Wednesday, December 16, 2015

Botnet Filtering on ASA


A botnet is a network of compromised computers, often referred to as "bots" or "zombies," that are under the control of a single entity, known as the botmaster or bot herder. These compromised computers are typically infected with malicious software, known as malware, which allows the botmaster to remotely control them without the users' knowledge or consent.

Botnets are commonly used for various malicious activities, including:

1. **Distributed Denial of Service (DDoS) Attacks**: Botnets are frequently used to launch DDoS attacks against websites, servers, or networks by flooding them with a massive volume of traffic. This overwhelms the targeted resources, causing them to become unavailable to legitimate users.

2. **Spam and Phishing Campaigns**: Botnets can be used to send out vast quantities of spam emails or phishing messages. These messages may contain malicious links or attachments designed to steal sensitive information, such as login credentials or financial data, from unsuspecting recipients.

3. **Credential Stuffing and Brute Force Attacks**: Botnets are often used to automate credential stuffing attacks, where large sets of stolen usernames and passwords are systematically tested against various websites, online services, or applications. They may also conduct brute force attacks to crack passwords through trial and error.

4. **Click Fraud and Ad Fraud**: Botnets can generate fake clicks or views on online advertisements, websites, or videos to fraudulently inflate advertising revenue or manipulate online metrics. This can deceive advertisers, website owners, and advertising networks, resulting in financial losses.

5. **Cryptocurrency Mining**: Some botnets are used to distribute cryptocurrency mining malware, also known as cryptojacking, which hijacks the computing resources of infected devices to mine cryptocurrencies such as Bitcoin, Monero, or Ethereum. This can degrade system performance and increase energy consumption.

6. **Data Theft and Espionage**: Botnets may be used to steal sensitive data, such as intellectual property, trade secrets, or personal information, from compromised devices. This stolen data can be used for various purposes, including espionage, identity theft, or financial fraud.

Combatting botnets requires a multi-faceted approach, including proactive measures such as maintaining up-to-date security software, implementing strong authentication practices, and educating users about the risks of malware infections. Additionally, law enforcement agencies, cybersecurity researchers, and industry stakeholders collaborate to disrupt and dismantle botnet operations through legal action, botnet takedowns, and coordination efforts.

Botnet Filtering on ASA: Reputation based filtering

Cisco's Security Intelligence Operations (SIO) is the threat-research organisation behind this feature. Its mandate is to inform, protect and respond: early-warning intelligence, threat and vulnerability analysis, and Cisco mitigation tools to help protect networks.
SIO collects data on malicious traffic patterns worldwide and distils it into a reputation database of IP addresses and domain names known to be associated with malware and botnet command-and-control. The filter on the ASA scores traffic against that database; it does not identify the people behind the botnet.

The ASA is not "trained" in any machine-learning sense: it downloads the reputation database and compares the source and destination addresses of the connections it forwards against it, so that traffic between an internal host and a known-malicious address can be logged, or dropped. Because the database contains domain names as well as addresses, the ASA also needs to know which address a client actually resolved a name to; that is what DNS snooping provides.

To implement this on the ASA you need the Botnet Traffic Filter license. The license is time-based (it expires and has to be renewed) because the value of the feature lies in the continually updated database rather than in the code on the firewall.

Basic requirements:
The ASA must be able to reach Cisco's update server over the internet to download the dynamic database, which in turn means it needs a working DNS client configuration to resolve that server's name.

How it works
1. DNS client on the ASA: resolves the name of Cisco's update server.
2. DNS snooping: the ASA inspects the DNS replies returned to clients and records which IP address each domain name resolved to, building a reverse cache so a later connection to that address can be matched against the domain names in the database.
3. Updater client and dynamic database: the ASA periodically downloads the Cisco reputation database and uses it to classify traffic.
4. Static lists (optional): a local blacklist and whitelist of names and addresses that supplement or override the dynamic database.
5. Per-interface action: enabling the filter on an interface only classifies and logs; dropping blacklisted traffic is a separate, optional step.

ASDM:
1. Configuration -> Device Management -> DNS -> DNS Client: add a DNS server group with a primary server (for example 8.8.8.8) and enable DNS lookups on the outside interface.

2. Configuration -> Firewall -> Botnet Traffic Filter -> DNS Snooping: enable snooping on the outside interface, so the replies coming back from the internet are the ones inspected. The Botnet Traffic Filter pages require the license to be installed before they can be used.

3. Configuration -> Firewall -> Botnet Traffic Filter -> Botnet Database: enable the updater client and select the dynamically downloaded database.

4. Configuration -> Firewall -> Botnet Traffic Filter -> Black and White Lists: optionally add local names and addresses that should always (or never) be treated as malicious.

5. Configuration -> Firewall -> Botnet Traffic Filter -> Traffic Settings: enable the filter on the interface(s) carrying the traffic to be classified, and select the drop option if blacklisted connections should be blocked rather than only logged.
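The same five steps from the ASA CLI, as an added example rather than configuration taken from the original post. The interface name "outside", the 8.8.8.8 resolver and the names and address in the static lists are assumptions for illustration; the dynamic-filter commands themselves are the standard Botnet Traffic Filter commands of ASA 8.2 and later.

```cisco
! --- 1. DNS client: lets the ASA resolve the name of Cisco's update server
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
!
! --- 2. DNS snooping: the dynamic-filter-snoop keyword on DNS inspection
!     records name -> address mappings from replies the ASA forwards.
!     Applied on the outside interface so each reply is snooped once,
!     on its way back from the internet.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
!
! --- 3. Updater client and dynamic database (needs the time-based license)
dynamic-filter updater-client enable
dynamic-filter use-database
!
! --- 4. Optional static lists (entries below are made up for this example)
dynamic-filter blacklist
 name c2.example.net
 address 192.0.2.10 255.255.255.255
dynamic-filter whitelist
 name updates.example.com
!
! --- 5. Per-interface action. "enable" only classifies traffic and logs
!     matches (syslog IDs in the 338xxx range); "drop blacklist" is what
!     actually blocks connections classified as blacklisted.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
```

To check that the pieces are working, `show dynamic-filter updater-client` shows whether the last database download succeeded, `show dynamic-filter dns-snoop` lists the name-to-address mappings the ASA has snooped, `show dynamic-filter statistics` shows how much traffic has been classified per interface, and `show dynamic-filter reports infected-hosts` lists internal hosts that talked to blacklisted addresses; `dynamic-filter database fetch` forces an immediate download if the updater has not run yet. Two caveats worth knowing before relying on the drop action: the filter matches a connection to a domain name only if the ASA saw the DNS reply that produced the address, so clients using a resolver whose replies do not traverse the inspected interface (for example an internal forwarder with a warm cache) are matched only when the IP address itself is in the database; and the static lists and drop action are applied per interface, so traffic entering on an interface where the filter is not enabled is never classified.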

