Technology FAQ

Technology FAQ

 

What does ThreatSTOP do?

How does ThreatSTOP work?

How can I use ThreatSTOP?

What is special about ThreatSTOP?

What are users asking?

ThreatSTOP blocks network communication with threat actors

ThreatSTOP users create and enforce security policies to block threats, choosing from categories of threat taxonomy, severity, and geographic location. The IPs and domains that comprise policies and their threat categories are continuously updated using threat intelligence developed internally and by The ThreatSTOP platform that aggregates over 50 public, private and paid security intelligence feeds. Users can also add custom block lists and whitelists, where they define and manage addresses their network can and cannot connect to.

Threats are blocked by enforcing policies at an infrastructure layer through native integration with network devices such as Firewalls, Routers, Switches, DNS Servers, and Microsoft's Azure public cloud. Users run the ThreatSTOP service on their existing network hardware, with no additional hardware or software needed.

Inbound and outbound connections are governed by the Shield policy, where users determined if connections should be allowed, blocked at the SYN (first) packet, or other actions such as redirection of a query to a walled garden.

Return to TOC

 

Aggregates threat feed information from many sources and operationalizes it

The ThreatSTOP platform aggregates threat data from numerous authoritative sources in real-time as it is updated, and stores the aggregated data. This dynamic threat data is operationalized by delivering it rapidly to network devices where the data, in the form of lists, can be enforced against inbound and outbound network traffic.

ThreatSTOP leverages patented technology to take threat information and turn it into a set of DNS files that can then be assembled into DNS lookups. These are made available using standard DNS protocols.

ThreatSTOP is an aggregation and delivery platform for any threat intelligence feed, including feeds that are internally generated or sourced by our users.

Return to TOC

 

Updates Firewalls and other traffic management devices with dynamic threat data lists

The ThreatSTOP platform automates propagation of threat data lists of IP addresses and domains as Multi-Host DNS A records, so that Firewalls, Routers, Switches and DNS Servers can use them in rules. This is particularly useful for propagating dynamic lists to multiple network devices, and provides a single point of management. The most common reason for this is to propagate dynamic threat feed information, and customized allow and block lists.

The ThreatSTOP platform currently provides threat data aggregated from more than 50 intelligence sources, including:

The most common use of these lists is to block and log traffic to and from these IP addresses, but they can also be used for redirecting blacklisted users to a remediation server or directing attackers to a honeynet for research.

Return to TOC

 

Centralizes user management of custom allow and deny lists

The ThreatSTOP platform empowers users to create their own custom allow and deny lists. This simplifies and centralizes the management and propagation of block lists and whitelists across multiple devices from different manufacturers.

Custom allow and deny lists can be used to implement a "Deny all except...." security policy, or a "Always allow communications with ...." policy. Other applications of this are an IP-based Closed User Group, or for special traffic handling such as IP wiretapping.

ThreatSTOP's DNS Firewall uses Response Policy Zones (RPZ) to target communications to a specific URL for further action. This allows for traffic handling at the DNS level, instead of IP blocks. It also allows for the creation of Walled Garden security methods, domain denial, and masking.

Return to TOC

 

Archives Logs

Logs submitted to ThreatSTOP are archived and, in conjunction with our included web-based reporting, allows for observation of network traffic and provides for more efficient remediation of threats.

Return to TOC

 

Provides Enhanced Reports

The ThreatSTOP Intelligence Reports provide information in a manner that is easier to understand and work with than typical firewall logs, and provides a consolidated view into network traffic logs across multiple devices from different manufacturers.

Reports available through the ThreatSTOP platform correlate network device log entries with current and historical threat data, allowing users to characterize what type of entity was blocked. ThreatSTOP intelligence reports provide valuable insight into blocked threats to understand details such as threat type, severity, and potentially infected hosts in need of remediation.

Return to TOC

 

Builds on the Community Approach started by DShield

ThreatSTOP's roots can be traced to the collaboration between the founder of DShield, Johannes Ullrich, and two friends from the US Army, Marc Sachs and Tom Byrnes. It was originally created to close the loop, by making the data produced through the submission of firewall log data to DShield by the DShield community easily actionable. ThreatSTOP will continue to build this community, submitting data received from our users to DShield, and empowering users by operationalizing DShield feeds.

