Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

BotNet Traffic Filter Issue with Adaptive Security Appliance

Document ID: 117928

Updated: Jul 23, 2014

Contributed by Magnus Mortensen, Vibhor Amrodia, and Dinkar Sharma, Cisco TAC Engineers.

   Print

Introduction

This document describes the steps to troubleshoot BotNet traffic filter functionality on the Adaptive Security Appliance (ASA). For assistance with BotNet traffic filter configuration, see this this configuration guide: Configuring the BotNet Traffic Filter.

Background Information

The BotNet traffic filter monitors Domain Name Server (DNS) requests and responses between internal DNS clients and external DNS servers. When a DNS response is processed, the domain associated with the response is checked against the database of known malicious domains. If there is a match, any further traffic to the IP address present in the DNS response is blocked. See this diagram.

  1. Check the dynamic filter database. The ASA periodically downloads a current database of known malicious domains and IP addresses. Cisco's Security Intelligence Operations (SIO) determines that the domains and IP addresses in this database serve malware or other malicious content.
  2. Ensure that DNS traffic crosses the ASA. A user on the internal network or an infected machine on the internal network tries to access a malicious server in order to download malware or participate in a BotNet. In order to connect to the malicious server, the host machine must perform a DNS lookup. In this example, the machine attempts access to badsite.cisco.com. The host machine sends a DNS request to a local DNS server or directly to an external DNS server. In both situations, a DNS request must traverse the ASA and the DNS response must also traverse the same ASA.
  3. Check the DNS-snoop cache. The DNS-snoop function of DNS inspection, if enabled, monitors DNS traffic and determines that a DNS A-record response has returned from the DNS server. The DNS-snoop function takes the domain and IP addresses present in the A-Record response and adds it to the DNS-snoop cache. The domain is checked against the downloaded database from step 1 and a match is found. The DNS response is not dropped and is allowed to pass through.
  4. Test the BotNet traffic filter with traffic. Because there was a match in step 3, the ASA adds an internal rule that indicates all traffic to or from the IP associated with badsite.cisco.com is dropped. The infected computer then tries to access the URL badsite.cisco.com server and traffic is dropped. 

Troubleshoot Workflow

Use these steps in order to troubleshoot and verify that the feature works.

Step 1: Check the Dynamic Filter Database

Check if the database has downloaded and enter the command show dynamic-filter data. See this sample output: 

# show dynamic-filter data      
Dynamic Filter is using downloaded database version '1404865586'
Fetched at 21:32:02 EDT Jul 8 2014, size: 2097145
Sample contents from downloaded database:
dfgdsfgsdfg.com bulldogftp.com bnch.ru 52croftonparkroad.info
paketoptom.ru lzvideo.altervista.org avtovirag.ru cnner.mobi
Sample meta data from downloaded database:
threat-level: very-high, category: Malware,
description: "These are sources that use various exploits to deliver adware,
spyware and other malware to victim computers. Some of these are associated
with rogue online vendors and distributors of dialers which deceptively
call premium-rate phone numbers." threat-level: high, category: Bot
and Threat Networks, description: "These are rogue systems that
control infected computers. They are either systems hosted on
threat networks or systems that are part of the botnet itself
threat-level: moderate, category: Malware,
description: "These are sources that deliver deceptive or malicious anti-spyware,
anti-malware, registry cleaning, and system cleaning software."
threat-level: low, category: Ads,
description: "These are advertising networks that deliver banner ads,
interstitials, rich media ads, pop-ups, and pop-unders for websites,
spyware and adware. Some of these networks send ad-oriented HTML emails
and email verification services."
Total entries in Dynamic Filter database:
Dynamic data: 80677 domain names , 4168 IPv4 addresses
Local data: 0 domain names , 0 IPv4 addresses
Active rules in Dynamic Filter asp table:
Dynamic data: 0 domain names , 4168 IPv4 addresses
Local data: 0 domain names , 0 IPv4 addresses

 In this output, the ASA indicates the time of the last successful database fetch and a sample of the content in this database. If you run the command show dynamic-filter data, and the command shows that no database has downloaded, troubleshoot this step first. Common issues that prevent the ASA from obtaining the dynamic filter database include:

  • Missing or incorrect DNS configuration on the ASA. The dynamic filter updater client must resolve the update server's host name. DNS must be configured and functional on the ASA. Ping well- known domains from the command-line and determine if the ASA can resolve hostnames.
  • No Internet access from the ASA. If the ASA is on a network that does not have access to the internet, or an upstream device blocks the ASA's outside IP address from access to the internet, the update fails.
  • Updater client is not enabled. The command dynamic-filter updater-client enable must be configured so that the ASA can download the database.

