The return of the ASN-DROP

by The Spamhaus Team, September 13, 2023 (4 minutes reading time)

Topics: DNSBL, Hijacking, Network Security

Introduction

Further to requests from the community we've reinvigorated the ASN-DROP. With a new algorithm, ASN-DROP is now available in JSON format, listing Autonomous System Numbers (ASNs) associated with the worst of the worst behavior. These are ASNs that our researchers wouldn't recommend engaging with and are highly likely to announce or supply transit to IP ranges associated with malicious behavior. They range from networks hosting botnet command and control systems, to "bulletproof" networks selling connectivity/hosting to cybercriminals, to hardcore spammers, and more.

One of our researchers is an avid supporter of ASN-DROP - here’s Jonas Arnold’s experience of the dataset and why they love it.

Love is a DROP list

Let's clear something up quickly - for those of you who are wondering what "DROP" is, it's an acronym for Do Not Route or Peer. Having started my IT security journey as a firewall administrator (something I am still close to now) I've grown to love the DROP list family. Not only do I cherish the DROP lists for being highly reliable in terms of false positive rates, they are also compiled transparently and responsibly, with the ability to look up every IP listing in the Spamhaus IP and Domain Reputation Checker. And for free - no strings attached. With Spamhaus, I know the DROP lists are rock solid and will be here for years to come.

Less worry, more time

As a human defender, you are limited by your time and resources. DROP lists allow me to mitigate (or even prevent) threats at every opportunity, reducing my worries considerably. This frees up resources I need for dealing with more sophisticated threats - of which some will inevitably slip through the net.

ASN-DROP and IP-based DROP lists are not a silver bullet solution. They serve as coarse filters, removing the worst of the worst ASNs and IPs. While they cannot guarantee 100% security, it doesn't matter. Why?

Because of the amount of stress and sleepless nights it takes off my shoulders, due to fewer incident response tasks. There is little to no ongoing maintenance effort required, except for keeping an eye out for hits caused by compromised internal devices.

Using the ASN-DROP list

After a rather emotional introduction to DROP lists (what can I say, I'm a fan!) here are four ways I have used these lists across various IT security roles:

Blocking rogue ASNs at the perimeter infrastructure: No surprises there. This is what the list is intended for! However, some ASNs rotate very quickly through prefixes, only announcing them for a few hours. They send spam and remove the announcement almost immediately afterwards. The ASN-DROP is very helpful in preventing abuse in this scenario. With a list of ASNs, you can automatically "blackhole" them in the BGP router at the network edge, which makes all networks announced by them unreachable.

Hunting for DROP'ed ASNs: Before Resource Public Key Infrastructure (RPKI) made Border Gateway Protocol (BGP) hijacking more difficult, hunting for DROP'ed ASNs in the global routing table could be used to detect rogue announcements (attacker falsely announces ownership of groups of IP addresses). These were either hijacks - or in some cases, attempts to redirect internet traffic. Either way, we would not process the new routes, sticking to the old ones.

Noting changes in the rogue hosting landscape: DROP’ed ASNs that announce new prefixes or connect to other ASNs are probably rogue. We would reject traffic from these ASNs, even before our routing infrastructure could process a single packet to or from the internet infrastructure involved.

Incident checks at suppliers, partners, or branches: During a scheduled downtime, a supplier's perfectly clean IP network was temporarily rerouted in a targeted attack to bypass IP-based ACLs. However, the involved carriers' ASN was on the ASN-DROP, preventing the traffic from passing through. Result!
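The first three uses above (rejecting routes that originate from or transit a DROP'ed ASN, and spotting listed ASNs in the routing table) can be automated from the JSON download. The following is an added example, not part of Jonas's account or of Spamhaus's own tooling: it assumes the newline-delimited JSON layout with `asn`/`asname` fields and a trailing `metadata` record, uses constructed sample records and a constructed routing snapshot, and renders Cisco IOS-style filter syntax purely for illustration.

```python
import ipaddress
import json

# Constructed sample in the newline-delimited JSON layout of the ASN-DROP
# download; field names and the metadata record are assumed, not from the post.
ASN_DROP_JSONL = """\
{"asn": 64496, "rir": "arin", "domain": "example.invalid", "cc": "US", "asname": "EXAMPLE-ROGUE-1"}
{"asn": 64511, "rir": "ripencc", "domain": "example.invalid", "cc": "NL", "asname": "EXAMPLE-ROGUE-2"}
{"type": "metadata", "timestamp": 1694563200, "size": 2, "records": 2}
"""

# Constructed snapshot of routes seen at the edge: (prefix, AS path, our peer first).
ROUTES = [
    ("192.0.2.0/24", [64500, 64501, 64496]),     # originated by a listed ASN
    ("198.51.100.0/24", [64500, 64511, 64502]),  # transits a listed ASN
    ("203.0.113.0/24", [64500, 64503]),          # clean
]


def load_asn_drop(text):
    """Parse ASN-DROP JSON lines into a set of ASNs, skipping the metadata record."""
    asns = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") == "metadata":
            continue
        asns.add(int(rec["asn"]))
    return asns


def flag_routes(routes, drop_asns):
    """Return (prefix, reason, listed ASNs) for routes whose origin or any hop is listed."""
    flagged = []
    for prefix, path in routes:
        hits = [asn for asn in path if asn in drop_asns]
        if hits:
            reason = "origin" if path[-1] in drop_asns else "transit"
            flagged.append((prefix, reason, hits))
    return flagged


def render_filters(drop_asns, flagged):
    """Render an AS-path deny list plus null routes for the prefixes currently seen."""
    # Cisco IOS-style syntax is used for illustration only; adapt to your platform.
    lines = [f"ip as-path access-list 10 deny _{asn}_" for asn in sorted(drop_asns)]
    lines.append("ip as-path access-list 10 permit .*")
    for prefix, _reason, _hits in flagged:
        net = ipaddress.ip_network(prefix)
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines
```

The AS-path filter rejects every route that carries a listed ASN anywhere in its path, so prefixes rotated in for a few hours never become reachable; the null routes cover prefixes already installed before the filter was applied.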

Thanks Jonas for sharing your experiences – we love your heartfelt account of using the Spamhaus DROP lists. We’d love to hear from the community on ways you use the ASN DROP list... get in touch with us and share.

Take a look at the Spamhaus DROP lists, including the revived ASN-DROP.