Bypassing ASN Firewalls: A Practical Guide

TL;DR

ASN (Autonomous System Number) firewalls block traffic based on the network origin. While effective, they aren’t foolproof. Techniques like using VPNs, proxies, CDNs, and misconfigured ASNs can bypass these blocks. This guide explains how attackers do it and what you can do to improve your security.

Understanding ASN Firewalls

ASN firewalls work by checking the origin of network traffic against a list of ASNs. If the source ASN is on a blocked list, the connection is dropped. They’re often used to block entire countries or networks known for malicious activity.

How Attackers Bypass ASN Firewalls

1. Using VPNs (Virtual Private Networks):
• VPNs mask the attacker’s real IP address and route traffic through a different ASN. This makes it appear as if the connection originates from the VPN server’s ASN, potentially bypassing the block.
• Example: Connecting to a VPN server in a country not blocked by the firewall.
2. Employing Proxies:
• Similar to VPNs, proxies act as intermediaries, hiding the attacker’s IP address and ASN.
• Example: Using a residential proxy network to appear as legitimate users from different ASNs.
3. Content Delivery Networks (CDNs):
• CDNs distribute content across multiple servers in various locations, each with its own ASN. Attackers can leverage this by sending traffic through a CDN server with an allowed ASN.
• Example: An attacker hosts malicious content on a CDN and directs traffic to a server within a permitted ASN.
4. Misconfigured ASNs:
• Incorrectly configured routing policies can lead to traffic from blocked networks being routed through allowed ASNs. This is often due to errors in BGP (Border Gateway Protocol) configurations.
• Example: A network administrator accidentally allows traffic from a known malicious ASN to transit their network.
5. ASN Hijacking/Spoofing (Advanced):
• This is a more sophisticated attack where an attacker attempts to announce false routing information, making it appear as if traffic originates from a different ASN. This requires significant technical expertise and access to network infrastructure.
• Note: ASN hijacking is illegal in most jurisdictions.
6. Tunneling Protocols:
• Using protocols like SSH tunneling or Obfsproxy can disguise the origin of traffic, making it harder to identify and block based on ASN alone.
• Example: Establishing an SSH tunnel through a server with a trusted ASN.

  ssh -D 8080 user@trusted_server

  (This creates a SOCKS proxy on port 8080)

Protecting Against ASN Firewall Bypasses

1. Combine ASN Blocking with Other Security Measures:
• Don’t rely solely on ASN firewalls. Implement additional layers of security, such as IP address blocking, reputation-based filtering, and behavioral analysis.
2. Regularly Update Blocklists:
• Keep your ASN blocklists current with the latest threat intelligence data.
3. Monitor BGP Routing Information:
• Actively monitor BGP routing tables for anomalies and misconfigurations that could allow traffic from blocked networks to bypass the firewall. Tools like RIPEstat can help.
4. Implement GeoIP Filtering:
• Combine ASN blocking with GeoIP filtering to block traffic from entire countries or regions known for malicious activity.
5. Use Rate Limiting and Traffic Shaping:
• Limit the amount of traffic allowed from specific ASNs or IP addresses to mitigate the impact of attacks.
6. Invest in cyber security intelligence feeds:
• These provide up-to-date information on malicious ASNs and IPs, helping you proactively block threats.