
Blockade

Blockade brings antivirus-like capabilities to users who run Chrome and Firefox browsers. Built as an extension, Blockade blocks malicious resources from being viewed or loaded inside of the browser.


Blockade Suite

The Blockade Cloud Node lets you or anyone else host their own indicator source.

The Blockade Analyst Toolbench is a simple command line tool to speed up indicator submissions to Blockade cloud nodes.

Support

For bugs and other problems, please file a message in the repository's issues area. For private questions or comments, contact Brandon at info@blockade.io or find us on social media.


Overview

Blockade is split into two pieces: the cloud infrastructure and the local Extension. Intelligence is passed from the cloud infrastructure directly into the browser’s local storage. Using special APIs available to extensions, Blockade looks for any web request matching a known indicator and blocks it from being loaded. Malicious events from Blockade are passed to the cloud infrastructure, where analysts can review the findings and surface more attacks.

Cloud Node

Blockade makes use of a “serverless architecture” provided by Amazon Web Services. In order to power the Extension, the cloud node exposes two endpoints: one for getting intelligence and the other for processing events generated from malicious content. Each of these APIs maps to a stateless function that either reads from or writes to a NoSQL database. For events in particular, a copy of the content is also sent to S3 for long-term storage.

Indicator Format

Data sent to each end-user browser is in a simple array format of hashed details and uses the following structure.

Event Format

For analysts, it’s important to understand as much as possible about a given attack. Blockade events retain the web request context generated by the browser and include some additional properties about the environment. This data allows analysts to potentially surface more intelligence that can then be sent back to Blockade.

{
    "analysisTime": "2016-12-29T19:24:30.414Z",
    "event": "e37d427c5b29b9af9dd3d762f4342307da61837fe9f946e20219c2a2af7c1196",
    "indicatorMatch": "evil.com",
    "metadata": {
        "frameId": 0,
        "method": "GET",
        "parentFrameId": -1,
        "requestId": "238024",
        "tabId": 3613,
        "timeStamp": "1.48303947041e+12",
        "type": "main_frame",
        "url": "https://www.evil.com/install.html"
    },
    "sourceIp": "108.56.78.203",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
}

Browser Extension

Blockade uses a browser Extension in order to perform blocking inside of the browser. Hashed intelligence* from the cloud node is sent down to the browser and stored inside of local storage. In order to inspect web traffic, Blockade uses the browser.webRequest APIs and places a hook on onBeforeRequest, so that all web requests are analyzed prior to leaving the browser.

If Blockade identifies a malicious web request, an event is generated and stored inside an events section within local storage. Events contain all the details of the request plus some additional properties about the browser itself. On a regular schedule, events are synced to the cloud node so that analysts can process them.

* Indicators are hashed using MD5. While not secure, this algorithm greatly reduces the key size and allows us to store well over a million indicators inside of local storage.