Black hole and BOTNET filter?

Lance Wendel
Level 1

Hi all,

I have a query regarding black hole and botnet.

My customer tends to receive traffic which is not destined to anywhere. He wants to achieve the following. He wants to capture the traffic via SPAN and then direct it to a firewall on the inside interface and then apply the botnet filter. He has a Catalyst where some VRFs are defined. One of the VRFs is named "SOME-VRF-BHOLE". This VRF will be mirrored to another port and this traffic will be sent to the inside interface of a firewall where the Botnet feature is active.

My first question, is this doable? I mean, if the traffic is black holed then the first thing which will happen on the ASA is that it drops the traffic, as it gets traffic destined to nowhere; if it's a SYN/ACK then the ASA will drop the packet due to spoofing. So in other words there should be flowing traffic which goes through the ASA to be able to apply the botnet filter. Or could someone confirm whether this method my customer has explained could be done at all?

Thanks in advance

Lance

3 Replies

Julio Carvajal
VIP Alumni

Hello Lance,

I answered a query like this I think 2 days ago...

So you want to filter traffic via the botnet feature (you will need to make sure the ASA has access to the internet of course so it can contact the Security Intelligence Servers).

The ASA will drop the packets if they are spoofed and you have the RPF check on.

If the traffic goes to nowhere the ASA of course will drop it (No route to host x.x.x.x).

And if we receive a SYN-ACK where there has not been a SYN, traffic will be dropped due to the TCP inspection failure (unless you configure a TCP state bypass).

Julio

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
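To make the three drop conditions Julio lists concrete, here is an added toy model (not code from the thread or from Cisco) of a stateful firewall that applies, in order, an RPF check, a route lookup and a TCP state check before a packet ever reaches a botnet blacklist lookup. The order of the checks, the prefixes, the blacklist entries and the mirrored packets are all constructed assumptions for illustration; the point it shows is that SPAN-mirrored black-hole traffic is dropped at the route lookup regardless of whether TCP state bypass is enabled, so the botnet filter never sees it.

```python
"""Toy model of the drop checks a stateful firewall applies to mirrored packets.

Added example, not code from the thread. Check order and all addresses are
constructed assumptions, not a description of the ASA's real packet pipeline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class MiniAsa:
    """Simplified stateful firewall; the check order is an assumption of this model."""

    def __init__(self, routes, ingress_prefixes, blacklist, rpf=True, tcp_state_bypass=False):
        self.routes = [ip_network(r) for r in routes]
        self.ingress = [ip_network(p) for p in ingress_prefixes]
        self.blacklist = set(blacklist)
        self.rpf = rpf
        self.tcp_state_bypass = tcp_state_bypass
        self.conns = set()  # 4-tuples for which a SYN has been seen

    @staticmethod
    def _covered(net_list, addr):
        a = ip_address(addr)
        return any(a in n for n in net_list)

    def process(self, pkt):
        # 1. RPF: the source must be reachable back through the ingress interface
        if self.rpf and not self._covered(self.ingress, pkt.src):
            return "drop: rpf"
        # 2. Route lookup: a black-holed destination has no route at all
        if not self._covered(self.routes, pkt.dst):
            return "drop: no route"
        # 3. TCP state: a SYN opens a flow; anything else needs an existing flow
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if not self.tcp_state_bypass:
            if pkt.flags == "S":
                self.conns.add(fwd)
            elif fwd not in self.conns and rev not in self.conns:
                return "drop: tcp state"
        # 4. Botnet filter: only packets that survived 1-3 are ever classified
        if pkt.src in self.blacklist or pkt.dst in self.blacklist:
            return "drop: botnet blacklist"
        return "permit"


def run_scenarios():
    """Run constructed mirrored packets through fresh firewalls; returns {scenario: verdict}."""
    def asa(**kw):
        # Constructed topology: inside is 10.0.0.0/8, one routed external prefix.
        return MiniAsa(routes=["10.0.0.0/8", "203.0.113.0/24"],
                       ingress_prefixes=["10.0.0.0/8"],
                       blacklist={"203.0.113.9", "198.51.100.77"}, **kw)

    blackholed = Packet("10.1.1.5", "198.51.100.77", 40000, 80, "S")   # dst has no route
    orphan_synack = Packet("10.1.1.5", "10.2.2.9", 443, 5555, "SA")    # no prior SYN seen
    spoofed = Packet("192.0.2.1", "10.2.2.9", 40001, 80, "S")          # src not behind inside
    routed_bad = Packet("10.1.1.5", "203.0.113.9", 40002, 80, "S")     # routed, blacklisted dst

    return {
        "blackholed_dst": asa().process(blackholed),
        "blackholed_dst_with_bypass": asa(tcp_state_bypass=True).process(blackholed),
        "synack_without_syn": asa().process(orphan_synack),
        "synack_with_bypass": asa(tcp_state_bypass=True).process(orphan_synack),
        "spoofed_src": asa().process(spoofed),
        "routed_blacklisted_dst": asa().process(routed_bad),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

Note that the black-holed packet carries a blacklisted destination yet never reaches step 4: the route lookup rejects it with or without TCP state bypass. Only the routed packet to 203.0.113.9 is classified by the blacklist, which is the "flowing traffic" the firewall actually needs in order for the botnet feature to act.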

Hi Julio

With regard to the

"I answered a query like this I think 2 days ago..."

could I get the link for this please?

thanks

Lance

Hello Lance,

I tried to look for it but I could not find it (I have answered several questions in the last few days so I do not remember the discussion header).

It was about using an ASA off-line with access to the internet to check how the botnet feature works.

Regards

Julio Carvajal