Expired

XII. Firewall/Security Features

Expired

Blocking "Punycode" phishing / spoofing attacks with DrayTek CSM

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2763
Show all

Keywords:
csm
dns
filtering
https
Show all

Blocking "Punycode" phishing / spoofing attacks with DrayTek CSM

Background Information

The Internet was originally designed for use in English, using Latin characters in ASCII format (a-z, A-Z, 0-9 and some other common characters). Displaying the letters of other languages, such as Chinese or Arabic, is not possible using a normal URL, because URLs can only contain ASCII characters. Unicode is an expanded character set that can display these characters but cannot be used in URLs without significantly changing how the Internet and URLs work.

Punycode (RFC 3492) is used to display Unicode characters in a URL so that users in countries with languages that use non-Latin characters can use the Internet in their native language.

Web browsers are designed to display URLs constructed in the Punycode format with the Unicode characters they represent, rather than the low-level Punycode format of URLs starting with "xn--".

The term "Phishing" refers to an attempt to trick users into entering sensitive information, such as credentials or financial information on a webpage pretending to be another, legitimate website such as an online bank. Users can typically check the URL of the website and possibly its HTTPS certificate to verify that website is legitimate or not.


Punycode Phishing Example

Unicode and therefore Punycode, can also display normal Latin characters through Unicode. Because of this, Punycode URLs can be constructed to display a website URL that appears as though it's a normal ASCII / Latin character set URL, potentially displaying the same URL as the legitimate site that it's copying.

For an example, the URL "www.xn--80ak6aa92e.com" may be displayed by a web browser as "www.apple.com".

Potentially, a user could be presented with what appears to be a legimate URL but would be accessing a fake website, increasing the likelihood of phishing or spoofing attacks.


This risk can be mitigated on DrayTek Vigor routers by blocking the use of Punycode - this is achieved by blocking the DNS resolution of Punycode URLs.

Please be aware that blocking the use of Punycode URLs will block access to websites that are accessed exclusively through a Punycode-encoded URL.

Implementation

In this example, access to Punycode-encoded URLs will be blocked using the URL Content Filter blocking the keyword of "xn--", which will block HTTP access, then the DNS Filter will be used to apply the URL Content Filter for HTTPS or non-HTTP traffic.

This can be applied either to the entire network using the Default Rule, or it can be applied using Firewall Filter rules - using a filter rule makes it possible to apply the DNS filtering to specific network segments.

There are two types of DNS Filtering on the router:
The DNS filter applied through the firewall has multiple profiles and filters all external DNS access.
The DNS Filter Local Setting filters DNS lookups that use the router IP as the DNS server.

This guide will cover the configuration of both as it is recommended to configure both types of filter to ensure effective DNS filtering.


To set this up, it's necessary to configure the keyword to block first of all, go to [Objects Setting] > [Keyword Object]. To configure a keyword, select a profile index number by clicking on the number:

Give the Keyword Object a suitable name and set the Contents field as "xn--". That's xn with two hyphens:

Click OK to save the keyword object.


Go to [CSM] > [URL Content Filter Profile] and select an un-used profile by clicking the number link i.e. "1." to go into the profile:

Give the profile a suitable name and set it up as shown:

  • Priority: Either: URL Access Control First
  • Tick Enable URL Access Control
  • Set the Action to Block
  • Click Edit to set the Keywords that are applied in the URL Content Filter, which will pop-up a window to select which Keyword Objects or Keyword Groups will be used. Select the "punycode" object and click OK to select it in the URL Content Filter profile.

Click OK on the URL Content Filter Profile to save that profile.


With the URL Content Filter Profile configured, the DNS Filter Local Setting can now be configured, go to [CSM] > [DNS Filter]. On there, enable the filter and select the URL Content Filter profile to apply using the DNS Filter. The DNS Filter Local Setting affects filtering on the router's DNS server i.e. if a client uses the router IP as the DNS server, the DNS Filter Local Setting needs to be configured.

  • Enable the DNS Filter
  • For the UCF option, Select the URL Content Filter profile that was just created

Click OK to save that then go into one of the DNS Filter profiles in the DNS Filter Profile Table to set up the filtering that will link to the firewall:

In the profile, give it a suitable name and select the URL Content Filter Profile to use, then click OK:


The DNS Filter and URL Content Filter can now be linked to the firewall and there are two different methods for applying this:

Default Rule

The default rule CSM settings will affect the whole network, it is possible to make exemptions from this or set up other CSM profiles through the use of a filter rule.

Enforcing the Punycode-encoded URL block is configured from [Firewall] > [General Setup], on the Default Rule tab. On there, select the "Punycode" entries just created for the URL Content Filter Profile and DNS Filter then click OK.

Filter Rule

Filter rules can be used to apply CSM to specific network segments i.e. a guest network on 192.168.3.x. They can also be used to make exemptions to CSM filter settings configured in the Default Rule, or apply a different profile to a specific network segment while applying CSM using the Default Rule.

To set the URL Content Filter and DNS Filter in a filter rule, go to [Firewall] > [Filter Setup], on there, select 2. Default Data Filter by clicking the "2." link and select the first unused rule in that filter set by clicking the button for the filter rule. In the filter rule, configure the schedule settings (if required), the Source IP (to control which network segment / IP it applies to), leave the Action set to Pass Immediately or Pass If No Further Match then select the URL Content Filter Profile and DNS Filter Profile entries for Punycode-encoded URLs to apply the block. Click OK and the filter rule will take effect immediately


The DNS Filter will now monitor DNS queries going through the router to check whether the hostname matches the keywords being blocked by the URL Content Filter.

When attempting to access a Punycode-encoded URL, the router will intercept the DNS request, determine that it starts with "xn--" and block access to the URL for both encrypted and un-encrypted connection attempts.

Below is an example of the block page that the router will display when accessing a blocked site:

The message shown can be customised on the [CSM] > [DNS Filter Profile] page.

This message will only be shown when accessing a website via HTTP (unencrypted). When websites are accessed over HTTPS, the web browser will typically display a certificate error; the block page can be viewed by bypassing the certificate error warning.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1