Return to TOC

 

Gathers data using HTTP, FTP, RSS and other methods

ThreatSTOP takes threat data that is published on the Internet&emdash;and by trust groups&emdash;using standard Internet Protocols, gathers the data as it is updated, parses it, and puts it into a database. The database identifies the source, time of publication, IP address, and any additional reputation information that may be available in the feed. That data is combined with threat intelligence generated by ThreatSTOP's security research team. In aggregate, this data forms the threat intelligence foundation of the ThreatSTOP platform, enabling users to create customized security policies and benefit from powerful reporting data about their network traffic.

Return to TOC

 

Turns Data into DNS files

Every two hours (currently, we set the update frequency to be 1/2 the update period of our feeds) The ThreatSTOP platform creates a set of files that can be used to create DNS lookups. Customer changes to policies and devices are propagated every 15 minutes.

Return to TOC

 

Creates DNS lookups

ThreatSTOP takes the DNS files and assembles them into basic and advanced lookups. These files are then loaded into a DNS server, and made available to authorized hosts.

The client machines query the zones they have configured in rules, using TCP lookups for larger lists, and take the actions that the firewall administrator or security team has programmed for the hosts in those lists.

Return to TOC

 

Secures the Nameservers

ThreatSTOP uses Domain Name System Security Extensions (DNSSEC) and Access Control Lists (ACL) to ensure that only subscribers are permitted access to their content. Basic users only have access to the basic zones, and only the devices configured by a particular user have access to the zones created by that user. Users cannot see or modify another user's custom zone, allow, or deny lists.

Return to TOC

 

Gathers log data

Using either e-mail, or the web upload form on our SSL secured UI, ThreatSTOP can gather log data from a broad base of users, earmark the firewall it came from, and load the data into a database where it can be analyzed and reported on.

Return to TOC

 

Generates Reports

Automated reporting available in the portal provides at-a-glance analysis of data gathered by network devices. This data can then be sorted by:

  • Date range
  • Source and Destination IP
  • Threat Type
  • Threat Source

This allows for expedited remediation of threats to sensitive data, as well as providing a visual assessment of detected threats and the action taken against them.

Return to TOC

 

Managed via the web

Users manage their feeds, subscriptions, and devices using an SSL secured website. This allows multiple devices to have specialized policies controlled from a single interface, instead of needing to access each device directly. This results in a higher level of productivity for Security and Operations teams, and a centralized platform from which security policies can be customized and expedited to a broad range of network devices.

Return to TOC

 

Parses data and submits to DShield

ThreatSTOP believes it is vital to give back to the security community. By parsing data into DShield format and bulk submitting it to DShield, it contributes to better anticipation of and defense against attacks. For users who are DShield contributors, or who would like to be, we allow the creation of a free Community Account, which will parse log data and submit it to DShield. Submissions to DShield are anonymized to remove the internal and public IP ranges.

Return to TOC

 

Identify existing network devices that are compatible with ThreatSTOP

ThreatSTOP can be used with any device that can use a forward DNS (standard) lookup in a rule. There is no special software or hardware required. This basic requirement means ThreatSTOP is compatible with the vast majority of network devices, ranging from Firewalls and Routers, to DNS Servers.

ThreatSTOP requires a fully RFC-compliant resolver, since the longer lists require TCP queries to propagate. The longer lists are broken into multiple lookups of 4000 hosts each, so in order to fully use ThreatSTOP, the system needs to be able to handle lookups of up to 4000 IPs per FQDN. Any resolver based on recent and current GNU, ISC or BSD resolver libraries has this capability.

ThreatSTOP is a pull, not a push, service. We make the DNS lookups available, but users must resolve and load them into their devices. Many devices do this automatically, based on the TTL of the DNS lookup, while others need to be told to flush and reload DNS periodically or require a script and a cron job.

ThreatSTOP secures its DNS infrastructure using ACLs that only allow configured devices to access our nameservers and devices configured in an advanced user's account to access their lists. As a result, ThreatSTOP needs to know the IP address that the queries will be coming from. If a user has a dynamic IP address, they will need to periodically update their configured IP address.

Return to TOC

 

Subscribe

ThreatSTOP is a subscription based service. To sign up for an account or to try the service as a free trial simply complete and submit this webform. The paid service allows for the creation of an account with access to our full suite of threat data across multiple devices. There is a Community account available free-of-charge, however these Community accounts are limited to access to our DShield threat list and the use of a single device.

