'mirrors.fedoraproject.org' detected as Fast Flux

IPFire version: 2.27 core 166.

I was trying to use the EPEL repository on Rocky Linux, which uses mirrors.fedoraproject.org to get the packages, and found out that the web proxy is blocking it for being fast flux.

After reading this post I managed to get these logs:

```
bash-5.1$ /usr/bin/asnbl-helper.py /var/ipfire/proxy/asnbl-helper.conf
Apr 08 08:18:17 squid-asnbl-helper[23564] WARN: No ASNBL configured. This is acceptable as long as this script is configured to do anything, you just have been warned...
Apr 08 08:18:17 squid-asnbl-helper[23564] INFO: ASN database operational - excellent. Waiting for input...
mirrors.fedoraproject.org
Apr 08 08:18:38 squid-asnbl-helper[23564] WARN: Destination 'mirrors.fedoraproject.org' exceeds ASN diversity threshold (7 > 5), possibly Fast Flux: [81, 3701, 17314, 21785, 22753, 36850, 54455]
Apr 08 08:18:38 squid-asnbl-helper[23564] INFO: Denying access to possible Fast Flux destination 'mirrors.fedoraproject.org'
OK
```

If I change the Threshold from 5 to 8 the problem disappears, but I guess this is not OK.

This is mentioned here, but the solution is not working for me.

I tried adding mirrors.fedoraproject.org and fedoraproject.org to Custom whitelist > Allowed domains, but it is not working.

What should I do?

Thank you.

Hi,

oh well, Fedora and their non-optimal network setup again… :frowning:

Not really. The greater the threshold is, the more likely a fast flux destination will slip through.

(Actually, I have recently noticed some botnets switching to 3 or 4 IP addresses per fast flux FQDN, presumably to bypass detection mechanisms such as this one. When I did some measurements last time, even a couple of legitimate sites were resolving to 4 IP addresses in 4 distinct ASNs, so false positives become more likely.)

Do you have the URL filter enabled and the "enable custom whitelist" ticked?

Thanks, and best regards,
Peter Müller
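
For triaging denials like the one in the log above before touching the threshold, here is an added example (not part of the thread and not squid-asnbl-helper's own code) that parses the helper's WARN lines and shows which destinations would still be denied at a given threshold. It assumes the log format shown in the first post and the strict `>` comparison the message prints; the `cdn.example.net` line is constructed, using documentation-range ASNs.

```python
import re

# The first two lines are copied from the post above; the third is a
# constructed entry (reserved example name, documentation-range ASNs).
SAMPLE_LOG = """\
Apr 08 08:18:38 squid-asnbl-helper[23564] WARN: Destination 'mirrors.fedoraproject.org' exceeds ASN diversity threshold (7 > 5), possibly Fast Flux: [81, 3701, 17314, 21785, 22753, 36850, 54455]
Apr 08 08:18:38 squid-asnbl-helper[23564] INFO: Denying access to possible Fast Flux destination 'mirrors.fedoraproject.org'
Apr 08 09:02:11 squid-asnbl-helper[23564] WARN: Destination 'cdn.example.net' exceeds ASN diversity threshold (6 > 5), possibly Fast Flux: [64496, 64497, 64498, 64499, 64500, 64501]
"""

WARN_RE = re.compile(
    r"WARN: Destination '(?P<dest>[^']+)' exceeds ASN diversity threshold "
    r"\((?P<count>\d+) > (?P<threshold>\d+)\), possibly Fast Flux: "
    r"\[(?P<asns>[\d, ]+)\]"
)

def parse_fast_flux_hits(log_text):
    """Return {destination: {"asns", "max_count", "threshold", "hits"}}."""
    hits = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue  # INFO lines and unrelated output
        asns = {int(a) for a in m.group("asns").split(",")}
        if len(asns) != int(m.group("count")):
            continue  # truncated or malformed line, do not trust it
        e = hits.setdefault(m.group("dest"),
                            {"asns": set(), "max_count": 0, "threshold": None, "hits": 0})
        e["asns"] |= asns                      # every ASN ever logged for this name
        e["max_count"] = max(e["max_count"], len(asns))  # worst single lookup
        e["threshold"] = int(m.group("threshold"))
        e["hits"] += 1
    return hits

def still_denied(hits, threshold):
    """Destinations whose worst logged lookup still exceeds `threshold`
    (assumption: strict '>' as printed in the log message)."""
    return sorted(d for d, e in hits.items() if e["max_count"] > threshold)

if __name__ == "__main__":
    hits = parse_fast_flux_hits(SAMPLE_LOG)
    for dest, e in sorted(hits.items()):
        print(f"{dest}: {e['max_count']} ASNs {sorted(e['asns'])}, "
              f"configured threshold {e['threshold']}, {e['hits']} hit(s)")
    for t in (5, 6, 8):
        print(f"threshold {t}: still denied -> {still_denied(hits, t)}")
```

Each step up in the threshold clears known-good names but also admits every other destination with the same ASN spread, which is the trade-off described in the reply above.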

Hi @pmueller

Yes, they are both enabled:

Searching on Google, I found this discussion you had in September last year. It looks like the same problem, right?

Thank you.