Cisco ASA BotNet Filtering

Overview

The Cisco ASA Botnet filter provides a means to detect and potentially block traffic heading to known Botnet destinations.

It can do this by using both known IP addresses as well as by monitoring DNS traffic for known bad DNS queries.

It has a number of pre-requisites:

  • Seperate BotNnet (subscription) license required
  • ASA configured to use DNS in order to lookup names and address in static database
  • DNS Snooping enabled
  • Live connectivity to the Internet so that latest database an be downloaded.

Implementation

In order to implement the Botnet traffic filter the license must be enabled. This can be checked via the show version command on the CLI.

If the license is not installed, the configuration options will not be shown in ASDM but the commands will still be available via the CLI.

Configuration Steps

  1. Configure dynamic database
  2. Configure the static database
  3. Enable DNS snooping
  4. Enable the Botnet traffic filter

Configure the dynamic database

Via ASDM the database can be configured through:

Configuration ‣ Firewall ‣ Botnet Traffic Filter

Select the following options:

  • Enable Botnet Updater Client
  • Use Botnet data dynamically downloaded from updater server

After clicking Apply the database will be automatically downloaded the first time. To manually download the latest database select Fetch Botnet Database.

Or via the CLI:

dynamic-filter updater client enable
dynamic-filter use database

Configure the static ddatabase

Under Botnet Traffic Filter select Black and White Lists

Any entries in the whitelist will be allowed and not checked against the database or static entries. Entries in the blacklist will be used in conjunction with the database and monitored by the Botnet filter.

Or via the CLI:

dynamic-filter { blacklist | whitelist }
  {name <hostname> | address <ip>}

Enable DNS Snooping

Under Botnet Traffic Filter select DNS Snooping.

For global DNS Snooping, simply check the DNS Snooping Enabled option under the global interface.

Or via the CLI:

! By default the global policy is called 'global_policy'
policy map <policy-name>
  class inspection_default
    inspect dns preset_dns_map dynamic filter snoop

Enable the Botnet Traffic Filter

Under Bonet Traffic Filter select Traffic Settings.

In most situations it will be necessary to enable the Botnet filter on the external facing interface. Check the option for Traffic Classified on the appropriate interface.

It is also possible to only filter specific traffic, this can be done by selecting Manage ACL and defining the appropriate traffic. It’s also possible to specific what level of traffic will be dropped.

Note

The default traffic level to be dropped is moderate and above with all traffic being dropped.

Or via the CLI:

dynamic-filter enable [ interface <name>] [classify list <acl-name>]

! Optionally - Drop connections involved in botnet activity
dynamic-filter drop blacklist [interface <name>] [action-clasify-list <acl>] [threat-level {eq <level> | range <min-level> <max-level>}]