Data Sheet
White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 11
Figure 3. Cisco ASA Botnet Traffic Filter Operation
The Cisco ASA Botnet Traffic Filter has three main components:
● Dynamic and Administrator Blacklist Data
The Botnet Traffic Filter uses a database of malicious domain names and IP addresses that is provided and maintained by Cisco Security Intelligence Operations and is downloaded dynamically from an update server. Administrators can also configure their own local blacklists and whitelists.
● Traffic Classification and Reporting
Botnet Traffic Filter traffic classification is configured through the dynamic-filter command, as shown in Step 3 of the configuration section. The dynamic filter compares the source and destination addresses of traffic against the IP addresses that have been discovered for the available lists (dynamic black, local white, local black), and logs and reports the hits against these lists accordingly.
● Domain Name System (DNS) Snooping
To map IP addresses to the domain names contained in the dynamic database or the local lists, the Botnet Traffic Filter uses DNS snooping in conjunction with DNS inspection. Dynamic Filter DNS snooping inspects User Datagram Protocol (UDP) DNS replies and builds a DNS reverse cache (DNSRC) that maps the IP addresses in those replies to the domain names they were answered for. DNS snooping is configured through Modular Policy Framework (MPF) policies [4].

[4] http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html
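The DNS reverse cache and the list comparison described above, as an added illustration written for this page rather than Cisco's own code: snooped DNS replies fill a DNSRC, and a flow's source and destination addresses are then checked against lists that hold domain names and/or IP prefixes, with a hit reported per list (the page states no precedence between a whitelist and a blacklist hit, so both are returned). The cache layout, the sample addresses and the rule that a listed domain also covers its subdomains are assumptions made here.

```python
import ipaddress
from collections import defaultdict

class DnsReverseCache:
    """DNSRC model: maps each IP seen in a snooped UDP DNS reply back to the names it was answered for."""
    def __init__(self):
        self.ip_to_names = defaultdict(set)

    def snoop_reply(self, qname, answers):
        """answers: (owner name, record type, rdata) tuples from one reply; only A/AAAA records are kept."""
        for owner, rtype, rdata in answers:
            if rtype in ("A", "AAAA"):
                ip = str(ipaddress.ip_address(rdata))  # canonical textual form
                self.ip_to_names[ip].update({qname.lower().rstrip("."), owner.lower().rstrip(".")})

class AddressList:
    """A blacklist or whitelist holding domain names and/or IP addresses or prefixes (constructed model)."""
    def __init__(self, name, entries):
        self.name, self.domains, self.networks = name, set(), []
        for entry in entries:
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:  # not an address or prefix, so treat it as a domain name
                self.domains.add(entry.lower().rstrip("."))

    def match(self, ip, cache):
        """Return the entry matching `ip` directly or through its DNSRC names, else None."""
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        for name in cache.ip_to_names.get(str(addr), set()):
            labels = name.split(".")
            # Assumption: a listed domain also covers its subdomains (example.net covers c2.example.net).
            for i in range(len(labels)):
                suffix = ".".join(labels[i:])
                if suffix in self.domains:
                    return suffix
        return None

def classify_flow(src, dst, lists, cache):
    """Compare both endpoints against every list; returns {list name: '<ip> via <entry>'}."""
    hits = {}
    for lst in lists:
        for ip in (src, dst):
            entry = lst.match(ip, cache)
            if entry is not None:
                hits[lst.name] = f"{ip} via {entry}"
                break
    return hits
```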