CU 163: Proxy + FastFlux

IPFire 2.27 (x86_64) - Core Update 163 :

Having enabled both,

  • Advanced Web Proxy
    • without Cache management
      as well as
  • Anomaly detections based on Autonomous Systems information
    • Deny access to destinations hosted on fast flux setups
    • Deny access to destinations hosted on selectively announced networks

since multiple CU versions, running stable,
now resulted in multiple instabilties,
including inaccessibility of e.g.

Disabling one or another, re-loading, re-booting, deleting cache, etc. pp.
sometimes helped temporarily.

Anybody else with similar problems?
Thanks!

Hi,

the getfedora.org issue is related to the fast-flux anomaly detection indeed.

Searching your logs, you will probably find entries like these:

Feb 18 11:11:53 squid-asnbl-helper[3133] WARN: Destination 'getfedora.org' exceeds ASN diversity threshold (9 > 5), possibly Fast Flux: [81, 3701, 15456, 16509, 21785, 22753, 36850, 54455, 61317]
Feb 18 11:11:53 squid-asnbl-helper[3133] INFO: Denying access to possible Fast Flux destination 'getfedora.org'

Please refer to this post for information on how to get around that, without having to disable the fast-flux detection completely.

I cannot reproduce any issues with wiki.ipfire.org. Are there any error or log messages for this destination? If so, could you please post them here?

Thanks, and best regards,
Peter Müller

Hello @pmueller
Ipfire connections.cgi is impacted by Fast Flux: http://isc.sans.org that is used to show PORT information is detected as Fast Flux

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: SANS.edu Internet Storm Center - SANS Internet Storm Center

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster

Logs:

/var/log/squid/cache.log:Feb 27 10:44:47 squid-asnbl-helper[9343] WARN: Destination ‘isc.sans.org’ resolves to IP addresses ‘108.138.17.118’ without corresponding ASN, probably selectively announced
/var/log/squid/cache.log:Feb 27 10:44:47 squid-asnbl-helper[9343] WARN: Destination ‘isc.sans.org’ resolves to IP addresses ‘108.138.17.102’ without corresponding ASN, probably selectively announced
/var/log/squid/cache.log:Feb 27 10:44:47 squid-asnbl-helper[9343] WARN: Destination ‘isc.sans.org’ resolves to IP addresses ‘108.138.17.46’ without corresponding ASN, probably selectively announced
/var/log/squid/cache.log:Feb 27 10:44:47 squid-asnbl-helper[9343] WARN: Destination ‘isc.sans.org’ resolves to IP addresses ‘108.138.17.10’ without corresponding ASN, probably selectively announced

Late edit: Bug 12782