Enter the command debug dynamic-filter updater-client in order to debug the database. See this sample output from the command:

Dynamic Filter: Updater client fetching dataDynamic Filter: update 
startingDBG:01:2902417716:7fff2c33ec28:0000: Creating fiber
0x7fff2c4dce90 [ipe_request_fiber], stack(16384) =
0x7fff2c505c60..0x7fff2c509c58 (fc=2),
sys 0x7fff20906038 (FIBERS/fibers.c:fiber_create:544)
DBG:02:2902417779:7fff2c4dce90:0000: Jumpstarting ipe_request_fiber 0x7fff2c4dce90,
sys 0x7fff2c33eba0 (FIBERS/fibers-jumpstart.c:_fiber_jumpstart:36)
Dynamic Filter: Created lua machine, launching lua script
DBG:03:2902422654:7fff2c4dce90:0000: Connecting to 00000000:1591947792
(SAL/netsal.c:netsal_client_sock_connect:323)
DBG:04:2902422667:7fff2c4dce90:0000: otherPifNum 3, nexthop4 17c12ac
(SAL/netsal.c:netsal_client_sock_connect:374)
DBG:05:2902422691:7fff2c4dce90:0000: about to call netsal__safe_encapsulate for
(sal-np/ssl/CONNECT/3/208.90.58.5/443/M/0/NOTUNGW)
(SAL/netsal.c:netsal_client_sock_connect:446)
DBG:06:2902422920:7fff2c4dce90:0000: connection timeout set for 10 seconds
(SAL/netsal.c:netsal_client_sock_connect:473)
DBG:07:2902750615:7fff2c4dce90:0000: SALNPCLOSENOTIFY: p=0x0 0/0 more buffered
(SAL/channel-np.c:_sal_np_ioctl:1312)
Dynamic Filter: Processing updater server response
Dynamic Filter: update file url1 =
http://updates.ironport.com/threatcast/1.0/blacklist/2mb-1file/1404865586
Dynamic Filter: update file url2 =
http://updates.ironport.com/threatcast/1.0/blacklist/2mb-1file/1404865586
Channel NP p=0x0000000000000000 0/0 more bufferedchannel-np.cDBG:08:2902784011:
7fff2c4dce90:0000: Connecting to 00000000:538976288
(SAL/netsal.c:netsal_client_sock_connect:323)
DBG:09:2902784026:7fff2c4dce90:0000: otherPifNum 3, nexthop4 17c12ac
(SAL/netsal.c:netsal_client_sock_connect:374)
DBG:10:2902784051:7fff2c4dce90:0000: about to call netsal__safe_encapsulate for
(sal-np/tcp/CONNECT/3/208.90.58.25/80/M/0/NOTUNGW)
(SAL/netsal.c:netsal_client_sock_connect:446)
DBG:11:2902784241:7fff2c4dce90:0000: connection timeout set for 10 seconds
(SAL/netsal.c:netsal_client_sock_connect:473)
DBG:12:2902914651:7fff2c4dce90:0000: SALNPCLOSENOTIFY: p=0x0 0/0 more buffered
(SAL/channel-np.c:_sal_np_ioctl:1312)
DBG:13:2902914858:7fff2c4dce90:0000: Connecting to 00000000:25465757
(SAL/netsal.c:netsal_client_sock_connect:323)
DBG:14:2902914888:7fff2c4dce90:0000: otherPifNum 3, nexthop4 17c12ac
(SAL/netsal.c:netsal_client_sock_connect:374)
DBG:15:2902914912:7fff2c4dce90:0000: about to call netsal__safe_encapsulate for
(sal-np/tcp/CONNECT/3/208.90.58.25/80/M/0/NOTUNGW)
(SAL/netsal.c:netsal_client_sock_connect:446)
DBG:16:2902915113:7fff2c4dce90:0000: connection timeout set for 10 seconds
(SAL/netsal.c:netsal_client_sock_connect:473)
Channel NP p=0x0000000000000000 0/0 more bufferedchannel-np.cDBG:17:2907804137:
7fff2c4dce90:0000: SALNPCLOSENOTIFY: p=0x0 0/0 more buffered
(SAL/channel-np.c:_sal_np_ioctl:1312)
Dynamic Filter: Successfully downloaded the update file from url1
Dynamic Filter: Successfully finished lua script
DBG:18:2907804722:7fff2c4dce90:0000: Fiber 0x7fff2c4dce90 finished leaving 3 more
(FIBERS/fibers-jumpstart.c:_fiber_jumpstart:64)
DBG:19:2907804746:7fff2c4dce90:0000: Exiting fiber 0x7fff2c4dce90
(FIBERS/fibers.c:fiber__kill:1287)
DBG:20:2907804752:7fff2c4dce90:0000: Fiber 0x7fff2c4dce90 terminated, 2 more
(FIBERS/fibers.c:fiber__kill:1358)
Dynamic Filter: Downloaded file successfully
Channel NP p=0x0000000000000000 0/0 more bufferedchannel-np.cDynamic Filter: read
ramfs bytes 2097152
Dynamic Filter: file MD5 verification check succeeded
Dynamic Filter: decrypt key succeeded
Dynamic Filter: decrypt file succeeded byte = 2097145
Dynamic Filter: updating engine bytes = 2097145
Dynamic Filter: meta data length = 2987
INFO: Dynamic Filter: update succeeded