Return to TOC

 

Configure Devices on ThreatSTOP

To configure devices for the ThreatSTOP platform:

  1. Select the manufacturer and model number of any network devices.
  2. Enter the IP addresses of the devices.
  3. Select the feeds to use (multiple feeds are available to Server Message Block (SMB) and Enterprise subscribers).
  4. Configure any custom allow or deny lists.
Return to TOC

 

Configure the firewall

When configuring a device, users are given custom instructions for their specific firewall. The basic steps consist of:

  1. Making a user's firewall resolve the threatstop.local domain using our nameservers. The easiest way to do this is make our nameserver primary for your firewall. ThreatSTOP will complete the recursive queries for the user.
  2. Configure user's rules to use the lookups, specifying the action you want to take. This is covered in more detail in the help section of our UI.
  3. Make any configuration changes or cron jobs necessary to have the device reload the lists every two hours, if the device doesn't reload on TTL expiration.
  4. Configure firewalls to send ThreatSTOP the logs.
Return to TOC

 

Submit your logs

The easiest way to do this is via e-mail, using the automatic feature of your firewall or a cron job, to @logs.threatstop.com. Alternatively, for some firewalls you may run a script that automatically uploads them via https (SSL) to our servers. However, if neither option works, you can always submit logs using the web interface once you have logged in to your customer area at https://threatstop.com/.

ThreatSTOP uses the logs to develop additional, timely, threat feeds, and show users what lists the IPs blocked by the firewall and where they came from.

Return to TOC

 

Patented use of DNS

ThreatSTOP provides sets of forward lookups where the NAME of the lookup is the reputation assigned to it. Unlike a traditional Realtime Blackhole Lists (RBL), this lookup can be used directly in routing decisions. There is no need to reverse the quads, append the zone, and then interpret the measure of "badness" of the number that comes back. This seemingly simple idea is actually non-trivial to implement, due to limitations in the current nameservers. Also, it is only recently that firewalls have been powerful enough to compare connections to thousands of IP addresses without overwhelming the RAM and CPU.

ThreatSTOP holds patents on these methods, which are distinctly different from the current RBL method of disseminating threat intelligence.

Return to TOC

 

Do I have to make ThreatSTOP my primary DNS?

No, that is simply the easiest configuration. As long as your devices resolve the domain threatstop.local and its subdomains using our servers, the service will work.
One of the easiest ways to use ThreatSTOP is to make our DNS servers a forwarder for the zone threatstop.local on the user's DNS servers, and leave everything else in the nameservers the same. Just make sure to register whatever IP address the DNS queries come from as the target device.

Alternative methods include doing a sub-delegation from whatever nameserver being used, or making the ThreatSTOP servers forwarders. All these methods will require that the user configure the IP address of their nameservers (or whatever they are NATed to) as the "device" in our service.

Return to TOC

 

Can user nameservers query the ThreatSTOP nameservers?

Yes, as long as the IP address the queries come from is configured as the device in the user's account.

Return to TOC

 

What format should users send their logs in?

ThreatSTOP is constantly working on parsing new formats, for which we need example logs. DShield format is obviously preferred however, we will accept any format. Our parsers will automatically parse and modify the logs into a homogenous format for processing.

Return to TOC

 

How often do you update the feeds?

Every two hours. If a user's firewall doesn't automatically perform a lookup on expiration of TTL, then the user will need to instruct the device to fetch the updated lists, via configuration or by using a cron job.

Return to TOC

 

IP v.x.y.z is in the feed, but I want to talk to it!

The ThreatSTOP platform provides the ability to easily create and manage user-defined whitelists as part of a security policy. If the user is an advanced customer, they can add the IP/range to their custom allow list. Basic subscribers, need to create a rule that has higher priority than our block list to allow the traffic. Users can also contact the data provider, such as DShield, to request that the IP be removed.

One reason why a particular IP address is blocked is because it is used by multiple servers or virtual hosts, one of which has been compromised. While it is likely that the one compromised virtual host is not going to infect others, if the hosting company/users have not correctly implemented their security system, then the compromise may well spread.

Users can discover why a host is in our list using the Check IP Address tool.

Return to TOC

 

My firewall isn't listed, can I use ThreatSTOP?

ThreatSTOP supports the majority of firewalls and network devices available on the market. However, if a device is not listed as a supported model ThreatSTOP will still likely be compatible in most cases. As long as the firewall, its management station, or any computer a script can be run on and can configure that firewall from, has a DNS resolver that works, it can use ThreatSTOP.

Return to TOC

 

How is ThreatSTOP different from OpenDNS?

ThreatSTOP does not change what real names on the Internet resolve to, which is how OpenDNS works. We propagate private (local) names that express the reputation that the data provider assigns to the IP address. This has several advantages over OpenDNS.

