Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
292
Views
0
Helpful
3
Replies

Black hole and BOTNET filter ?

Lance Wendel
Level 1
Level 1

‎06-13-2013 05:04 AM - edited ‎03-11-2019 06:57 PM

Hi all,

I have a query regarding black hole and botnet.

My customer tends to receive traffic which is not destining to anywhere.  He wants to achieve the following. He wants to capture the traffic per SPAN and then direct them to a firewall on the inside interface and then apply botnet filter. He has a catalyst where some VRF are defined. One of the VRF is named as "SOME-VRF-BHOLE” This VRF will be mirrored to a other port and this traffic will sent so the inside interface of a firewall where Botnet feature is active.

My first question, is this doable, I mean if the traffic is black holed then the first thing which will happen by the ASA is to drop the traffic as it gets traffic destine to nowhere, if it’s a SYN/ACK then the ASA will drop the packet due to spoofing. So in other words there should be a flowing traffic which goes through the ASA to be able to apply the botnet filter. Or could someone confirm this mothered my customer has explained could be done at all.

Thanks in advance

Lance

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎06-13-2013 09:56 AM

Hello Lance,

I answered a query like this I think 2 days ago...

So you want to filter traffic via the botnet feature ( you will need to make sure the ASA has access to the internet ofcourse so it can contact the Security Intelligence Servers )

The ASA will drop the packets if they are spoofed and you have  the RPF check on.

If the traffic goes to nowhere the ASA ofcourse will drop it ( No route to host x.x.x.x)

And if we receive a SYN-ACK where there has not been a SYN, traffic will be drop due to the TCP inspection failure (unless u configure a TCP state bypass)

Julio

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Lance Wendel
Level 1
Level 1
In response to Julio Carvajal

‎06-14-2013 04:39 AM

Hi Julio

with regard to the

i answered a query like this I think 2 days ago...

could I get the link for this please?

thanks

Lance

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Lance Wendel

‎06-14-2013 08:57 AM

Hello Lance,

I tried to look for it but I could not find it ( I have answered several questions on the last few days so I do not remember the discussion header).

It was about the fact to using an ASA off-line with access to the internet to check how the botnet feature works.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card