When the ASA Botnet filter feature was announced I thought it was an interesting concept and definitely worth trying. One of the things this feature introduces is the ability to monitor your outbound traffic and know whether it contains flows that should not be allowed. Dedicated devices offer this, but a firewall is usually focused on inbound traffic rather than outbound. Botnets make it just as important to know what is going out.
When time permitted, I upgraded my ASA 5505 to 8.2(1) and got a 30-day Botnet evaluation license. I installed it in routed mode with no rules besides basic NAT and enabled all the Botnet check boxes. One gotcha here is that you need to configure a DNS server on the ASA for the updates to occur; once that was done, the database got updated and monitoring went live.
Two weeks later I had no indication of Botnet activity in the reporting section of ASDM. There were some entries indicating access to blacklisted sites (geocities.com was among them, to my surprise), but since they were on TCP port 80 (HTTP), they were not considered Botnet traffic. Great, my home/work computers are clean, but how do I get this thing to find something? I spent some time searching for a way to get a VMware XP guest infected but decided the risk was not worth it. Instead I wrote a small batch file that opens a TCP session to a list of sites over and over again, the same way a bot would.
Here is the batch file content:
REM Loop forever, attempting a TCP session to each listed host on port 12330
:start
telnet drbach.pl 12330
telnet orgsite.info 12330
telnet martuz.cn 12330
telnet 007webs 12330
telnet woocasino.com 12330
telnet basketballsport.cn 12330
telnet adultping.net 12330
goto start
The list of sites was taken from http://www.malwaredomainlist.com, which is a non-commercial community project. Most of the commercial sites that have those lists will not share them, but this site was a great resource.
After a short while the ASA's Botnet reporting showed the following reports:
But what if the destination is a well-known site; would the ASA generate a false alarm if the same TCP session attempts happened? To test that I modified the batch file to have the following content:
REM Same loop, but against well-known sites on the same non-standard port
:start
telnet google.com 12330
telnet yahoo.com 12330
telnet cnn.com 12330
telnet networkworld.com 12330
telnet microsoft.com 12330
telnet avaya.com 12330
telnet hp.com 12330
telnet riverbed.com 12330
goto start
The ASA didn't report anything when running this batch, which was the expected behavior.
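To make the two experiments above concrete, here is a small classifier, added as an example (it is not Cisco's implementation and not code from the original post), that applies the same logic the ASA appeared to apply: outbound flows whose destination hostname falls under a blocklisted domain are flagged as botnet activity, unless they go to a port the filter treated as ordinary web traffic (port 80 in the post's observation), while well-known destinations are never flagged even on an odd port. The blocklist, allowlist, and flow records are constructed placeholders; the beaconing threshold is an assumption chosen to reflect the "over and over again" pattern of the batch file.

```python
"""Toy outbound-flow classifier mirroring the post's two experiments.

Added example, not Cisco's Botnet Traffic Filter code. All domains and
flow records below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Dict

# Constructed stand-in for the dynamic blocklist database (placeholder names).
BLOCKLIST = {"bad1.example.invalid", "bad2.example.invalid"}
# Constructed stand-in for well-known destinations (the post's second experiment).
ALLOWLIST = {"search.example.com", "news.example.com"}
# Ports the post observed the ASA treating as plain web access rather than botnet traffic.
IGNORED_PORTS = {80}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_host: str   # hostname the client resolved before connecting
    dst_port: int


def _matches(host: str, names: set) -> bool:
    """True if host equals a listed name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in names)


def classify(flow: Flow) -> str:
    """Return 'allowed', 'blacklisted-web', 'botnet' or 'unknown' for one flow."""
    if _matches(flow.dst_host, ALLOWLIST):
        return "allowed"            # well-known site: no alarm even on port 12330
    if _matches(flow.dst_host, BLOCKLIST):
        if flow.dst_port in IGNORED_PORTS:
            return "blacklisted-web"  # listed site over HTTP: logged, not botnet
        return "botnet"             # listed site over a non-web port: botnet
    return "unknown"


def report(flows: Iterable[Flow], repeat_threshold: int = 3) -> List[Dict]:
    """Aggregate flows per (src, host, port) and attach a verdict and a
    beaconing flag for destinations contacted repeatedly (assumed threshold)."""
    counts = Counter((f.src_ip, f.dst_host.lower().rstrip("."), f.dst_port) for f in flows)
    findings = []
    for (src, host, port), n in sorted(counts.items()):
        findings.append({
            "src": src, "dst": host, "port": port, "count": n,
            "verdict": classify(Flow(src, host, port)),
            "beaconing": n >= repeat_threshold,
        })
    return findings


def botnet_hits(flows: Iterable[Flow], repeat_threshold: int = 3) -> List[Dict]:
    """Only the findings a Botnet report would show."""
    return [f for f in report(flows, repeat_threshold) if f["verdict"] == "botnet"]


# Constructed flow records: experiment 1 (listed host, port 12330, repeated),
# a listed host over port 80, experiment 2 (well-known host, port 12330),
# and an unrelated HTTPS flow.
SAMPLE_FLOWS = [Flow("10.0.0.5", "bad1.example.invalid", 12330)] * 4 + [
    Flow("10.0.0.5", "www.bad2.example.invalid", 80),
    Flow("10.0.0.5", "search.example.com", 12330),
    Flow("10.0.0.5", "search.example.com", 12330),
    Flow("10.0.0.7", "other.example.org", 443),
]

if __name__ == "__main__":
    for finding in report(SAMPLE_FLOWS):
        print(finding)
```

Running the block prints one line per aggregated destination; only the repeated connections to the blocklisted host on port 12330 carry the "botnet" verdict, the port-80 access to a listed host is reported as web access (matching the geocities.com entries in the post), and the well-known site on the same odd port produces no alarm.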
Anyone tried it in production environment and actually discovered some real Botnets with it?
Avner Izhar is an experienced IT professional; he has 14 years of experience in the networking area, on multiple continents, and has filled positions in post sales, pre sales and training. He currently holds CCIE in Voice (#15999), CCSI (#31623), CCVP and others. He is also the author of two CCIE Voice training-related books: CCIE Voice Technology Workbook and CCIE Voice written study guide, both published under NLI. When he is not blogging for Network World, he works as a Consulting System Engineer for World Wide Technology.
Through this blog, Avner will share his personal experience and assist junior and senior engineers in their IT tasks.