In this output, you can see these steps that the updater takes when it obtains a new database:

  • The updater reaches out to the URL http://update-manifests.ironport.com in order to determine which database it downloads.
  • The manifest server returns two possible URLs for the download.
  • The updater client downloads the database.
  • The database is decrypted and stored in memory for use by the dynamic filter process.

Connectivity issues for different update servers manifest as errors in this output and help troubleshoot further. Force the updater client to run manually with the command dynamic- filter database fetch.

Step 2: Ensure DNS Traffic Crosses this ASA

BotNet traffic filter functionality of the ASA is built off of the IP addresses that match domains, so the ASA must be in-line with the DNS requests and responses that traverse the network. Some topologies might cause DNS traffic to take a path that does not include the ASA in question. Most networks have internal DNS servers that act as DNS forwarders and caches for internal usrs. As long as these servers, when they forward a DNS request for a domain they do not own or cannot answer for, forward the request to a server that requires traversing the ASA, no problem should occur. See these topologies with and without internal DNS servers:

This sample topology shows users that point to an internal DNS server which forwards to an external DNS server.

This sample topology shows users that point directly to an external DNS server. 

In both topology examples, the key to a functional BotNet traffic filter deployment is that DNS A- record requests for external domains must pass through the ASA that runs the DNS-snoop feature. In the internal server example, if the internal DNS server takes a different network path in order to reach the internet than the user machine, and in the process does not traverse the ASA, the DNS-snoop table will not contain IP-to-domain maps caused by user machine DNS requests and the user machine might not be filtered as expected.

Use these techniques in order to check that the DNS traffic passes through the ASA:

  • Check the service-policy. Look at the output of show service-policy in order to determine if the DNS inspection is applied, configured with the dynamic-filter-snoop keyword, and sees traffic. The packet count associated with the DNS inspection should increment as you make DNS requests.
  • Use captures. The DNS-snoop feature looks at the DNS packets that traverse the ASA, so it is important that you check that the packets reach the ASA. Use the ASA's built-in capture function in order to make sure that DNS traffic enters and leaves this ASA properly.

Step 3: Check the DNS Snoop Cache

DNS-snoop cash should populate with IP-to-domain maps. A single IP address might have a limitless number of domains assocated with it. This is how companies that host websites can serve thousands of domains with just a few IP addresses. Enter the command show dynamic-filter dns-snoop detail and see a dump of the data currently in the DNS-snoop cache. This is a record of all IP-to-domain maps that the ASA obtains with the use of the DNS-snoop function of DNS inspection. See this sample output:

DNS Reverse Cache Summary Information: 3 addresses, 3 names
Next housekeeping scheduled at 22:28:01 EDT Jul 8 2014,
DNS reverse Cache Information:
[198.151.100.77] flags=0x1, type=0, unit=0 b:u:w=0:1:0, cookie=0x0
[cisco.com] type=0, ttl=31240
[198.151.100.91] flags=0x23, type=0, unit=0 b:u:w=1:1:0, cookie=0x0
[magnus.cisco.com] type=1, ttl=0
[raleigh.cisco.com] type=0, ttl=0
[198.151.100.1] flags=0x2, type=0, unit=0 b:u:w=1:0:0, cookie=0x0
[badsite.cisco.com] type=1, ttl=0

In this example, the ASA learns information about three IP addresses but four domains. magnus.cisco.com and raleigh.cisco.com both resolve to 198.151.100.91. In this example, two of the domains, magnus.cisco.com and badsite.cisco.com list as type 1. This means that the domain is found in the database as a blacklisted domain. The other domains are listed as type 0, which indicates that the domain is not blacklisted or whitelisted and is just a normal domain.

