How the botnet traffic filter works – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Information About the Botnet Traffic Filter

How the Botnet Traffic Filter Works

Figure 55-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.

Figure 55-1 How the Botnet Traffic Filter Works with the Dynamic Database

Figure 55-2 shows how the Botnet Traffic Filter works with the static database.

Figure 55-2 How the Botnet Traffic Filter Works with the Static Database

[Figure 55-1, How the Botnet Traffic Filter Works with the Dynamic Database. Elements: Infected Host, Security Appliance (DNS Snoop, Botnet Traffic Filter, DNS Reverse Lookup Cache, Dynamic Database), DNS Server, Syslog Server, Internet, Malware Home Site 209.165.201.3. Labelled steps: 1. DNS Request: bad.example.com; 1a. Match? (DNS snooping checks the name against the Dynamic Database); 2. DNS Reply: 209.165.201.3; 2a. Add (the resolved address is added to the DNS Reverse Lookup Cache); 3. Connection to: 209.165.201.3; 3a. Match? (the connection is checked against the cache); 3b. Send Syslog Message/Drop Traffic.]

[Figure 55-2, How the Botnet Traffic Filter Works with the Static Database. Elements: Infected Host, Security Appliance (Botnet Traffic Filter, DNS Host Cache, Static Database), DNS Server, Syslog Server, Internet, Malware Home Site 209.165.201.3. Labelled steps: 1. Add entry: bad.example.com (to the Static Database); 1a. DNS Request: bad.example.com; 2. DNS Reply: 209.165.201.3; 2a. Add (the resolved address is added to the DNS Host Cache); 3. Connection to: 209.165.201.3; 3a. Match? (the connection is checked against the cache); 3b. Send Syslog Message/Drop Traffic.]
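The following Python simulation, added here as an illustration and not Cisco's own code, walks through the steps labelled in both figures: DNS snooping matches a queried name against the dynamic database and caches the address from the reply (Figure 55-1, steps 1a and 2a), static-database entries are resolved by the appliance itself and cached the same way (Figure 55-2, steps 1a and 2a), and each new connection is matched against the cache to produce a syslog message and, when drop is enabled, a drop (steps 3a and 3b). All addresses, names, the `resolver` dictionary and the message format are constructed for the example.

```python
"""Constructed simulation of the Botnet Traffic Filter flow in Figures 55-1 and 55-2.

Not Cisco code: it models the reverse lookup cache, the two ways it is filled
(DNS snooping against the dynamic database, and resolution of static-database
entries), and the per-connection match that sends a syslog message or drops.
"""
from dataclasses import dataclass, field


@dataclass
class SyslogMessage:
    """Stand-in for the message sent to the syslog server in step 3b."""
    text: str


@dataclass
class BotnetTrafficFilter:
    dynamic_database: set        # domain names from the downloaded dynamic database
    static_database: set         # domain names the administrator added (Figure 55-2, step 1)
    drop: bool = False           # False = syslog only; True = syslog and drop (step 3b)
    reverse_lookup_cache: dict = field(default_factory=dict)  # resolved IP -> domain name
    syslog: list = field(default_factory=list)                # messages "sent" to the syslog server

    @staticmethod
    def _norm(name):
        # DNS names are case-insensitive and may carry a trailing dot
        return name.lower().rstrip(".")

    def snoop_dns_reply(self, qname, answer_ip):
        """Figure 55-1, steps 1a/2a: DNS snooping checks the queried name against the
        dynamic database and, on a match, caches the address returned in the reply."""
        name = self._norm(qname)
        if name in self.dynamic_database:
            self.reverse_lookup_cache[answer_ip] = name
            return True
        return False

    def resolve_static_entries(self, resolver):
        """Figure 55-2, steps 1a/2a: the appliance resolves each static-database entry
        (here via a constructed `resolver` dict, domain -> IP) and fills the host cache."""
        for entry in self.static_database:
            name = self._norm(entry)
            ip = resolver.get(name)
            if ip:
                self.reverse_lookup_cache[ip] = name

    def check_connection(self, src_ip, dst_ip):
        """Steps 3/3a/3b: match the destination of a new connection against the cache.
        Returns the action taken: 'permit' or 'drop'."""
        domain = self.reverse_lookup_cache.get(dst_ip)
        if domain is None:
            return "permit"
        action = "drop" if self.drop else "permit"
        # Constructed message format; the real syslog IDs and wording are not on this page.
        self.syslog.append(SyslogMessage(
            f"Botnet Traffic Filter: {src_ip} -> {dst_ip} matches {domain}; action {action}"))
        return action


def run_figure_55_1(drop=True):
    """Walk through Figure 55-1 with the names and addresses shown in the figure."""
    btf = BotnetTrafficFilter(dynamic_database={"bad.example.com"},
                              static_database=set(), drop=drop)
    # 1. infected host asks for bad.example.com; 2. DNS reply 209.165.201.3 is snooped
    btf.snoop_dns_reply("bad.example.com", "209.165.201.3")
    # 3. infected host (constructed address) connects to the malware home site
    action = btf.check_connection("10.1.1.5", "209.165.201.3")
    return action, btf.syslog


if __name__ == "__main__":
    action, log = run_figure_55_1()
    print(action)
    for msg in log:
        print(msg.text)
```

Only a connection whose destination was learned through a matching DNS reply (or a resolved static entry) is flagged; a connection to the same address reached without a snooped DNS exchange stays in the permit path, which is why the real feature depends on DNS inspection with snooping being enabled on the traffic the appliance sees.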
