Squid helpers for enumerating ASNs for given IP addresses/domains and querying them against ASNBLs

twesterhever/squid-asnbl

Squid helper for enumerating ASNs of given destinations, querying them against ASNBLs and proactive detection of fast-flux setups

This repository contains a Squid helper script for enumerating the Autonomous System Number(s) of a given destination and querying them against DNS- or file-based ASN blacklists.

Checking ASN reputation is useful because some blacklists list entire ASNs but not every prefix announced by them (most software, in fact, is not capable of ASN-based filtering at all).

Further, fast-flux C&C domains (among other malicious fast-flux hosting scenarios) tend to be spread across multiple ASNs, while legitimate sites usually only scatter over one to four ASNs. Even further, miscreants might announce their IP ranges only towards their targets, operating C&C servers or sending spam without being visible to the rest of the internet and thus without being exposed to security researchers and blacklist operators.

Spamhaus ASN-DROP was the only publicly available ASN-based blacklist. However, it has been "suspended due to operational constraints" since October 2021.

asnbl-helper.py

This script takes a destination IP address or domain (which will be resolved into its IPs) and enumerates all ASNs for it. If configured, access is proactively blocked if the ASN diversity exceeds a given threshold (5 might be a reasonable value), thus introducing a primitive fast-flux (C&C) mitigation.

Additionally, this script queries the given ASN blacklists (DNS- and/or file-based), returns OK if any enumerated ASN is listed, and ERR if none is. Blacklists and their types are read from a configuration file, which has to be the first and sole command line argument of asnbl-helper.py.
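The verdict logic described above (ASN enumeration per destination IP, the ASN diversity threshold, the file-based blacklist lookup and the OK/ERR answer a Squid external ACL expects), as an added, self-contained example that is not the repository's own code. The ASN database is a constructed in-memory stand-in for the IPFire Location database, the blacklist file format (one ASN per line, "#" comments, optional "AS" prefix) and the pre-resolved IP list are assumptions for this example.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set

# Constructed stand-in for an ASN database (the real helper uses the IPFire
# Location database): prefix -> origin ASN, using documentation ranges.
CONSTRUCTED_ASN_DB: Dict[ipaddress._BaseNetwork, int] = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("203.0.113.0/24"): 64498,
    ipaddress.ip_network("2001:db8::/32"): 64499,
}

# Constructed file-based ASNBL as the helper might read it from disk.
CONSTRUCTED_ASNBL_FILE = "64497\n# comment line\n\nAS64510\n"


def load_file_asnbl(text: str) -> Set[int]:
    """Parse a file-based ASN blacklist: one ASN per line, '#' starts a comment."""
    listed: Set[int] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            listed.add(int(line.upper().lstrip("AS")))
    return listed


def lookup_asn(ip: str, asn_db: Dict[ipaddress._BaseNetwork, int]) -> Optional[int]:
    """Return the ASN of the longest prefix containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, asn) for net, asn in asn_db.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def enumerate_asns(ips: Iterable[str], asn_db) -> Set[int]:
    """Collect the distinct ASNs behind all resolved IPs of a destination."""
    return {asn for asn in (lookup_asn(ip, asn_db) for ip in ips) if asn is not None}


def decide(asns: Set[int], asnbl: Set[int], max_asn_diversity: int) -> str:
    """Squid external ACL answer: OK = ACL matches (listed ASN or fast-flux suspect)."""
    # Proactive fast-flux mitigation: too many distinct ASNs for one destination.
    if max_asn_diversity and len(asns) > max_asn_diversity:
        return "OK"
    # Blacklist hit on any enumerated ASN.
    if asns & asnbl:
        return "OK"
    return "ERR"
```

With http_access deny asnbl in squid.conf, an OK answer blocks the request; threshold 5 corresponds to the value the text above calls reasonable.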

Sanity checks are executed against the given ASN database in order to make sure it is operational. For enumerating the Autonomous System of an IP address, this script currently supports the IPFire Location database only. (DNS-based ASN lookup services and the pyasn database file were found to cause more trouble than they solve in production environments, massively increasing the complexity of this repository's contents and hence its attack surface.)

Obtaining and updating the ASN database goes beyond the scope of this repository.

Please refer to example-configurations/asnbl-helper.conf for a configuration file sample.

In order to work under chrooted Squid instances on BSD, the shebang /usr/bin/env -S python3 -u needs to be changed to /usr/local/bin/python3 -u.

Example Squid configuration

Define asnbl-helper.py as an external Squid helper:

external_acl_type asnblhelper children-max=10 children-startup=2 %DST /usr/local/bin/asnbl-helper.py /path/to/asnbl-helper.conf
acl asnbl external asnblhelper

The helper can be used for both blacklisting and whitelisting. In case of blacklisting, just deny access to the defined ACL:

http_access deny asnbl

For usage as a whitelist, choose allow instead of deny here. (You might want to rename the ACL to asnwl or similar then, as the name in the given example would be misleading.)

Further Readings
