an unrated IP. We then lookup the category and reputation based on the reverse DNS results. This is used only as a down selector and can be disabled easily.



          Customers can use the property DNS.Lookup.Reverse(URL.Destination.IP). This would return a list of hostnames returned from the reverse lookup. You could then compare that list against another list for whitelisting purposes. However this is infrequently used in my experience.


          Let me know if that helps.


          Best Regards,


          • 2. Re: Does MWG make this silly mistake anywhere that Bluecoat did?

            Thanks for this very useful info, Jon.


            If one were to turn off that reverse lookup... you avoid the attack outlined (spammer fakes an RDNS entry on an IP they control), and have you given up as an administrator... anything? Is there a downside? Sure, categorization of legit IPs' reverse hostnames, but is the worst of that just possibly blocking more traffic based on that?


            In this context, can you define what is meant by an "Unrated IP-based URL"?


            Are we talking about categorization, IP reputation, risk? All these terms kinda smear together still for me, and it's an opportunity to really know what's going on.


            Could you go through an example of how policy thinks on this realm?


            Let's take this numeric URL, from an Indian news site:


            URL:            DNS reverses to an informational hosted-by.reliablesite.net (which does not forward DNS).
            Status:         Categorized URL
            Categorization: Technical Information
            Reputation:     Minimal Risk


            Would the handling of these modulate if I unchecked that box? 

            Note that even though the reverse of  it's hosted-by.reliablesite.net.

            If you forward resolve hosted-by.reliablesite.net  you get nothing.

            It seems, however, to have a categorization in TrustedSource:


               URL:            hosted-by.reliablesite.net (https://www.trustedsource.org/sources/redirect?r=http%3A%2F%2Fhosted-by.reliablesite.net&c=5D0B7CB3AEA7AAF50ACF431E18813D34)
               Status:         Categorized URL
               Categorization: Technical Information
               Reputation:     Minimal Risk



            So, suppose I'm a bad guy. I control an IP.  I poof my DNS PTR record to point that IP back to hosted-by.reliablesite.net.


            Q: in what circumstances will MWG consider http://my.badguy.ip.addy/    as   "Technical Information"    ?

            Q:  Will simply unchecking that "Do a backwards DNS lookup" box in policy  and searching policy for references to DNS.Lookup.Reverse(URL.Destination.IP)  put me in the clear from such attacks?

            • 3. Re: Does MWG make this silly mistake anywhere that Bluecoat did?
              Jon Scholten

              Hi Regis!


              To clarify if this is not already understood, everything related to reverse DNS only applies when we receive a request by IP, not by domain name. MWG will not rely on the reverse lookup information if a domain name is given, we would only rely on the result of a forward lookup (another setting in the screenshot above).


              The setting mentioned above relates to categorization and reputation of the given URL. In general they should go hand in hand.


              MWG will evaluate the given URL against the local or cloud database, and if that yields no result, we'll check the other variations of the URL for a result. Using your example, let's say the URL is:


              If that URL is uncategorized, since it's an IP, we will get the DNS name returned, which is "hosted-by.reliablesite.net". The MWG would then evaluate a reverse lookup variation of the URL (based on the setting mentioned above): http://hosted-by.reliablesite.net/blahblahblah


              The URL checker written by Erik Elsasser highlights this functionality pretty well, see screenshot below:


              Speaking to your questions:

              1) MWG would not rely on reverse DNS for a URL like http://my.badguy.ip.addy/  since that is a domain name... unless you really meant to type an IP http://x.x.x.x in which case, if x.x.x.x was uncategorized and the reverse lookup yielded something like hosted-by.reliablesite.net (which is categorized as Technical Information) in the results.

              2) Yes it would. Though this would also be contingent on you using these results to make critical policy decisions. In some cases customers use the DNS.ReverseLookup just to populate a log field.


              Let me know if that helps.


              Best Regards,

              Jon Scholten
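The lookup order Jon describes above, and the attack Regis sketched in his second post, modelled in Python as an added illustration. This is not MWG code and does not use the real DNS.Lookup.Reverse(URL.Destination.IP) property: the category database, PTR answers and A-record answers are constructed sample data, the IP addresses come from the documentation ranges, and `use_reverse_dns=False` stands in for the policy checkbox Jon mentions. The forward-confirmed reverse DNS (FCrDNS) check is an additional safeguard a practitioner might apply on top of what the thread discusses, not something the thread says MWG does.

```python
"""Reverse-DNS fallback in URL categorization, and two ways to defuse it.

Added illustration for this thread (not MWG code, not McAfee data).
All tables below are constructed sample data."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for the URL category database, keyed by host.
CATEGORY_DB = {
    "www.example-news.test": "News",
    "cdn.example-news.test": "News",
    "hosted-by.reliablesite.net": "Technical Information",  # the thread's example
}

# Constructed PTR answers. 203.0.113.7 is the attacker's IP: the attacker
# controls the in-addr.arpa zone for it and can publish any name there.
PTR_TABLE = {
    "192.0.2.20": ["cdn.example-news.test"],
    "203.0.113.7": ["hosted-by.reliablesite.net"],  # attacker-published PTR
}

# Constructed forward (A) answers. hosted-by.reliablesite.net is deliberately
# absent: as Regis observed, that name does not forward-resolve.
A_TABLE = {
    "www.example-news.test": ["192.0.2.10"],
    "cdn.example-news.test": ["192.0.2.20"],
}


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def reverse_lookup(ip):
    return PTR_TABLE.get(ip, [])


def forward_lookup(name):
    return A_TABLE.get(name, [])


def forward_confirmed_names(ip):
    """Forward-confirmed reverse DNS: keep a PTR name only if its A records
    include the IP we started from. An attacker controls the PTR for their
    own IP but not the A records of the zone they are impersonating."""
    return [name for name in reverse_lookup(ip) if ip in forward_lookup(name)]


def categorize(url, use_reverse_dns=True, require_forward_confirmation=False):
    """Return the category for a URL.

    1. Direct hit on the host.
    2. If the host is an IP literal with no category and the reverse-DNS
       variation is enabled, try the PTR name(s) instead.
    Domain-name URLs never reach step 2 (Jon's point 1 above)."""
    host = urlsplit(url).hostname
    if host is None:
        return "Uncategorized"
    if host in CATEGORY_DB:
        return CATEGORY_DB[host]
    if not is_ip_literal(host) or not use_reverse_dns:
        return "Uncategorized"
    if require_forward_confirmation:
        candidates = forward_confirmed_names(host)
    else:
        candidates = reverse_lookup(host)
    for name in candidates:
        if name in CATEGORY_DB:
            return CATEGORY_DB[name]
    return "Uncategorized"


def policy_decision(url, allowed_categories, **lookup_options):
    """Toy allow-list rule: permit the request only if its category is allowed."""
    category = categorize(url, **lookup_options)
    action = "ALLOW" if category in allowed_categories else "BLOCK"
    return action, category


if __name__ == "__main__":
    allowed = {"News", "Technical Information"}
    attacker = "http://203.0.113.7/payload.exe"
    print("PTR trusted:              ", policy_decision(attacker, allowed))
    print("reverse DNS disabled:     ", policy_decision(attacker, allowed, use_reverse_dns=False))
    print("forward-confirmed PTR:    ", policy_decision(attacker, allowed, require_forward_confirmation=True))
    print("legit IP, forward-confirmed:", policy_decision("http://192.0.2.20/", allowed, require_forward_confirmation=True))
```

With the reverse-DNS variation on, the attacker's IP-only URL inherits "Technical Information" from the PTR the attacker published, so an allow-list keyed on category lets it through. Turning the variation off (Jon's suggestion) stops that, at the cost of leaving the IP uncategorized. Requiring forward confirmation stops it too while still categorizing IPs whose PTR names genuinely resolve back to them; note that hosted-by.reliablesite.net itself would fail that check, since it has no forward record.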

              • 4. Re: Does MWG make this silly mistake anywhere that Bluecoat did?

                Excellent thorough reply.  Yes, as you divined, I'd meant that to be interpreted as an http://x.x.x.x ip address url.  I know what I need to do. Thanks much.