Cisco Cisco ASA 5540 Adaptive Security Appliance Scheda Tecnica

White Paper

Page 10 of 11

Figure 8. Integration of Botnet Traffic Filter Statistics into the ASDM Dashboard

Mitigation

Mitigation is a critical step in the botnet detection and prevention process and security incident response cycle. The

following steps can be taken to mitigate botnet infections once they have been identified by the Botnet Traffic Filter.

Manual Process

1. Security administrator identifies infected hosts reported by BTF dashboard, and on Cisco ASDM or shown in

syslog messages (as shown in the example in the next step). Next, a manual remediation process can be taken.

2. Block all transient traffic coming to and from infected hosts using “shun” or ACLs on the ASA appliance. An

administrator can perform this by the use of Cisco ASDM

or the CLI. Shun is preferred as it is dynamic and

non-persistent and will block existing connections without interfering with the static security policy (ACLs).

Example

The following is a sample syslog message generated by the Botnet Traffic Filter when it detects an infected host
that matches the Botnet Traffic Filter dynamic filtering database:

ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from
inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80
(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list:
bad.example.com

Here’s how the resulting ACL entry would look:

access-list BLOCK_OUT extended deny ip host 10.1.1.45 host 209.165.202.129

access-list BLOCK_OUT extended permit ip any any access-group BLOCK_OUT out
interface outside

The above ACL effectively would block all IP traffic sourced from the infected host 10.1.1.45 when going to the
botnet command and control server at 209.165.202.129. Specific source or destination port can be blocked for
more granular control, as needed.

A reverse ACL can be created using the Cisco ASDM real-time log by right-clicking on the syslog messages generated by the

Botnet Traffic Filter.