Trace and block suspicious IPs
Big picture
Add threat intelligence feeds to Calico Enterprise to trace network flows of suspicious IP addresses, and optionally block traffic to suspicious IPs.
Value
Calico Enterprise integrates with threat intelligence feeds so you can detect when your Kubernetes clusters communicate with suspicious IPs. When communications are detected, an anomaly detection dashboard in the UI shows the full context, including which pod(s) were involved so you can analyze and remediate. You can also use a threat intelligence feed to power a dynamic deny-list, either to or from a specific group of sensitive pods, or your entire cluster.
Concepts
Pull or push threat feeds?
Calico Enterprise supports both push and pull methods for updating threat feeds. Use the pull method for fully automated threat feed updates without user intervention. Use the push method to schedule your own updates or if your threat feed is not available over HTTP(S).
Suspicious IPs: test before you block
There are many different types of threat intelligence feeds (community-curated, company-paid, and internally-developed) that you can choose to monitor in Calico Enterprise. We recommend that you assess the threat feed contents for false positives before blocking based on the feed. If you decide to block, test a subset of your workloads before rolling to production to ensure legitimate application traffic is not blocked.
Before you begin...
Required
Privileges to manage GlobalThreatFeed and GlobalNetworkPolicy.
Recommended
We recommend that you turn down the aggregation of flow logs sent to Elasticsearch for configuring threat feeds. If you do not adjust flow logs, Calico Enterprise aggregates over the external IPs for allowed traffic, and threat feed searches will not provide useful results (unless the traffic is denied by policy). Go to: FelixConfiguration and set the field, flowLogsFileAggregationKindForAllowed to 1.
You can adjust the flow logs by running the following command:
kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"flowLogsFileAggregationKindForAllowed":1}}'
How to
This section describes how to pull or push threat feeds to Calico Enterprise, and block traffic to a cluster for a suspicious IP.
Pull threat feed updates
To add threat feeds to Calico Enterprise for automatic updates (default is once a day), the threat feed(s) must be available using HTTP(S), and return a newline-separated list of IP addresses or prefixes in CIDR notation.
Using Manager UI
- From the Manager UI, select Threat Feeds --> Add Feed.
- Add your threat feed on the Add a New Threat Feed window. For example:
- Feed Name: feodo-tracker
- Description: This is the feodo-tracker threat feed.
- URL: https://feodotracker.abuse.ch/downloads/ipblocklist.txt
- Content type: IPSet
- Labels: Choose a label from the list.
- Click Save Changes.
From the Action menu, you can view or edit the details that you entered and can download the manifest file.
Go to the Security Events page to view events that are generated when an IP is displayed on the threat feed list. For more information, see Manage alerts. When you create a global threat feed in Manager UI, network traffic is not automatically blocked. If you find suspicious IPs on the Security Events page, you need to create a network policy to block the traffic. For help with policy, see Block traffic to a cluster.
Using CLIs
-
Create the GlobalThreatFeed YAML and save it to file. The simplest example of this looks like the following. Replace the name and the URL with your feed.
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
name: my-threat-feed
spec:
content: IPSet
mode: Enabled
description: 'This is my threat feed'
feedType: Custom
pull:
http:
url: https://my.threatfeed.com/deny-list -
Add the global threat feed to the cluster.
kubectl apply -f <your_threatfeed_filename>
Go to the Security Events page to view events that are generated when an IP is displayed on the threat feed list. For more information, see Manage alerts.
Push threat feed updates
Use the push method if your threat feeds that are not in newline-delimited format, not available over HTTP, or if you prefer to push updates as they become available.
-
Create the GlobalThreatFeed YAML and save it to file. Replace the name field with your own name. The name is important in the later steps so make note of it.
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
name: my-threat-feed
spec:
content: IPSet
mode: Enabled
description: 'This is my threat feed'
feedType: Custom -
Add the global threat feed to the cluster.
kubectl apply -f <your_threatfeed_filename>
-
Configure or program your threat feed to write updates to Elasticsearch. This Elasticsearch document is written using the tigera_secure_ee_threatfeeds_domainnameset.<cluster_name>. alias and must have the ID set to the name of the global threat feed object. The doc should have a single field called ips, containing a list of IP prefixes. For example:
PUT tigera_secure_ee_threatfeeds_domainnameset.cluster./_doc/my-threat-feed/_doc/my-threat-feed
{
"ips" : ["99.99.99.99/32", "100.100.100.0/24"]
}See the Elasticsearch document APIs for how to create and update documents in Elasticsearch.
If no alias exists in your Elasticsearch cluster, configure to write the Elastic document by specifying an index. Since the index name
<tigera_secure_ee_threatfeeds_ipset.cluster.linseed-{now/s{yyyyMMdd}}-000001>
contains a date pattern, make sure to send the request using the index name URL encoded.PUT /%3Ctigera_secure_ee_threatfeeds_ipset.cluster.linseed-%7Bnow%2Fs%7ByyyyMMdd%7D%7D-000001%3E/_doc/my-threat-feed
{
"domains" : ["malicious.badstuff", "hacks.r.us"]
} -
In Calico Enterprise Manager, go the “Security Events" page to view events that are generated when an IP is displayed on the threat feed list.
