
Spamhaus ASN Drop list - json format

Open ronin3510 opened this issue 9 months ago • 5 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

Spamhaus DROP ASN announcement

> Further to requests from the community we've reinvigorated the ASN-DROP. With a new algorithm, ASN-DROP is now available in JSON format, listing ASNs associated with the worst of the worst behavior. These are ASNs that our researchers wouldn't recommend engaging with and are highly likely to announce or supply transit to IP ranges associated with malicious behavior. From networks hosting botnet command and control systems, to "bulletproof" networks selling connectivity/hosting to cybercriminals, to hardcore spammers, and more.

Describe the solution you like

Adding support for this ASN list presents a double opportunity for OPNsense CE and BE.

In the first stage, the new functionality is announced - hopefully in a yy.m.x release - and users can start using it.

In the second stage, new yy.m releases start presenting users with a new screen in the initial setup wizard where they are prompted to enable this ASN list as a Floating rule on LAN - "Reject Source any Destination ASNdrop any". A floating rule can then be modified easily to add additional VLANs when they're deployed.

Implementing the second stage raises the bar of the default security posture and is a mitigating factor for the default Allow Any Outbound IPv4+IPv6 rules that may allow for unwanted data exfiltration when new deployments happen on compromised networks.

Describe alternatives you considered

There's always the manual option, which is error prone, untimely and time consuming: collecting the ~300 ASNs and adding them to an ASN alias.

Additional context

DROP ASN json

Thank you.

ronin3510 avatar Mar 03 '25 04:03 ronin3510

Tried opening this as a feature request...doesn't seem to have worked.

ronin3510 avatar Mar 03 '25 04:03 ronin3510

+1. I'm interested

l0rdg3x avatar Jun 01 '25 23:06 l0rdg3x

duplicate issue, https://github.com/opnsense/core/issues/8107 + https://github.com/opnsense/core/issues/8277 --> https://docs.opnsense.org/manual/how-tos/drop.html

AdSchellevis avatar Jun 02 '25 06:06 AdSchellevis

Hi Ad,

Unfortunately this is not a duplicate of anything. The only work that has been done in OPNsense concerns JSON formatted IP lists.

There's no way of adding ASN numbers from the JSON provided by Spamhaus https://www.spamhaus.org/drop/asndrop.json


ronin3510 avatar Jun 05 '25 21:06 ronin3510
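As an added illustration of the manual alternative mentioned above (not code from OPNsense or Spamhaus): the feed is assumed to be newline-delimited JSON, one record per line with an `asn` field plus a trailing record whose `type` is `metadata`; those field names, the sample lines and the helper names are assumptions. The script extracts the unique, range-checked ASNs so they can be pasted one per line into an alias, and skips anything malformed rather than silently importing it.

```python
import json

# Constructed sample in the assumed feed layout: one JSON object per line,
# a trailing metadata record, plus two deliberately bad lines and a duplicate.
SAMPLE_FEED = """\
{"asn":64496,"rir":"arin","domain":"example.com","cc":"US","asname":"EXAMPLE-AS"}
{"asn":64497,"rir":"ripe","domain":"example.net","cc":"NL","asname":"EXAMPLE-2"}
not json at all
{"asn":"4294967296","rir":"apnic","domain":"","cc":"","asname":"OUT-OF-RANGE"}
{"asn":64496,"rir":"arin","domain":"example.com","cc":"US","asname":"EXAMPLE-AS"}
{"type":"metadata","timestamp":1700000000,"size":123,"records":4,"copyright":"constructed"}
"""


def parse_asndrop(text):
    """Return (sorted unique ASNs, number of skipped lines).

    Blank lines and the metadata record are ignored. Lines that are not JSON
    objects, lack an integer 'asn', or fall outside the 32-bit ASN range
    (0..4294967295) are counted as skipped so an operator can notice feed drift.
    """
    asns = set()
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:  # JSONDecodeError is a ValueError subclass
            skipped += 1
            continue
        if not isinstance(rec, dict) or rec.get("type") == "metadata":
            continue
        try:
            asn = int(rec["asn"])
        except (KeyError, TypeError, ValueError):
            skipped += 1
            continue
        if not 0 <= asn <= 0xFFFFFFFF:
            skipped += 1
            continue
        asns.add(asn)
    return sorted(asns), skipped


def to_alias_content(asns):
    """Render the ASNs one per line, ready to paste into an alias content field."""
    return "\n".join(str(a) for a in asns)


if __name__ == "__main__":
    found, bad = parse_asndrop(SAMPLE_FEED)
    print(to_alias_content(found))
    print(f"# {len(found)} ASNs, {bad} lines skipped")
```

Replacing `SAMPLE_FEED` with the downloaded file contents gives the list to paste into an ASN alias; the skipped count is worth alerting on, since a silently shrinking list weakens the rule without any visible error.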

ok, I'll reopen, but I don't expect this to mature to be honest. The current matches we would make based on these ASNs are most likely the same as already offered in the other lists from their end.

AdSchellevis avatar Jun 06 '25 07:06 AdSchellevis

I am +1 on this as well.

Ad, we can discuss that their ASN drop list may provide the same dataset as their other lists, but the key here is "most likely", which doesn't mean it's providing the same datasets. Personally I don't think they are providing the same datasets, otherwise there would be no reason for them to create an ASN based drop list.

ASNs are basically names of organizations in the network world, whereas IPs specify just a block/slice of it.

Furthermore, having JSON supported lists is not only related to Spamhaus itself, but this feature would allow admins to onboard any list provided as an ASN JSON file.

SeimusS avatar Jul 05 '25 14:07 SeimusS

In this particular case I can't believe we can map ASNs to addresses better than they do. When you're at the edge of the network accepting routes from others, having an ASN absolutely makes sense, which is what I expect the use-case for the additional list to be (haven't checked, but in my mind it sounds logical).

I don't mind if someone wants to spend time on the feature, it's just not very high on our list, that's all. Personally I prefer vendors to offer lists of (ip) networks as it prevents mapping locally.

AdSchellevis avatar Jul 05 '25 14:07 AdSchellevis

This issue has been automatically timed out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Aug 30 '25 03:08 OPNsense-bot