Bug 12782 - Ipfire connections.cgi is impacted by FastFlux - http://isc.sans.org
Status: CLOSED FIXED
Product: IPFire
Classification: Unclassified
Version: 2
Assignee: Peter Müller
Reported: 2022-02-27 09:28 UTC by Horace Michael (aka H&M)
Modified: 2022-07-10 15:35 UTC
Description Horace Michael (aka H&M) 2022-02-27 09:28:54 UTC
Hello,
IPFire connections.cgi is impacted by FastFlux detection: accessing PORT information from the connections.cgi page gives me this message:

The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://isc.sans.org/port_details.php?port=443

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster

Logs (cause) show that isc.sans.org is blocked by FastFlux detection


/var/log/squid/cache.log:Feb 27 10:44:47 squid-asnbl-helper[9343] WARN: Destination ‘isc.sans.org’ resolves to IP addresses ‘108.138.17.118’ without corresponding ASN, probably selectively announced
Comment 1 Peter Müller 2022-03-02 20:32:07 UTC
While I understood the underlying issue here, I cannot currently reproduce it with 108.138.17.118 (which isc.sans.org resolves to):

[root@maverick ~]# location version
Wed, 02 Mar 2022 05:46:50 GMT
[root@maverick ~]# location lookup 108.138.17.118
108.138.17.118:
  Network                 : 108.138.16.0/21
  Country                 : United States of America
  Autonomous System       : AS16509 - AMAZON-02
  Anycast                 : yes

Is the faulty behaviour still observable in your system?
Comment 2 Horace Michael (aka H&M) 2022-03-04 05:42:01 UTC
Good morning Peter,
I believe this is a side effect of bug #12783 (https://bugzilla.ipfire.org/show_bug.cgi?id=12783)


After solving bug #12783 the problem (fast flux detection) disappeared - currently my boxes run the patched version of connections.cgi.

May I suggest linking this bug with #12783 and also checking the patch from #12783?

Hope it helps!
Comment 3 Horace Michael (aka H&M) 2022-03-04 05:50:06 UTC
Late info: since I am in another part of the world, I get different IPs for isc.sans.org:

Non-authoritative answer:
Name:   isc.sans.org
Address: 13.225.80.99
Name:   isc.sans.org
Address: 13.225.80.19
Name:   isc.sans.org
Address: 13.225.80.77
Name:   isc.sans.org
Address: 13.225.80.98

The above belong to the same AS16509 as your IP belongs to.

location lookup 13.225.80.99
13.225.80.99:
  Network                 : 13.225.80.0/21
  Country                 : United States of America
  Autonomous System       : AS16509 - AMAZON-02
  Anycast                 : yes
[root@ipfire-x86-64 ~]# location version
Tue, 01 Mar 2022 05:32:08 GMT




But isc.sans.edu is resolved with different IP addresses:
Non-authoritative answer:
Name:   isc.sans.edu
Address: 45.60.31.34
Name:   isc.sans.edu
Address: 45.60.103.34

And this belongs to a different AS:

location lookup 45.60.103.34
45.60.103.34:
  Network                 : 45.60.103.0/24
  Country                 : United States of America
  Autonomous System       : AS19551 - INCAPSULA


So, I believe that solution from bug #12783 also solved this one...
Comment 4 Horace Michael (aka H&M) 2022-07-10 15:35:24 UTC
Solved by solution for bug #12783
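
Added example (not part of the bug thread and not IPFire's own code): because resolvers in different places return different addresses for the same name, the `location lookup` re-check used in the comments above is most useful when run against the exact addresses the helper logged. The sketch below pulls those addresses out of squid-asnbl-helper warnings; the pattern is modelled on the single cache.log line quoted in the report, and the sample lines other than that one are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Pattern modelled on the single cache.log line quoted in the report. Accepting
# straight quotes and several addresses in one field are assumptions.
WARN_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"squid-asnbl-helper\[\d+\] WARN: Destination "
    r"[‘'](?P<dest>[^’']+)[’'] resolves to IP addresses "
    r"[‘'](?P<ips>[^’']+)[’'] without corresponding ASN"
)

def missing_asn_hits(lines):
    """Return {destination: {ip: [timestamps]}} for 'without corresponding ASN' warnings."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = WARN_RE.search(line)
        if not m:
            continue
        for token in re.split(r"[,\s]+", m["ips"].strip()):
            try:
                ip = str(ipaddress.ip_address(token))
            except ValueError:
                continue  # never pass unvalidated log text on to a shell
            hits[m["dest"]][ip].append(m["ts"])
    return {dest: dict(ips) for dest, ips in hits.items()}

def lookup_commands(hits):
    """One `location lookup` per logged address, to run on the affected box."""
    return sorted({f"location lookup {ip}" for ips in hits.values() for ip in ips})

# Constructed sample: the first line is the one from the report, the others are made up.
TAIL = " without corresponding ASN, probably selectively announced"
SAMPLE = [
    "/var/log/squid/cache.log:Feb 27 10:44:47 squid-asnbl-helper[9343] WARN: Destination "
    "‘isc.sans.org’ resolves to IP addresses ‘108.138.17.118’" + TAIL,
    "Feb 27 10:45:02 squid-asnbl-helper[9343] WARN: Destination "
    "‘isc.sans.org’ resolves to IP addresses ‘108.138.17.118’" + TAIL,
    "Feb 27 10:46:10 squid-asnbl-helper[9343] WARN: Destination "
    "'example.test' resolves to IP addresses '192.0.2.10, 192.0.2.11, bogus'" + TAIL,
    "Feb 27 10:46:11 squid[1234]: unrelated constructed line",
]

if __name__ == "__main__":
    for cmd in lookup_commands(missing_asn_hits(SAMPLE)):
        print(cmd)
```

Comparing the lookup results with the output of `location version` on the same machine shows whether the warning came from the database state at the time or still reproduces.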