Block traffic to a cluster
Create a new/edit existing threat feed to include the globalNetworkSet stanza, setting the labels you want to use to represent the deny-listed IPs. This stanza instructs Calico Enterprise to search for flows to and from the listed IP addresses, and maintain a GlobalNetworkSet containing the IP addresses.
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
name: sample-global-threat-feed
spec:
content: IPSet
mode: Enabled
description: 'This is the sample global threat feed'
feedType: Custom
pull:
http:
url: https://an.example.threat.feed/deny-list
globalNetworkSet:
labels:
security-action: block
-
Add the global threat feed to the cluster.
kubectl apply -f <your_threatfeed_filename>
-
Create a GlobalNetworkPolicy that blocks traffic based on the threat feed, by selecting sources or destinations using the labels you assigned in step 1. For example, the following GlobalNetworkPolicy blocks all traffic coming into the cluster if it came from any of the suspicious IPs.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: default.blockthreats
spec:
tier: default
selector: all()
types:
- Ingress
ingress:
- action: Deny
source:
selector: security-action == 'block' -
Add the global network policy to the cluster.
kubectl apply -f <your_policy_filename>
Tutorial
In this tutorial, we’ll walk through setting up a threat feed to search for connections to suspicious IPs. Then, we’ll use the same threat feed to block traffic to those IPs.
We will use the free FEODO botnet tracker from abuse.ch that lists IP addresses associated with command and control servers. But the steps are the same for your commercial or internal threat feeds.
If you haven’t already adjusted your aggregation flows, we recommend it before you start.
Configure the threat feed
-
Create a file called feodo-tracker.yaml with the following contents:
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
name: feodo-tracker
spec:
content: IPSet
mode: Enabled
description: 'This is the feodo-tracker threat feed'
feedType: Custom
pull:
http:
url: https://feodotracker.abuse.ch/downloads/ipblocklist.txtThis pulls updates using the default period of once per day. See the Global Resource Threat Feed API for all configuration options.
-
Add the feed to your cluster.
kubectl apply -f feodo-tracker.yaml
Check search results
Open Calico Enterprise Manager, and navigate to the “Security Events” page. If any of your pods have been communicating with the IP addresses in the FEODO tracker feed, you will see the results listed on this page. It is normal to not see any events listed on this page.
Block pods from contacting IPs
If you have high confidence in the IP addresses listed as malicious in a threat feed, you can take stronger action than just searching for connections after the fact. For example, the FEODO tracker lists IP addresses used by command and control servers for botnets. We can configure Calico Enterprise to block all egress traffic to addresses on this list.
It is strongly recommended that you assess the contents of a threat feed for false positives before using it as a deny-list, and that you apply it to a test subset of your workloads before rolling out application or cluster-wide. Failure to do so could cause legitimate application traffic to be blocked and could lead to an outage in your application.
In this demo, we will apply the policy only to a test workload (so we do not impact other traffic).
-
Create a file called tf-ubuntu.yaml with the following contents:
apiVersion: v1
kind: Pod
metadata:
labels:
docs.tigera.io-tutorial: threat-feed
name: tf-ubuntu
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- command:
- sleep
- '3600'
image: ubuntu
name: test -
Apply the pod configuration.
kubectl apply -f tf-ubuntu.yaml
-
Edit the feodo-tracker.yaml to include a globalNetworkSet stanza:
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
name: feodo-tracker
spec:
content: IPSet
mode: Enabled
description: 'This is the feodo-tracker threat feed'
feedType: Custom
pull:
http:
url: https://feodotracker.abuse.ch/downloads/ipblocklist.txt
globalNetworkSet:
labels:
docs.tigera.io-threat-feed: feodo -
Reapply the new YAML.
kubectl apply -f feodo-tracker.yaml
-
Verify that the GlobalNetworkSet is created.
kubectl get globalnetworksets threatfeed.feodo-tracker -o yaml
Apply global network policy
We will now apply a GlobalNetworkPolicy that blocks the test workload from connecting to any IPs in the threat feed.
-
Create a file called block-feodo.yaml with the following contents:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: default.block-feodo
spec:
tier: default
selector: docs.tigera.io-tutorial == 'threat-feed'
types:
- Egress
egress:
- action: Deny
destination:
selector: docs.tigera.io-threat-feed == 'feodo'
- action: Allow -
Apply this policy to the cluster
kubectl apply -f block-feodo.yaml
Verify policy on test workload
We will verify the policy from the test workload that we created earlier.
-
Get a shell in the pod by running the following command:
kubectl exec -it tf-ubuntu -- bash
You should get a prompt inside the pod.
-
Install the ping command.
apt update && apt install iputils-ping
-
Ping a known safe IP (like 8.8.8.8, Google’s public DNS server).
ping 8.8.8.8
-
Open the FEODO tracker list and choose an IP on the list to ping. You should not get connectivity, and the pings will show up as denied traffic in the flow logs.
Additional resources
See GlobalThreatFeed resource definition for all configuration options.