How to block a large list of ASN's

Hello,

I want to block all ASN’s in this list: https://github.com/brianhama/bad-asn-list/blob/master/bad-asn-list.csv

from accessing my site, but is my only option to insert each ASN into the Firewall rules page? There are 700+ ASN’s there and this would take a crazy amount of time. Is there any way I can input the whole list into the firewall rules?

Thank you.

The API

https://api.cloudflare.com/#firewall-access-rule-for-a-zone-create-access-rule

I’m not too experienced in coding/developing, would you happen to know an easy way for me to use the API to quickly block the ASN’s? Thank you for your time.

There is an example, just follow it and iterate through your list.

Alternatively you could also set up a firewall rule and add all ASNs, but be careful not to exceed four kilobytes

(ip.geoip.asnum in {1 2})

fairly easy to do with some scripting/bash

# fetch the raw CSV from the repository
wget https://raw.githubusercontent.com/brianhama/bad-asn-list/master/bad-asn-list.csv
# column 1 is the ASN; skip the header row, strip the quotes, sort numerically, join on one line
asn=$(awk -F ',' 'NR>1 {print $1}' bad-asn-list.csv | sed -e 's|"||g' | sort -n | xargs)
# print the resulting Firewall Rules expression
echo "(ip.geoip.asnum in {$asn})"

end up with

(ip.geoip.asnum in {1442 3223 3561 3722 3842 4250 4323 4694 4851 5577 6188 6718 6724 6870 6939 7203 7349 7489 7506 7595 7598 7850 7979 8075 8100 8455 8477 8556 8560 8972 9009 9166 9290 9370 9412 9667 9823 9925 10200 10207 10297 10439 10532 10929 10929 11230 11235 11274 11588 11831 11878 12586 12586 12617 12876 12989 13209 13213 13647 13739 13909 13926 13926 13955 14061 14120 14127 14160 14244 14384 14415 14442 14567 14576 14618 14708 14986 14987 14992 15003 15083 15169 15189 15395 15497 15510 15626 15734 15919 16125 16262 16276 16284 16397 16509 16535 16628 16862 16973 17019 17216 17439 17669 17881 17918 17920 17971 18120 18450 18570 18779 18978 19084 19133 19234 19318 19437 19531 19624 19844 19871 19969 19969 20021 20068 20248 20264 20401 20448 20450 20454 20473 20598 20692 20738 20773 20773 20836 20860 21100 21159 21217 21321 21859 22152 22363 22552 22611 22720 22781 22903 23033 23052 23108 23273 23342 23352 23535 23881 24220 24381 24482 24549 24558 24611 24679 24725 24768 24875 24931 24940 24958 24961 24971 24997 25048 25128 25163 25260 25369 25379 25532 25642 25780 25820 25926 26277 26481 26484 26978 27175 27223 27229 27257 27357 27589 27597 27640 28099 28216 28333 28747 28753 28855 28997 29066 29067 29073 29097 29119 29140 29182 29302 29302 29311 29331 29354 29452 29465 29550 29691 29713 29748 29802 29838 29854 29869 29883 30083 30152 30176 30235 30475 30475 30633 30693 30849 30900 30998 31034 31103 31240 31472 31590 31659 31698 31981 32097 32181 32244 32275 32306 32338 32400 32475 32489 32613 32647 32740 32780 32911 33070 33070 33083 33182 33182 33251 33260 33302 33322 33330 33387 33438 33480 33552 33569 33724 33785 33891 34305 34432 34541 34649 34745 34971 34989 35017 35278 35295 35366 35415 35467 35470 35662 35908 35914 35916 35974 36024 36114 36236 36290 36351 36352 36408 36536 36666 36791 36873 36887 36920 36970 37018 37088 37153 37170 37209 37230 37248 37269 37280 37308 37347 37377 37472 37506 37521 37540 37643 37661 37692 37714 38001 38001 38107 38279 
38894 39020 39326 39351 39392 39451 39458 39572 39704 39756 39839 40156 40244 40281 40374 40438 40539 40676 40715 40728 40819 40824 40861 41062 41079 41369 41427 41562 41653 41665 42120 42160 42210 42244 42311 42331 42331 42399 42400 42418 42442 42465 42473 42612 42622 42695 42695 42699 42705 42708 42730 42776 42831 43021 43146 43198 43289 43317 43350 43472 43541 43620 44050 44066 44398 44901 45102 45152 45179 45187 45187 45201 45470 45481 45486 45577 45671 45693 45815 45887 46177 46260 46261 46430 46433 46475 46562 46664 46805 46816 46844 46873 46945 47143 47161 47172 47205 47328 47385 47447 47549 47577 47583 47588 47625 48093 48446 48812 48825 48896 49313 49349 49367 49453 49485 49505 49505 49532 49544 49693 49815 49834 49949 49981 50297 50465 50608 50613 50655 50673 50872 50915 50926 50968 50986 51050 51109 51159 51167 51191 51241 51248 51290 51294 51395 51430 51698 51731 51765 51852 52048 52173 52219 52236 52270 52321 52335 52347 52465 52674 52925 53013 53055 53057 53101 53221 53225 53281 53332 53340 53342 53370 53559 53589 53597 53667 53755 53850 53889 53914 53918 54104 54203 54203 54290 54334 54455 54489 54500 54500 54527 54540 54555 54641 54817 54825 54839 55051 55225 55229 55286 55293 55536 55720 55761 55799 55933 55967 56106 56110 56322 56617 56630 56732 56784 56799 56934 57043 57169 57230 57286 57345 57363 57669 57682 57752 57773 57858 57879 58073 58113 58305 58667 58797 58922 58936 59135 59253 59349 59432 59504 59554 59615 59632 59677 59705 59729 59764 59791 59795 59816 59854 60011 60068 60117 60118 60404 60476 60485 60505 60558 60567 60739 60781 60800 61102 61102 61107 61147 61157 61280 61317 61412 61440 62026 62049 62071 62082 62088 62217 62240 62282 62310 62370 62471 62540 62563 62567 62605 62651 62756 62838 62899 63008 63018 63119 63128 63128 63129 63199 63213 63473 63916 63949 64245 64484 132070 132071 132225 132425 132509 132717 132779 132816 132869 133120 133143 133229 133296 133393 133480 133752 134451 135822 136258 196645 196678 196745 196827 
197155 197328 197372 197395 197439 197648 197902 197914 198047 198153 198171 198310 198313 198347 198414 198432 198651 198968 199129 199213 199481 199653 199733 199847 199883 199990 199997 200000 200019 200019 200039 200147 200532 200904 201011 201200 201449 201525 201553 201597 201630 201634 201670 201702 201709 201862 201983 202023 202053 202118 202836 203523 203629 204196 206898 262170 262287 262603 262978 262990 263032 263093 263237 327705 327784 327813 327942 328035 393326 394256 394330 394380 395089 395111 395978})

but it’s over the 4 KB limit

echo "(ip.geoip.asnum in {$asn})" | wc -c
4522
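Since the single expression overshoots the 4 KB limit, the list has to be split across rules. The script below is an added example (not from this thread) that parses the CSV the same way the awk one-liner does (header row, ASN in the first column), drops the duplicate ASNs visible in the output above, and packs the values into as few `ip.geoip.asnum in {...}` expressions as fit under the limit; the CSV rows are constructed sample data.

```python
import csv
import io

# Constructed sample in the shape the awk command expects: a header row,
# then the ASN in column 1 (quoted, as in the real file). A duplicate row
# is included on purpose, since the real list contains repeats.
SAMPLE_CSV = '''"ASN","Entity"
"10929","Example Hosting A"
"10929","Example Hosting A"
"1442","Example Hosting B"
"13909","Example Hosting C"
'''

MAX_EXPR_BYTES = 4096  # Firewall Rules expression limit quoted in the thread (4 KB)
PREFIX, SUFFIX = "(ip.geoip.asnum in {", "})"


def load_asns(csv_text):
    """Parse the CSV, skip the header, discard duplicates, return sorted ints."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # header row
    asns = set()
    for row in reader:
        if row and row[0].strip().isdigit():
            asns.add(int(row[0]))
    return sorted(asns)


def build_expression(asns):
    """Render one Firewall Rules expression for a list of ASNs."""
    return PREFIX + " ".join(str(a) for a in asns) + SUFFIX


def chunk_expressions(asns, limit=MAX_EXPR_BYTES):
    """Greedily split the ASNs into expressions no larger than `limit` bytes."""
    exprs, current = [], []
    for asn in asns:
        if len(build_expression(current + [asn]).encode()) > limit:
            if not current:
                raise ValueError("a single ASN does not fit the limit")
            exprs.append(build_expression(current))
            current = []
        current.append(asn)
    if current:
        exprs.append(build_expression(current))
    return exprs


if __name__ == "__main__":
    for i, expr in enumerate(chunk_expressions(load_asns(SAMPLE_CSV)), 1):
        print(f"rule {i}: {len(expr.encode())} bytes: {expr}")
```

Each printed expression is pasted into its own rule, exactly as the two-rule workaround mentioned later in the thread.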

Just a side note, if your issue is bot traffic, this list will block out a large chunk of it but it won’t necessarily solve the underlying problem. The Bot Management solution will, without blocking real users.

From looking through that ASN list, we have seen the traffic be in excess of 98% bots/malicious traffic at times but it also does produce some good bots and legitimate users depending on your site. Think SEO bots, Amazon’s Alexa bot, etc.
If the traffic hits an API, you can’t challenge it like you can on your website, so it’s all or nothing with blocks.

Bot Management might be cost prohibitive but, if not, it solves the underlying issue without having to wholesale block ASN’s, IP’s, UA’s etc.

If you enter these into a FW rule, I’d def recommend separating them so it’s easier to search and find. Manually, using notepad and the syntax like @sandro mentioned works well. I’d just break into a few chunks, personally. Better visibility on the analytics side.


I second @dmcclure’s concern about over-blocking here.

The four kilobyte limit can be circumvented by having two rules. Of course an import to IP access rules would also work, however I still believe that would over-block and maintaining that list, respectively configuring exceptions, might be quite a hassle.

Overall I would not block 800 networks for no reason. Rely rather on Cloudflare’s own bot algorithms and block individual ASNs if they send too many requests.

CF Firewall rules can be configured to exclude known good bots from being banned though via cf.client.bot criteria https://developers.cloudflare.com/firewall/known-issues-and-faq#how-does-firewall-rules-handle-traffic-from-known-bots

Yup, Bot Management on CF Enterprise https://blog.cloudflare.com/cloudflare-bot-management-machine-learning-and-more/ is wonderful and catches a lot more without manual work.

The Bot Management score as a criteria in CF Firewall makes it easier to determine which requests are coming from bots (non-humans).

This CF Firewall is capturing when bot management score is less than 6 = non-human. As you can see, a lot of the ASNs are from cloud hosting providers, as they rent out their servers to bad bot operators etc.

I usually separate out known cloud hosting provider ASNs in a group and only apply their challenge/blocks to sensitive areas like login/registrations/contact pages if CF Bot Management isn’t available, i.e. non-Enterprise plans. After all, there is little or no risk in preventing legit crawler/search bots from crawling login/rego/contact pages, but they’re often targets for brute force login/credential stuffing attacks from bots operated on cloud providers too.

There is a big difference between traffic from malicious bots that aren’t a part of a specific attack and targeted attack traffic, for sure. Having dealt with brute force and cred stuffing, blocking ASN’s isn’t a tenable solution. It’s like playing the old whack-a-mole game.

And +1 on excluding cf.client.bot

To a certain extent it is. I do block, respectively challenge ASNs as well, however that should be selective lists of ASNs which already proved to be an issue for the site not a one-size-fits-all list compiled by a random third party.

To minimize the hassle @sandro mentioned in maintaining a list like this, I’ve come to prefer an approach where, instead of:

If bad actor > block

I now use a combination of:

If bad behavior > Block
If not good actor > Challenge

You then have a much smaller list to maintain, and very few, if any, surprises on your origin server access logs.

A Firewall Rule expression for the first part would look like:

(not cf.client.bot and not ip.geoip.country in {"AA" "BB" "CC"} and not http.request.uri.path in {"/ads.txt" "/robots.txt"} and not ip.src in {1.2.3.4 1.2.3.5} and not ip.geoip.asnum in {123 124 125})

where you’d exclude from the Captcha the countries where your target audience is, some special URLs (/ads.txt, /robots.txt etc, but also, if applicable a rule for hostname such as api.example.com), and the IPs and ASNs of services you depend on.

Then couple this rule with one mostly URL-based for bad behavior, such as:

(http.request.uri.path contains "wp-config") or (http.request.uri.path contains ".php" and http.request.uri.path contains "/wp-content/") or (http.request.uri.path contains "phpmyadmin") or (http.request.uri.path in {"installer.php" "installer-backup.php" "/te3/signup.php" "/assets/images/new_license.php" "/connectors/system/phpthumb.php" "/home/favicon.ico" "/2/favicon.ico" "/3/favicon.ico" "/view/img/favicon.ico"})

Every now and then you’d need to bypass an IP for certain online services to work. If you use these services all the time, you may want to insert the exception into the FR, otherwise just create a temp whitelist IP Access rule for the duration of the service.


Ya, depends on the use case. I’ve seen ASN’s get used that are very legitimate ASN’s; Charter, Comcast, various mobile carriers. It’s probably not an issue the OP needs to worry about. It’s something I’ve run into with targeted attacks and, while it might be fine for some websites to wholesale block, you can’t do it with a business. I had a customer whose call center would get overwhelmed if we blocked the wrong ASN, for example.

I mostly mentioned Bot Management because of the more granular approach, mostly for passers by. I think each use case can be a little unique but having the ability to exclude known bots and the ability to use Challenges to separate the traffic, is a great option to have.


Most definitely. But I guess we went way too much into detail at this point. :smile:

@disruptive, yes, as mentioned you can either import the data via the API or create one (or two) firewall rule which contains all the values. Would I recommend to go that way? No :slight_smile:


Yeah though better than nothing if your budget is outside CF Enterprise’s asking price :slight_smile: It’s also why I specifically group known cloud provider ASN’s

Indeed, I do the same with common WordPress ones, though there are some CF WAF rules that help

i.e. CF Firewall captured event entries for CF WAF rules

Again, look at the ASNs that triggered the CF WAF rules - notice how lots of them are from cloud providers again :slight_smile:


Block them all :smile:


I usually get thousands of hits to my site’s registration/login pages from cloud providers and definitely know my site isn’t popular enough that cloud provider ASNs would hit my login page at 100+ requests/second :slight_smile:

:smile:

Though seriously, unless one is concerned about VPN users there really is no reason not to block them.

Can always just challenge them. Though to date, the solve rate for me is still 0% LOL


Or that :slight_smile: