
Blockade

Blockade allows companies, large and small, to protect individuals from malicious websites while keeping sensitive data private. With Blockade, you have complete control over which threats are blocked in the browser.


Blockade Suite

The Blockade Cloud Node lets you, or anyone else, host your own indicator source.

The Blockade Analyst Toolbench is a simple command line tool that speeds up indicator submissions to Blockade cloud nodes.

Support

For bugs and other problems, please file an issue in the repository's issues area. For private questions or comments, contact Brandon at info@blockade.io or find us on social media.


Overview

Blockade is split into two pieces: the cloud infrastructure and the local browser extension. Intelligence is passed from the cloud infrastructure directly into the browser's local storage. Using APIs available only to extensions, Blockade inspects every web request and blocks any request that matches a known indicator before it is loaded. Malicious events detected by Blockade are passed back to the cloud infrastructure, where analysts can review the findings and surface further attacks.

Cloud Node

Blockade provides flexibility in how indicators are managed and delivered to end users. Administrators can run a cloud node on their own infrastructure, or deploy a serverless version on Amazon Web Services.

Traditional Deployment

Traditional cloud node deployments use a Python Flask application with a MongoDB back end. Users, indicators and events are managed by administrators. Two APIs are exposed publicly: one for retrieving indicators and one for submitting event data. Blockade was designed to run on commodity hardware and does not require significant resources.

Serverless Deployment

Serverless deployments run within Amazon Web Services (AWS) and fit within the AWS free tier. Users, indicators and events are managed by administrators. Two APIs are exposed publicly: one for retrieving indicators and one for submitting event data.

Using the analyst toolbench, users can automatically deploy a serverless cloud node with the provided scripts. For full details, see the following post.

Data Formats

Blockade has two primary data formats, indicators and events.

Indicator Format

Data sent to each end-user browser is a simple array of hashed indicator values and uses the following structure.

Event Format

For analysts, it is important to understand as much as possible about a given attack. Blockade events retain the web request context generated by the browser and include some additional properties about the environment. This data allows analysts to surface further intelligence, which can then be fed back into Blockade as new indicators.

{
    "analysisTime": "2016-12-29T19:24:30.414Z",
    "event": "e37d427c5b29b9af9dd3d762f4342307da61837fe9f946e20219c2a2af7c1196",
    "indicatorMatch": "evil.com",
    "metadata": {
        "frameId": 0,
        "method": "GET",
        "parentFrameId": -1,
        "requestId": "238024",
        "tabId": 3613,
        "timeStamp": "1.48303947041e+12",
        "type": "main_frame",
        "url": "https://www.evil.com/install.html"
    },
    "sourceIp": "108.56.78.203",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
}

Browser Extension

Blockade uses a browser extension to perform blocking inside the browser. Hashed intelligence* from the cloud node is sent down to the browser and stored in local storage. To inspect web traffic, Blockade uses the browser.webRequest API and registers a listener on onBeforeRequest, so that every web request is analysed before it leaves the browser.

If Blockade identifies a malicious web request, an event is generated and stored in an events section of local storage. Events contain the full details of the request plus some additional properties about the browser itself. On a regular schedule, events are synced to the cloud node so that analysts can process them.

* Indicators are hashed using MD5. MD5 is not a secure hash, but here it serves only as a compact, fixed-length lookup key: it greatly reduces the size of each entry and allows well over a million indicators to be stored in local storage. Hashing keeps the indicator list from being read off directly, but since the hashes are unsalted, anyone holding the list can still test whether a particular domain is on it by hashing that domain themselves.