“Foghorn” takes users out of phish-fighting with DNS “greylisting”

Prototype security tool stops clicks on bad links, blocking DNS lookup for 24 hours.

Sean Gallagher – Sep 1, 2016 4:50 pm | 46

Go ahead and click it. You know you want to.

Clickers gonna click. Despite mandatory corporate training, general security awareness, and constant harping about the risks of clicking on unverified links in e-mails and other documents, people have been, are now, and forever will click links where exploit kits and malware lurk. It’s simply too easy with the slightest amount of targeted work to convince users to click.

Eric Rand and Nik Labelle believe they have an answer to this problem—an answer that could potentially derail not just phishing attacks but other manner of malware as well. Instead of relying on the intelligence of users, Rand and Labele have been working on software that takes humans completely out of the loop in phishing defense by giving clicks on previously unseen domains a time out, “greylisting” them for 24 hours by default. The software, a project called Foghorn, does this by intercepting requests made to the Domain Name Service (DNS).

Greylisting has been used in spam filtering for e-mails, where it deliberately delays e-mails delivered from previously unseen sources and sends temporary errors back to the sender for a few minutes or hours. Spam greylisting operates under the assumption that a real mail server will re-attempt delivery, while spambots likely will not.

Foghorn applies the same approach to unseen domain names, but it does so for a different reason: many of the domains behind phishing attacks are active for less than 24 hours before they’re rotated to another domain, according to an Anti-Phishing Working Group survey. As Rand said in his presentation about Foghorn at DefCon, “Lots of people are very invested in taking [phishing domains] down quickly, so phishers have to keep moving.” By delaying the availability of previously unseen domains, the likelihood of users getting phished could be significantly reduced. Plus, known good domains can always be whitelisted. Additionally, greylisting domains can cut off the command and control for botnet malware that may have already infected systems on the network, since many botnets use random domain generation algorithms to evade detection and change the domains they access frequently—sometimes in as little as hours or minutes.

Foghorn is a proof-of-concept prototype DNS greylisting system. Built with Python and the Twisted event-driven networking engine, Foghorn acts as a DNS proxy, filtering outbound DNS requests from devices on a local network. Before being activated, it can be set in “baselining” mode to collect a list of domains typically visited by users on the systems to be protected—these can be “whitelisted” to ensure that they’re always reachable.

According to Rand’s whitepaper describing the project, after Foghorn is activated, “when a workstation attempts to fetch a DNS record not previously seen on the network, the greylister will initially resolve that domain to some locally-controlled asset rather than allowing the request to complete; after some timeout period, the request will then resolve as normal.” If a domain isn’t requested again within a certain amount of time—by default, seven days—Foghorn resets it for greylisting again. This is intended to protect against phishes from previously safe domains that might get hijacked when they expire.

The sites that get greylisted also get recorded in logs by Foghorn, and those logs can be used by a security information and event management (SIEM) system or other security tools to alert administrators to potential attacks (while also identifying which users clicked on them).

Foghorn is still very much a work in progress. It currently only handles requests for “A” records—records in the DNS listing for a domain that specify the Internet Protocol address associated with a particular name. (Update: Foghorn also now handles AAAA records for IPv6 addresses.) It also doesn’t catch requests to specific IP addresses instead of domain names, so links that use an IP address instead of a hostname will slip past unless an HTTP proxy blocks them. The approach may not be a good fit for some people, too. But given the cost (and futility) of phishing training, Foghorn may be a great idea for smaller businesses—and you may want to set it up on your parents’ home network while you’re at it.