06-13-2013 05:04 AM - edited 03-11-2019 06:57 PM
Hi all,
I have a query regarding black hole and botnet.
My customer tends to receive traffic which is not destined anywhere. He wants to achieve the following. He wants to capture the traffic via SPAN and then direct it to a firewall on the inside interface and then apply the botnet filter. He has a Catalyst where some VRFs are defined. One of the VRFs is named "SOME-VRF-BHOLE". This VRF will be mirrored to another port and this traffic will be sent to the inside interface of a firewall where the Botnet feature is active.
My first question, is this doable? I mean, if the traffic is black holed then the first thing which will happen on the ASA is to drop the traffic, as it gets traffic destined to nowhere; if it's a SYN/ACK then the ASA will drop the packet due to spoofing. So in other words there should be a flowing traffic which goes through the ASA to be able to apply the botnet filter. Or could someone confirm this method my customer has explained could be done at all?
Thanks in advance
Lance
06-13-2013 09:56 AM
Hello Lance,
I answered a query like this I think 2 days ago...
So you want to filter traffic via the botnet feature (you will need to make sure the ASA has access to the internet of course so it can contact the Security Intelligence Servers).
The ASA will drop the packets if they are spoofed and you have the RPF check on.
If the traffic goes to nowhere the ASA of course will drop it (No route to host x.x.x.x).
And if we receive a SYN-ACK where there has not been a SYN, traffic will be dropped due to the TCP inspection failure (unless you configure a TCP state bypass).
Julio
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
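As an added illustration (not part of this thread), here are the ASA features Julio refers to as they would appear in configuration: the Botnet Traffic Filter with DNS snooping, the uRPF check that drops mirrored packets with spoofed sources, and a TCP state bypass class so that a SYN-ACK with no preceding SYN survives TCP normalization. The interface name "inside" and the ACL/class/policy names are assumptions; the "no route to host" drop still applies unless the ASA has a route for the mirrored destinations.

```cisco
! Added example, not from the original post; assumes the SPAN-fed
! interface is named "inside".

! 1. Botnet Traffic Filter: dynamic database download, enable on the
!    interface and drop traffic matching the blacklist
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface inside
dynamic-filter drop blacklist interface inside

! 2. uRPF as mentioned in the answer: with this on, a mirrored packet whose
!    source does not route back via "inside" is dropped before any filtering
ip verify reverse-path interface inside

! 3. ACL selecting the mirrored TCP traffic for TCP state bypass
access-list MIRRORED_TCP extended permit tcp any any

! DNS snooping class so the filter can map blacklisted names to addresses
class-map DNS_SNOOP_CLASS
 match port udp eq domain

! Mirrored TCP class: skip the SYN/state check that drops orphan SYN-ACKs
class-map MIRRORED_TCP_CLASS
 match access-list MIRRORED_TCP

! One policy-map per interface: both classes go in the same policy
policy-map INSIDE_POLICY
 class DNS_SNOOP_CLASS
  inspect dns preset_dns_map dynamic-filter-snoop
 class MIRRORED_TCP_CLASS
  set connection advanced-options tcp-state-bypass

service-policy INSIDE_POLICY interface inside
```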
06-14-2013 04:39 AM
Hi Julio
With regard to "I answered a query like this I think 2 days ago...", could I get the link for this please?
thanks
Lance
06-14-2013 08:57 AM
Hello Lance,
I tried to look for it but I could not find it (I have answered several questions in the last few days so I do not remember the discussion header).
It was about using an ASA off-line with access to the internet to check how the botnet feature works.
Regards