Cisco ASA Filtering Botnet Traffic
In the modern world, almost every business is connected to the Internet, and with this connection comes a giant potential security risk to the company. While it is possible for a business to not be on the Internet, very few have chosen to stay disconnected for a number of reasons.
One of the main threats that these businesses have to deal with is malware. In short, malware is a rogue program that attempts to take advantage of the weaknesses in a business' security. Some examples of malware include viruses, worms, trojans, and bots.
This article takes a look specifically at the bots subtype of malware. Bots are used to perform a number of different automated tasks that are controlled by a central entity.
A botnet is a group (typically a very large group) of bots that is controlled by a central attacker (or group of attackers). These bots can perform a number of tasks, from capturing traffic, to relaying attacker traffic to another bot, to performing large-scale Distributed Denial of Service (DDoS) attacks. Because of this, they are an important resource for attackers (and no business wants to become the prey of these attackers, either as a target or as a host of bots).
One of the methods that can be used on the Cisco Adaptive Security Appliance (ASA) platform to avoid becoming a target of these types of attacks is to deploy its Botnet Traffic Filter. This article takes a look at how the Botnet Traffic Filter can be used to manually or automatically block these attacks from happening.
Botnet Traffic Filter Concepts
The Botnet Traffic Filter works by monitoring the outbound connections of a network. If a connection is requested to a domain name or IP address (or IP address range) that is known to be bad, the traffic is flagged, and a message is sent to the syslog of the ASA.
It is also possible for this action to be escalated to the automatic dropping of the connection.
Static Threat Database
The first way that the filter can be configured is by using static entries, which can include domain names or IP addresses, or addresses that are automatically tagged as "good" (whitelisted) or "bad"(blacklisted), depending on the configuration.
All the traffic that is matched will be logged, and traffic that is tagged as "bad" can potentially be dropped when traffic to these destinations is initiated. Entries that are configured are inserted into a Domain Name System (DNS) host cache, which is then queried as traffic is sent through the ASA.
Dynamic Threat Database
The first thing to note is that the static database is really intended to be a supplement to the dynamic database. To expect to manually enter all potential blacklist entries for all the potential bad domain names and IP ranges is really an unrealistic goal. This is why Cisco offers a dynamic threat database.
This database is maintained by Cisco and can be downloaded onto the ASA. This database is received by the ASA and kept in running memory, specifically in the DNS reverse lookup cache.
There are a number of different threat traffic types that are included within these dynamic entries, including the following:
- Ads: Include networks that are known to deliver banner ads, pop-ups, spyware, and adware
- Data tracking: Includes networks that are associated with companies and websites that offer data tracking and metric services
- Spyware: Includes networks that are known to distribute spyware, adware, greyware, and other advertising software
- Malware: Includes networks that are known to use a variety of exploits to deliver adware, spyware, and other threats
- Adult: Includes networks that are known to be associated with adult networks and services offering web hosting of adult content, advertising, content aggregation, registration, and billing
- Bot and threat networks: Include networks that are known to host infected computer control software
Botnet Traffic Filter Operation
The static database functionality of the Botnet Traffic Filter works a little differently from the dynamic functionality. When a static entry is entered into the database, the ASA will wait one minute and perform a "normal" DNS lookup of the IP address matching the configured entry; the returned response will be entered into the ASA's DNS Host Cache.
This cache is then used to match traffic (by IP address) that is sent through the ASA (exactly how and what interfaces are inspected are configurable), both white and blacklisted entries are logged, and blacklisted entries can also be configured to be dropped.
The application of the dynamic database functionality of the Botnet Traffic Filter depends on how exactly it is configured; to get the most out of the capabilities of the feature, the ASA will be configured to perform DNS inspection along with the operation of the Botnet Traffic Filter.
If DNS inspection is not enabled, the filter will provide protection only against static database blacklist entries (logging and dropping) and dynamic database entries that consist of an IP address or IP address range. It will not filter any traffic that is entered in the dynamic database using a host or domain name.
When DNS inspection is enabled, the filter will provide the most amount of protection by inspecting dynamic entries that are entered in IP address (or IP network) form and those that are entered as host or domain names.
When using the dynamic (and potentially static) capabilities, the filter will monitor the operation of the DNS inspection feature. When a DNS request is transmitted by an internal host, the ASA will match the DNS information against the entries that exist within the dynamic database. If a match is found, an entry will be added to the ASA's DNS Reverse Lookup Cache (as an IP address).
If the internal host continues to send traffic to the inquired destination, it will be matched against the DNS Reverse Lookup Cache (and the DNS Host Cache) and the traffic will be logged and potentially dropped before reaching the destination.
When put into full operation, the functionality of the Botnet Traffic Filter can certainly be quite effective, along with a larger network security plan to maintain a high level of security within a business' internal network.
Those hosts that have been infected by malicious software will be found by monitoring the log of the filter before any potential future (and external) harm can be done.