PfSense trying shady connections?
-
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…
The iNerd, coming soon from Apple! ;D
-
So this feel good tool your running on your router that says it blocks stuff to bad places.. It doesn't even list what port it blocked??
-
So this feel good tool your running on your router that says it blocks stuff to bad places.. It doesn't even list what port it blocked??
Erm… Nope. I'd hope it says something more in the logs, but the record was already out of it. I'll get a request blocked when I'm home, to see if it gets there. Keep in mind it's not the standard router firewall
-
If it does not list the port the traffic is going to to its completely pointless to even log it as blocked.. And if they are blocking the netblocks that the root servers are on that is a huge problem.. I would open a ticket with them about that for sure.
-
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…
Really? :)
-
If it does not list the port the traffic is going to to its completely pointless to even log it as blocked.. And if they are blocking the netblocks that the root servers are on that is a huge problem.. I would open a ticket with them about that for sure.
Ok so the connection doesn't get logged on syslog, seems like the AiProtection is just entirely separate. I'll look into opening the ticket or opening a pull request for the port to be added to the mailed details. Meanwhile I found the IP mentioned in other threads on this forum and on twitter and google, saying it's a botnet sinkhole, even if the posts are quite old. Still not convinced they're not bad , even if it's not pfSense fault :P
Edit: took a look at merlinwrt sources, seems like that part comes from a precompiled module, so pull request is a no-go
-
A botnet sink running on a TLD root server? That's an interesting thought, and a bit frightening. That hostname is queried millions of times a day to find .org domain name servers, and if it's compromised… that's not a happy thought. (Yes, my own configuration returned that server as an .org TLD server.. and I have DNSSEC enabled and active.)
It really makes you wonder just how fragile the whole thing could be...
-
A botnet sink running on a TLD root server? That's an interesting thought, and a bit frightening. That hostname is queried millions of times a day to find .org domain name servers, and if it's compromised… that's not a happy thought. (Yes, my own configuration returned that server as an .org TLD server.. and I have DNSSEC enabled and active.)
It really makes you wonder just how fragile the whole thing could be...
I don't know what to say at this point… :-
I tried the other afilias ips on trend micro web reputation, they're untested. Anything else we can do to verify/disprove? -
@KOM:
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…
The iNerd, coming soon from Apple! ;D
Next time i will be more visceral and provide a horrific pic to support my thoughts :) s/inerds/innards/
ps - This is not a spelling bee… :P -
http://www.urbandictionary.com/define.php?term=iNerd
-
@campusantu:
A botnet sink running on a TLD root server? That's an interesting thought, and a bit frightening. That hostname is queried millions of times a day to find .org domain name servers, and if it's compromised… that's not a happy thought. (Yes, my own configuration returned that server as an .org TLD server.. and I have DNSSEC enabled and active.)
It really makes you wonder just how fragile the whole thing could be...
I don't know what to say at this point… :-
I tried the other afilias ips on trend micro web reputation, they're untested. Anything else we can do to verify/disprove?I am going out on a strong limb and say that these are False Positives…
I have checked over 50 different Blocklists and the IP reputation is fine... Except for what TrendMicro is reporting. However, their site seems to be URL based and not IP based... Will never know as the details about the service is slim to none...Food for thought:
https://www.asus.com/ca-en/Networking/RT-AC5300/
https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/
https://twitter.com/flexhub/status/587315109992800257You might want to tweet to the Dev of Asuswrt-Merlin:
https://twitter.com/RMerlinDevThe github branch for Asuswrt-Merlin if you are interested:
https://github.com/RMerl/asuswrt-merlin/search?p=1&q=AiProtection&utf8=%E2%9C%93Trend Micro has yet to reply about the FP... I am not a customer of theirs, so best left in your court.
https://twitter.com/BBcan177/status/770737622121611268 -
This is not a spelling bee…
I was just having some fun. You know I still love you ;D
-
@KOM:
This is not a spelling bee…
I was just having some fun. You know I still love you ;D
Hehe…. me too... 8)
-
I am going out on a strong limb and say that these are False Positives…
I have checked over 50 different Blocklists and the IP reputation is fine... Except for what TrendMicro is reporting. However, their site seems to be URL based and not IP based... Will never know as the details about the service is slim to none...Food for thought:
https://www.asus.com/ca-en/Networking/RT-AC5300/
https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/
https://twitter.com/flexhub/status/587315109992800257You might want to tweet to the Dev of Asuswrt-Merlin:
https://twitter.com/RMerlinDevThe github branch for Asuswrt-Merlin if you are interested:
https://github.com/RMerl/asuswrt-merlin/search?p=1&q=AiProtection&utf8=%E2%9C%93Trend Micro has yet to reply about the FP... I am not a customer of theirs, so best left in your court.
https://twitter.com/BBcan177/status/770737622121611268Didn't get the reason behind the RT-AC5300 link, read all the others. Well, to be honest that's what any web reputation system does, so one can choose either to use it or not. I saw your tweet and bump, seems to go unnoticed :-
As per pfSense I guess I'll be playing with it a little more before deciding, might as well use it between my physical LAN and my VMs to try it out.
Thanks for the help -
This post is deleted!
