Troubleshooting Guide for the Cisco ASA 5512-X Adaptive Security Appliance

BotNet Traffic Filter Issue with Adaptive Security Appliance
Document ID: 117928
Contributed by Magnus Mortensen, Vibhor Amrodia, and Dinkar Sharma, Cisco TAC Engineers.
Jul 23, 2014
Contents
Introduction
Background Information
Troubleshoot Workflow
     Step 1: Check the Dynamic Filter Database
     Step 2: Ensure DNS Traffic Crosses this ASA
     Step 3: Check the DNS Snoop Cache
     Step 4: Test the BotNet Traffic Filter with Traffic
Introduction
This document describes the steps to troubleshoot BotNet traffic filter functionality on the Adaptive Security Appliance (ASA). For assistance with BotNet traffic filter configuration, see this configuration guide: Configuring the BotNet Traffic Filter.
Background Information
The BotNet traffic filter monitors Domain Name Server (DNS) requests and responses between internal DNS clients and external DNS servers. When a DNS response is processed, the domain associated with the response is checked against the database of known malicious domains. If there is a match, any further traffic to the IP address present in the DNS response is blocked. See this diagram.
1. Check the dynamic filter database. The ASA periodically downloads a current database of known malicious domains and IP addresses. Cisco's Security Intelligence Operations (SIO) determines that the domains and IP addresses in this database serve malware or other malicious content.
2. Ensure that DNS traffic crosses the ASA. A user on the internal network or an infected machine on the internal network tries to access a malicious server in order to download malware or participate in a BotNet. In order to connect to the malicious server, the host machine must perform a DNS lookup. In this example, the machine attempts to access badsite.cisco.com. The host machine sends a DNS request to a local DNS server or directly to an external DNS server. In both situations, the DNS request must traverse the ASA and the DNS response must also traverse the same ASA.
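The decision path described in the background section and in steps 1 and 2 can be modelled in a few lines. The following is an added example written for this page, not Cisco's code: a DNS response that crosses the ASA is snooped into a cache, the answered domain is matched against the database, and later traffic to the resolved address is then blocked. The domains, addresses and TTL handling are constructed sample data and simplifying assumptions.

```python
"""Simplified model of the ASA BotNet Traffic Filter decision path (added example)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed stand-in for the downloaded dynamic-filter database, which
# lists both domains and IP addresses (step 1).
MALICIOUS_DOMAINS = {"badsite.cisco.com"}
MALICIOUS_IPS = {"203.0.113.10"}


@dataclass
class SnoopCache:
    """ip -> (domain, expiry). Built only from DNS responses that cross the ASA (step 2).
    Assumption for this model: an entry lives for the record's TTL."""
    entries: dict = field(default_factory=dict)

    def snoop_response(self, domain, ip, ttl, now):
        """Record an A-record answer seen in a DNS response."""
        self.entries[ip] = (domain.rstrip(".").lower(), now + ttl)

    def lookup(self, ip, now):
        """Return the domain that resolved to ip, or None if unknown or expired."""
        rec = self.entries.get(ip)
        if rec is None or rec[1] < now:
            self.entries.pop(ip, None)
            return None
        return rec[0]


def domain_is_listed(domain):
    """Exact-match check of the answered domain against the database."""
    return domain.rstrip(".").lower() in MALICIOUS_DOMAINS


def verdict(cache, dst_ip, now):
    """'block' if traffic to dst_ip should be dropped, otherwise 'allow'."""
    ipaddress.ip_address(dst_ip)  # reject malformed addresses early
    if dst_ip in MALICIOUS_IPS:   # address listed directly in the database
        return "block"
    domain = cache.lookup(dst_ip, now)
    if domain is not None and domain_is_listed(domain):
        return "block"            # address learned from a listed domain's DNS reply
    return "allow"
```

Traffic to a listed domain's address is allowed when the DNS exchange never crossed the ASA (empty cache), which is exactly why step 2 matters.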