Protect a Network from Botnet Traffic using Cisco Botnet Traffic Filter

Filtering botnet traffic protects the network on several fronts: it avoids the congestion that botnet traffic places on the company network, it limits the leak of passwords and other sensitive information, and it reduces the chance that company computers are infected and pressed into service for the botnet's owners.

Keeping track by hand of which traffic is botnet traffic and which is not would be impossible. Cisco runs a service that pushes updates to any ASA that has the Botnet Traffic Filter update client enabled. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, logs any suspicious activity, and can optionally drop the matching connections.

The Botnet Traffic Filter should be deployed at the Internet edge of the enterprise, since the botnet database only holds information about external botnets, and it is best to filter an external threat as close to its source as possible. The feature is restricted to IPv4 traffic. It is supported in single and multiple context mode, and in both routed and transparent mode.

Enable the DNS client on the ASA so that it can resolve the address of the Cisco Security Intelligence Operations (SIO) update service. A name server also has to be configured under the DefaultDNS server group; without one the dynamic filter update client cannot fetch updates.

dns domain-lookup outside

Enable the Botnet Traffic Filter database update client. After the initial database has been downloaded to disk0:/internal_df_file, updates are fetched at 60-minute intervals by default.

! Enable dynamic-filter update client
dynamic-filter updater-client enable
! Use the database downloaded by the client
dynamic-filter use-database

Classify the traffic that will be subject to dynamic filtering by creating an access control list (ACL) that matches it. The example below limits the checks to HTTP (TCP/80); botnet command and control traffic is not restricted to that port, so a broader match is often appropriate.

access-list DYNAMIC-FILTER_ACL extended permit tcp any any eq 80

Enable dynamic filtering on the Internet-facing (outside) interface, referencing the classification ACL from the previous step. Omitting the classify-list keyword checks all traffic on the interface. Note that this command only monitors and logs matches; to actually block connections to blacklisted hosts, dynamic-filter drop blacklist must be configured as well.

dynamic-filter enable interface outside classify-list DYNAMIC-FILTER_ACL

Enable DNS snooping on the outside interface by adding DNS inspection with the dynamic-filter-snoop option to the policy applied to that interface. Snooping records the addresses returned in DNS replies for names in the database, so connections to those addresses can be matched even when the address itself is not listed. It only works for DNS traffic that actually passes through the ASA.

class-map DYNAMIC-FILTER_SNOOP_CLASS
  match port udp eq domain
policy-map DYNAMIC-FILTER_SNOOP_POLICY
  class DYNAMIC-FILTER_SNOOP_CLASS
    inspect dns dynamic-filter-snoop

service-policy DYNAMIC-FILTER_SNOOP_POLICY interface outside

Define local whitelists and/or blacklists if needed. Whitelist entries override the dynamic database, which is useful for suppressing false positives.

dynamic-filter blacklist
  name bad1.example.com
  name bad2.example.com
  ! address takes a network and mask; this entry covers 10.1.1.0/24
  address 10.1.1.0 255.255.255.0
dynamic-filter whitelist
  name startup-config.com
  ! a /32 mask whitelists a single host
  address 192.168.26.1 255.255.255.255
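Putting the steps above together, here is a complete configuration as an added example (not from the original post). It adds two things the walkthrough leaves out: a name server for the update client, and the drop command that turns the filter from a monitor into a block. The interface names (inside/outside), the name-server address, the ACL name and the host names are placeholders chosen for this example.

```text
! Added example, not from the original post. Complete Botnet Traffic Filter
! configuration for an ASA with interfaces "inside" and "outside". The
! name-server address, ACL name and host names are placeholders.

! 1. DNS client: the update client must resolve the Cisco update server by name.
dns domain-lookup outside
dns server-group DefaultDNS
  name-server 192.0.2.53
!
! 2. Download the dynamic database and use it for lookups.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! 3. Classify which traffic is checked. Matching all IP traffic rather than
!    only TCP/80 catches command and control on non-HTTP ports.
access-list DYNAMIC-FILTER_ACL extended permit ip any any
!
! 4. Monitor (log) traffic on the outside interface against the database.
dynamic-filter enable interface outside classify-list DYNAMIC-FILTER_ACL
!
! 5. Drop connections to blacklisted destinations. Without this command the
!    filter only generates syslog messages. The threat-level range limits the
!    drop action to entries the database rates moderate or higher.
dynamic-filter drop blacklist interface outside action-classify-list DYNAMIC-FILTER_ACL threat-level range moderate very-high
!
! 6. DNS snooping: record DNS replies so destination addresses can be tied
!    back to the domain names in the database. Adding the option to the
!    existing global policy keeps the default DNS inspection map in place.
policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map dynamic-filter-snoop
!
! 7. Local lists. Whitelist entries override the dynamic database.
dynamic-filter blacklist
  name bad1.example.com
  address 10.1.1.0 255.255.255.0
dynamic-filter whitelist
  name updates.example.com
  address 192.168.26.1 255.255.255.255
!
! Verification (exec mode):
!   show dynamic-filter updater-client   - database version and last download
!   show dynamic-filter statistics       - connections classified and dropped per interface
!   show dynamic-filter dns-snoop        - snooped name-to-address mappings
!   show dynamic-filter reports top infected-hosts
```

Check show dynamic-filter updater-client first: if the database version is empty or stale, nothing downstream (classification, drops, snooping) will match anything, and the fault is in DNS resolution, reachability of the update server, or the license rather than in the filter itself.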

Troubleshoot

If the database is not updating, the command below tests connectivity to the Cisco SIO servers by performing a download. Note that this does not save the database.

dynamic-filter database fetch

You can also purge the database with the following command. Use it rather than deleting the files disk0:/internal_df_file and disk0:/internal_df_data by hand.

dynamic-filter database purge

With this in place the ASA will identify connections to known botnet infrastructure. If a machine inside the network is infected, the command and control traffic it generates will be logged and, once dynamic-filter drop blacklist is configured, blocked, cutting the malware off from the rest of the botnet.

Please note that the Botnet Traffic Filter requires a separate, time-based (annual) license.

Aug 7th, 2011 • Posted in ASA, Data Plane Protection, Security