TL;DR
This guide shows you how to identify and block domains that look harmless but are used for bad purposes (malicious activity). We’ll cover checking domain reputations, using threat intelligence feeds, and configuring your systems to prevent connections.
1. Understanding the Problem
Domains can be registered with innocent-sounding names but then used for phishing, spreading malware, or other cyber security threats. These are often called ‘benign malicious domains’ because they don’t *look* dangerous at first glance.
2. Checking Domain Reputation
- Use Online Tools: Several websites check domain reputations for you. Some popular options include:
  - VirusTotal (https://www.virustotal.com)
  - URLVoid (https://urlvoid.com)
  - Talos Intelligence (https://talosintelligence.com)
  Enter the domain name and see if it’s been flagged as malicious by any security vendors.
- WHOIS Lookup: Check who registered the domain. Suspicious registration details (e.g., privacy protection, recently created domains, unusual contact information) can be a red flag.
whois example.com
3. Threat Intelligence Feeds
Threat intelligence feeds provide lists of known malicious domains. You can use these to automatically block access.
- Free Feeds: Some free feeds are available, but their accuracy and update frequency may vary.
  - AlienVault OTX (https://otx.alienvault.com)
  - Emerging Threats Open Rules (https://rules.emergingthreats.net – often includes domain lists)
- Commercial Feeds: Paid feeds generally offer more comprehensive and up-to-date information.
  - Recorded Future
  - Proofpoint ET Intelligence
4. Blocking Domains
How you block domains depends on your systems.
- Firewall: Add the malicious domain to your firewall’s block list.
# Example using iptables (Linux). Outbound traffic goes through the OUTPUT chain; note that iptables resolves the name to its current IP addresses when the rule is added, so the rule must be refreshed if the domain’s addresses change.
iptables -A OUTPUT -d example.com -j DROP
- DNS Server: Configure your DNS server to resolve the domain to a non-routable IP address (e.g., 127.0.0.1). This prevents applications from connecting to the malicious domain.
- Web Proxy/Content Filter: Most web proxies and content filters allow you to block domains.
- Hosts File (for testing): You can manually add entries to your hosts file, but this is only suitable for small-scale testing. Edit the hosts file on your system (requires administrator privileges).
# Example hosts file entry (Linux/macOS)
127.0.0.1 example.com
- Browser Extensions: Some browser extensions can block known malicious domains.
5. Automating the Process
Manually updating block lists is time-consuming. Consider automation.
- Scripting: Write a script to download threat intelligence feeds and automatically update your firewall or DNS server.
- Security Information and Event Management (SIEM) Systems: SIEM systems can integrate with threat intelligence feeds and automate blocking based on detected malicious activity.
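The script below is an added example (not part of this guide) of the feed-to-blocklist step described in sections 3 and 5: it normalises a threat feed that mixes hosts-style lines, bare domains and comments into a clean set of domains, then emits hosts-file lines and dnsmasq sinkhole directives pointing at the non-routable address the guide uses. The feed text is constructed for illustration and contains no real indicators.

```python
import re
from typing import Iterable
# Constructed sample feed text (not a real indicator list): comment lines,
# hosts-style lines, bare domains, mixed case, trailing dots, an IP and junk.
SAMPLE_FEED = """# constructed sample feed
127.0.0.1 Update-Service.example
0.0.0.0 login-verify.example   # hosts-style line with trailing comment
secure-mail.example.
not a domain!
update-service.example
192.0.2.1
localhost
"""

SINKHOLE_IP = "127.0.0.1"  # non-routable target used by the guide
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}

def is_valid_domain(name: str) -> bool:
    """True for a syntactically valid, fully qualified DNS name (not an IP)."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) for label in labels)

def parse_feed(text: str) -> set:
    """Extract unique, normalised domains from hosts-style or bare-domain feeds."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # hosts-style lines carry an IP first; the domain is the last field
        name = line.split()[-1].lower().rstrip(".")
        if name not in _SKIP and is_valid_domain(name):
            domains.add(name)
    return domains

def hosts_entries(domains: Iterable[str]) -> list:
    """Lines for the hosts file (small-scale testing, as the guide notes)."""
    return [f"{SINKHOLE_IP} {d}" for d in sorted(domains)]

def dnsmasq_entries(domains: Iterable[str]) -> list:
    """dnsmasq directives that resolve each domain to the sinkhole address."""
    return [f"address=/{d}/{SINKHOLE_IP}" for d in sorted(domains)]

if __name__ == "__main__":
    print("\n".join(dnsmasq_entries(parse_feed(SAMPLE_FEED))))
```

In production the feed text would be fetched from the chosen feed on a schedule and the generated entries written to the resolver’s configuration before reloading it.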
6. Regular Review
Threats change constantly. Regularly review your block lists and update them as needed.