  1. Check that the DNS requests from a user machine eventially traverse the firewall and are processed by DNS-snoop and make a DNS request. Check the cache for an entry that matches. Test and use a domain that resolves but is obscure enough that it was not queried recently and is already in the table. For example, the domain asa.cisco.com is chosen. The command-line tool nslookup is used to query that hostname. See this example:

    $ nslookup asa.cisco.com

    Name: asa.cisco.com
    Address: 198.151.100.64
  2. Check the DNS-snoop cache. See this example:

    DNS Reverse Cache Summary Information: 5 addresses, 7 names 
    Next housekeeping scheduled at 22:48:01 EDT Jul 8 2014,
    DNS reverse Cache Information:
    [198.151.100.64] flags=0x11, type=0, unit=0 b:u:w=0:1:0, cookie=0x0
    [asa.cisco.com] type=0, ttl=86359

The entry is present in the DNS-snoop cache. If the entry was not present before the nslookup test, it would mean that the DNS-snoop feature works and that the ASA works correctly with DNS requests and responses.

If the entry does not show, ensure that the DNS traffic passes through the ASA. You might need to flush the DNS cache on the host machine or the internal DNS servers, if applicable, in order to ensure that requests are not served from a cache. 

The DNS-snoop feature does not support EDNS0. If the DNS client or server uses EDNS0, the ASA might not populate the DNS-snoop cache with IP-to-domain maps if the response has additional resource records present. This limitation is tracked by Cisco bug ID CSCta36873.

Step 4: Test the BotNet Traffic Filter with Traffic

In step 3, the DNS-snoop cache shows that domain badsite.cisco.com is on the blacklist. Ping the domain in question in order to test the botnet functionality. When you ping the the domain, it is safer than if you try to load the domain in a web browser. Do not test the dynamic filter feature by using your web browser because your machine might be compromised if the browser loads malicious content. Use Internet Control Message Protocol (ICMP) because it is a safer method and is a valid test of the BotNet traffic filter as it blocks based on IP and nothing specific to port or protocol.

If you do not know of a blacklisted site, you can find one easily. Enter the command dynamic-filter database find <search_term> to find domains that are blacklisted and match the search term provided. See this example:

ASA# dynamic-filter database find cisco verybadsite.cisco.com	
m=44098 acmevirus.cisco.com m=44098Found more than 2 matches,
enter a more specific string to find an exact match

Ping one of the domains that returns. When you ping this domain, it will cause these actions to occur:

  1. The host generates a DNS request for the domain in question.
  2. The DNS request traverses the ASA, either directly from the host machine or forwarded by an internal server.
  3. The DNS response traverses the ASA, either back to the host machine or to the internal server.
  4. The DNS-snoop function populates this IP-to-domain map in the DNS-snoop cache.
  5. The ASA compares the domain against the dyanmic-filter database and determines a match. The ASA blocks further inbound and outbound traffic from the IP associated with the malicious domain.
  6. The host machine sends an ICMP echo request that the ASA drops because it is destined to an IP associated with a malicious domain.

When the ASA drops the ICMP test traffic, it logs a system log (syslog) similar to this example:

Jul 08 2014 23:14:17: %ASA-4-338006: Dynamic Filter dropped blacklisted 
ICMP traffic from inside:192.168.1.100/23599 (203.0.113.99/23599) to
outside:198.151.100.72/0 (198.151.100.72/0), destination 198.151.100.72
resolved from dynamic list: acmevirus.cisco.com, threat-level: very-high,
category: Malware

The output of the command show dynamic-filter statistics indicates connections that are classified and potentially dropped. See this example:

ASA(config)# show dynamic-filter statistics
Enabled on interface inside
Total conns classified 163, ingress 163, egress 0
Total whitelist classified 0, ingress 0, egress 0
Total greylist classified 8, dropped 0, ingress 8, egress 0
Total blacklist classified 155, dropped 154, ingress 155, egress 0
Enabled on interface outside
Total conns classified 0, ingress 0, egress 0
Total whitelist classified 0, ingress 0, egress 0
Total greylist classified 0, dropped 0, ingress 0, egress 0
Total blacklist classified 0, dropped 0, ingress 0, egress 0
Enabled on interface management
Total conns classified 0, ingress 0, egress 0
Total whitelist classified 0, ingress 0, egress 0
Total greylist classified 0, dropped 0, ingress 0, egress 0
Total blacklist classified 0, dropped 0, ingress 0, egress 0

The classified counter only increases if a connection attempt is made to an IP address that is blacklisted, whitelisted, or greylisted. All other traffic does not cause the classified counter to increase. A low number for the classified list does not mean that the ASA did not evaluate new connection attempts against the BotNet traffic filter. This low number instead indicates that few source or destination IP addresses are blacklisted, whitelisted, or greylisted. Use the instructions in this document in order to confirm the feature functions properly.

If the test traffic is not dropped, check the configuration in order to ensure that it is configured to drop traffic with an appropriate threat level. See this sample configuration, which enables BotNet traffic filter globally on the ASA here:

dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
dynamic-filter drop blacklist
Updated: Jul 23, 2014
Document ID: 117928