BounceBack: Shield protects C2/Phishing infrastructure from attacks

Protecting infrastructure from cyber attacks is becoming increasingly important. Especially for C2/Phishing systems, anonymity and security are key factors to maintain operations. BounceBack – a powerful and flexible reverse proxy – is designed to meet this need. With high customization, smart filtering system and WAF integration, BounceBack is the optimal solution to protect your infrastructure from surveillance and attacks.

Introducing BounceBack

BounceBack is a powerful reverse proxy, highly customizable and flexible in configuration, integrating WAF (Web Application Firewall) function to help hide your C2/phishing infrastructure from the security team's eyes (blue). team), sandbox, scanning tools, etc. It uses real-time traffic analysis through many filters to prevent illegal access.

The tool is delivered with a list of blocked words, blocked IP addresses, and preconfigured permissions. For more information on how to use the tool, you can visit the project's wiki below:

Github link

See more: De digger: Tool to find other people's files on Google Drive

Outstanding features of BounceBack

BounceBack possesses many superior features to help protect your infrastructure effectively:

• Highly customizable and flexible filtering system: With the ability to combine boolean-based rules (and, or, not), BounceBack can hide your infrastructure from even the most critical eyes of your security team. .
• Easily extensible project structure: Everyone can add their own C2 rules, increasing flexibility and customization.
• Massive IP blacklist integration: This list includes IP ranges and IPv4 pools known to be relevant to IT security vendors, combined with IP filtering to prevent them from using/downgrading attacks. your floor.
• Malleable C2 Configuration Analyzer: BounceBack can validate incoming HTTP(s) traffic against Malleable configuration and reject invalid packets.
• Domain Fronting support: This feature helps you hide your infrastructure more effectively.
• Check IP geolocation: BounceBack can check the request's IPv4 address against IP geo/reverse lookup data and compare it with specified regular expressions to rule out connections from Outside companies, countries, cities, domains, etc. are allowed.
• Uptime Filter: All incoming requests can be allowed/disallowed for any time period, so you can configure uptime filters.
• Multiple proxy support: BounceBack supports multiple proxies with different filtering pipelines on the same instance.
• Detailed logging mechanism: Allows you to track all incoming requests and events to analyze security team behavior and debug incidents.

Mechanism of action of the rule

The main idea of ​​the rules is how BounceBack matches traffic. The tool currently supports the following rule types:

• Boolean-based rule combination (and, or, not)
• Analyze IP and subnet
• Check the IP geolocation fields
• Reverse domain lookup
• Raw package regular expression matching
• Malleable C2 configuration traffic authentication
• Working (or non-working) hour rules
• Custom Rules: Custom rules can be easily added by registering RuleBaseCreator or RuleWrapperCreator your. See the RuleBaseCreator and RuleWrapperCreator already created in the project.

You can find the rules configuration page HERE

Proxy configuration and supported protocols

The proxy section is used to configure where to listen and proxy traffic, what protocols to use, and how to bind rules together to filter traffic. Currently, BounceBack supports the following protocols:

• HTTP(s): For your web infrastructure.
• DNS: For your DNS tunnels.
• Raw TCP (with or without tls) and UDP: For custom protocols.
• Custom Protocols: Custom protocols can be easily added by registering your new type in management program. You can find examples of proxies here.

You can find the proxy configuration page at this page.

Instructions for installing BounceBack

Method 1: Install from release

Download the latest release from this page > Extract folder > Edit configuration file > Launch BounceBack.

Method 2: Install from source code

Clone the project (don't forget GitLFS) > Settings goreleaser > Run command:

goreleaser release --clean --snapshot

How to use BounceBack

Step 1 (optional): Update banned_ips.txt list:

list:bash scripts/collect_banned_ips.sh > data/banned_ips.txt

Step 2: Edit config.yml for your needs: Configure rules to match traffic, proxies to analyze traffic using rules, and global variables for in-depth rule configuration.

Step 3: Run BounceBack: ./bounceback

Command line options:

• -c, –config string: Path to the configuration file in YAML format (default is “config.yml”).
• -l, –log string: Path to the log file (default is “bounceback.log”).
• -v, –verbose count: Log details (0 = info, 1 = debug, 2+ = trace).

See more: DNS Spy: Tool to analyze DNS of any Domain

Conclusion

BounceBack is a flexible tool that helps protect C2/phishing infrastructure. With its highly customizable, flexible filtering system and support for a wide range of protocols, BounceBack is an ideal choice to enhance the security of your system.