Data Sheet
White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 11
Classification
Traffic that passes through the Botnet Traffic Filter is classified into four categories:
● Blacklist
Traffic to or from an IP address that is considered malicious. The address is either an IP address/network
entry in the dynamic blacklist or in the administrator-configured blacklist, or it is an address snooped from a
DNS reply for a blacklisted domain.
● Whitelist
Traffic to or from an IP address that is considered good. Whitelist entries come only from the
administrator-configured lists.
● Greylist
An IP address that has resolved to one or more blacklisted domains as well as one or more unknown domains
(for example, a single address that serves both a blacklisted name and a name on neither list).
● Unknown/None
An IP address that maps to no domain in either the blacklist or the whitelist. No syslogs or statistics are
generated for this traffic.
Once an IP address is found for a blacklisted domain, a rule is added to the dynamic-filter ASP rule table and
statistics are kept for the number of times that domain is hit, the client that accessed it, and the TCP/UDP port
that was used to connect. In addition, a log message is produced each time a blacklisted IP address is hit, detailing
the source and destination IP addresses and ports as well as the domain name. The same process is applied to
whitelisted Fully Qualified Domain Names (FQDNs).
Using the Botnet Traffic Filter, Cisco ASA administrators can get statistics for the overall number of blacklist,
whitelist, and greylist hits for an interface, as well as summary reports for recent activity.
Dynamic Filter DNS Snooping
The Dynamic Filter DNS snooping feature inspects UDP DNS replies (A and CNAME records only) and builds a
DNS reverse lookup cache (DNSRC) that maps the IP addresses in those replies to the domain names they resolve.
DNS snooping should be enabled only on a traffic class that matches DNS traffic. If it is applied to other traffic,
that traffic is dropped because it does not conform to the DNS protocol. DNS snooping should also be enabled only
on the interface facing the Internet, since the Botnet Traffic Filter database is aimed at the external threat of
botnets. Filling the DNSRC with internal resolutions is likewise poor practice, because it can cause external
entries to be flushed early.
DNSRC housekeeping removes entries from the DNSRC on a regular basis.[5] The amount of time that an entry stays
in the DNSRC depends on the time to live (TTL) value in the DNS reply that was snooped.
[5] The default housekeeping interval is 20 minutes, but it is shortened as the DNSRC grows.
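The following is an added illustration, not Cisco code, that models both the classification described above and the DNS snooping mechanism: it parses constructed DNS replies in wire format, records A answers (folding CNAME chains onto the queried name, an assumption about how the DNSRC attributes an address) in a reverse cache keyed by IP with TTL-based expiry, runs a housekeeping sweep, and classifies flows as blacklist, whitelist, greylist or unknown. The list contents, the sample domains and addresses, the log line format and the rule that a whitelisted name takes precedence are all assumptions made for the example.

```python
"""Added model of Botnet Traffic Filter DNS snooping + classification (not Cisco code).
Names, list contents and the log format below are constructed for illustration."""
import struct

A, CNAME = 1, 5
BLACKLIST = {"bad.example"}           # constructed stand-in for dynamic + admin blacklist
BLACKLIST_IPS = {"203.0.113.200"}     # address entries match without any DNS snooping
WHITELIST = {"good.example"}

def _read_name(msg, off):
    """Decode an RFC 1035 name (compression pointers allowed); return (name, next off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def snoop_reply(msg, dnsrc, now):
    """Record A answers as dnsrc[ip][queried name] = expiry; CNAME chains are folded
    onto the name the client asked for (assumed behaviour). Queries are ignored."""
    if not struct.unpack("!H", msg[2:4])[0] & 0x8000:  # QR bit clear: not a reply
        return
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _read_name(msg, off)[1] + 4             # skip QNAME, QTYPE, QCLASS
    alias_of = {}                                     # CNAME target -> queried name
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CNAME:
            alias_of[_read_name(msg, off)[0]] = alias_of.get(name, name)
        elif rtype == A and rdlen == 4:
            ip = ".".join(str(b) for b in msg[off:off + 4])
            dnsrc.setdefault(ip, {})[alias_of.get(name, name)] = now + ttl  # TTL-bound
        off += rdlen

def housekeep(dnsrc, now):
    """Periodic DNSRC sweep: drop entries whose TTL has lapsed; return how many."""
    removed = 0
    for ip in list(dnsrc):
        live = {n: e for n, e in dnsrc[ip].items() if e > now}
        removed += len(dnsrc[ip]) - len(live)
        if live:
            dnsrc[ip] = live
        else:
            del dnsrc[ip]
    return removed

def classify(ip, dnsrc, now):
    """blacklist / whitelist / greylist / unknown, per the paper's four categories."""
    if ip in BLACKLIST_IPS:
        return "blacklist"
    names = {n for n, exp in dnsrc.get(ip, {}).items() if exp > now}
    if names & WHITELIST:                             # assumed: whitelist takes precedence
        return "whitelist"
    bad = names & BLACKLIST
    if not bad:
        return "unknown"                              # no listed domain: no log, no stats
    return "blacklist" if bad == names else "greylist"  # greylist = blacklisted + unknown names

def inspect_flow(src, sport, dst, dport, proto, dnsrc, now):
    """Classify a flow by destination IP and build a hit log line (None for unknown)."""
    verdict = classify(dst, dnsrc, now)
    if verdict == "unknown":
        return verdict, None
    names = ",".join(sorted(n for n, exp in dnsrc.get(dst, {}).items() if exp > now)) or "-"
    return verdict, f"dynamic-filter {verdict}: {proto} {src}:{sport} -> {dst}:{dport} names={names}"

def build_reply(qname, answers, txid=0x1234):
    """Construct a DNS reply in wire format (sample input for the demo)."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += enc(qname) + struct.pack("!HH", A, 1)
    for name, rtype, ttl, rdata in answers:
        rd = enc(rdata) if rtype == CNAME else bytes(int(o) for o in rdata.split("."))
        msg += enc(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return msg

def demo(now=1_000_000):
    """Snoop three constructed replies, classify four flows, then expire the 60 s entry."""
    dnsrc = {}
    snoop_reply(build_reply("bad.example", [("bad.example", CNAME, 300, "cdn.bad.example"),
                                            ("cdn.bad.example", A, 60, "203.0.113.10")]), dnsrc, now)
    snoop_reply(build_reply("other.example", [("other.example", A, 600, "203.0.113.10")]), dnsrc, now)
    snoop_reply(build_reply("good.example", [("good.example", A, 3600, "198.51.100.5")]), dnsrc, now)
    flows = [("10.0.0.5", 40001, "203.0.113.10", 443, "TCP"),    # shared IP: bad + unknown
             ("10.0.0.5", 40002, "198.51.100.5", 80, "TCP"),     # whitelisted domain
             ("10.0.0.5", 40003, "192.0.2.99", 53, "UDP"),       # never seen in DNS
             ("10.0.0.5", 40004, "203.0.113.200", 6667, "TCP")]  # address-entry blacklist
    before = {f[2]: inspect_flow(*f, dnsrc, now) for f in flows}
    later = now + 61                                  # past the bad.example A TTL of 60 s
    removed = housekeep(dnsrc, later)
    after = {f[2]: classify(f[2], dnsrc, later) for f in flows}
    return before, removed, after
```

Calling `demo()` shows the shared address 203.0.113.10 classified as greylist while both the blacklisted and the unknown name are cached, and falling back to unknown once the 60-second A record for the blacklisted chain expires; the whitelisted and address-listed flows are unaffected by the sweep, and the unknown flow produces no log line at either point.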