BounceBack

Stealth redirector for your red team operation security.

BounceBack is a powerful, highly customizable and configurable reverse proxy with WAF functionality for hiding your C2, phishing and similar infrastructure from blue teams, sandboxes, scanners, etc. It analyses traffic in real time through various filters and combinations of filters to hide your tools from illegitimate visitors.

Features:
- A highly configurable and customizable filter pipeline with boolean-based combination of rules hides your infrastructure from even the keenest blue-team eyes.
- Easily extensible project structure: anyone can add rules for their own C2.
- An integrated, curated, massive blacklist of IPv4 pools and ranges known to be associated with IT security vendors, combined with the IP filter, blocks them from probing or attacking your infrastructure.
- A Malleable C2 profile parser validates inbound HTTP(S) traffic against the Malleable profile and rejects requests that do not match it.
- Out-of-the-box domain fronting support hides your infrastructure a little more.
- The IPv4 address of each request can be checked against IP geolocation and reverse-lookup data and matched against configured regular expressions, excluding peers connecting from outside the allowed companies, countries, cities, domains, etc.
- All incoming requests can be allowed or denied for any time period, so you can configure working-hours filters.
- Support for multiple proxies with different filter pipelines in a single BounceBack instance.
- Verbose logging keeps track of all incoming requests and events, for analysing blue-team behaviour and debugging issues.

BounceBack currently supports the following filters:
- Boolean-based (and, or, not) rules combinations
- IP and subnet analysis
- IP geolocation fields inspection
- Reverse lookup domain probe
- Raw packet regexp matching
- Malleable C2 profiles traffic validation
- Working (or non-working) hours rule

Proxies:
- HTTP(s) for your web infrastructure
- DNS for your DNS tunnels
- Raw TCP (with or without TLS) and UDP for custom protocols