  1. OpenDNS is a one-size-fits-all system. If a URL is redirected by OpenDNS, it is redirected for everyone. ThreatSTOP allows the user to decide what to do with a given IP address list, and for our advanced customers, allows the user to decide which lists of IPs to use.
  2. ThreatSTOP can be used for inbound and outbound connection blocking, as well as other traffic routing decisions.
  3. ThreatSTOP doesn't require that all user clients resolve all their names through our service. It doesn't even require that your firewalls do, as long as they resolve threatstop.local through it. As a result, it changes the configuration of fewer devices.
  4. ThreatSTOP is not subject to the problem of a system bypassing protection by statically configuring nameservers. Even systems using alternate DNS providers are subject to the rules, if their traffic goes through your firewall.
  5. ThreatSTOP protects against connections to numeric IP addresses used in phishing attacks OpenDNS does not provide this level of protection.
  6. ThreatSTOP users can easily and rapidly manage whitelists and user-defined block lists to determine which addresses their networks can or cannot connect to. OpenDNS requires reclassification requests and waiting for a third party to implement the changes.
Return to TOC

 

Is adding ThreatSTOP's nameservers to a user's list of resolvers enough to make it work?

No, if the user is not specifically configuring their firewalls to use ThreatSTOP as a primary or authoritative DNS for threatstop.local, lookups will fail. There are no NS records in the public Internet for .local, and there never will be. This is by design.

Return to TOC

 

I have an IDS and use its alerts to put blocks in my firewall, why do I need ThreatSTOP?

ThreatSTOP isn't a replacement for your Intrusion Detection System (IDS), but a service that helps protect against unknown attacks by blocking communication with IPs and domains used by attackers. Unknown attacks and dangerous SPAM are frequently first detected by DShield/Internet Storm Center, Spamhaus, a number of other feeds aggregated on our platform. ThreatSTOP offloads IDS and SPAM filters by blocking the worst malware, bots, and spammers before they reach the network. This eliminates wasted time, and effort (in terms of CPU, bandwidth, etc) with costly defenses, like signature matching and RBL at the MTA.

Taking IDS alerts and using the sources in block lists can be effective, as long as users are vigilant about false positives. However, an IDS can only protect against known attacks, for which there are signatures, or attacks that are similar in nature. And IDSes offer not protection against SPAM.

Return to TOC

 

Is ThreatSTOP useful for networks without servers?

For organizations that do not allow any inbound connections to their network, any tool that blocks connections from attackers, like an IDS or ThreatSTOP, may appear to not be useful. The difference is that ThreatSTOP can block OUTBOUND connections to the systems on lists. The systems listed are, in general, compromised by threat actors, and access should be blocked. In some cases, in particular systems that appear on the DShield lists, can be malware seed sites, or bot masters. As a result, you will gain some measure of additional protection from using ThreatSTOP.

Return to TOC

 

How can an IP get removed from ThreatSTOP data feeds?

ThreatSTOP does not generate data feeds. We aggregate information from a broad range of threat data sources, and make it available in a format that can be used to make a routing decision.

If an IP is potentially being blocked incorrectly, users can discover why a host is in our list using the Check IP Address tool. The data provider should then be contacted with a request to correct any errors.

Return to TOC

 

How do I contact you?

Return to TOC

 

Does ThreatSTOP make changes to my network devices?

All changes to firewalls and other network devices are made by the user, and only the user controls what lists are used, when they are updated, and what is done with any traffic identified as potentially malicious. Users also control the timing, method, and content of any submitted logs.

ThreatSTOP is a pull, not a push, service. It pulls in lists of compromised IPs published by others and makes them available as DNS forward lookups using a private, secured DNS. User's devices query those lists to update their security.

To submit logs to ThreatSTOP, you either e-mail them to us, or upload them to a webform. Users initiate all communications to our servers, ThreatSTOP's servers never initiate communication to the user's servers. Because of this, the user retains full control over their network devices while benefiting from powerful, centralized, and easy-to-use security that improves the protection those devices can provide.

Return to TOC

 

What if a firewall or network device can't resolve the lists?

The two most common causes of this problem are TCP name resolution not being allowed, or that the device has been configured with the wrong IP address.

Because the lists are long, ThreatSTOP uses TCP to propagate them. Users need to allow port 53 TCP queries from their nameservers, firewall, or network device. There is no need to allow INBOUND, only outbound queries TO our servers.

Our system uses a private, secure, DNS. If the source IP of a query is not in our ACL, the user will be denied. Make sure that the devices configured in our UI match the IP addresses the queries come from.

Return to TOC