Sunday, October 11, 2009

Blocking the ASProx Fast Flux Botnet

With the IP addresses of the ASProx fast flux botnet changing between infected residential computers nearly daily, the only effective methods of blocking it are through the use of a DNS black hole or with Snort Inline.

Gary Warner provides an excellent write up on the botnet at his blog at:

Today, I updated the DNS Super Blackhole at You can download the DNS Super Black Hole files for Smoothwall at Emerging Threats from:

* config-hosts ( 275,937 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 10-11-2009: added 9,116 cybercrime and malware domains identified since 6-20-2009.

* hosts ( Protect your home from 275,937 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback (blacklisted domains must resolve to Updated 10-11-2009. If you believe that your domain should not be listed, please let us know and we will review it for delisting.

- James McQuaid