Netting the Botnets With Cisco ASA Without a License

I posted this a couple months ago on my blog, but alas my non-celeb status on the internet means I get few views. Still, I was found by some random internet folk who seemed to think it was pretty nifty. I wanted to start blogging here on Packet Pushers, and I thought updating and reposting this would be a good way to start since blacklisting came up recently on the show.

I was tinkering with my ASA the other day. I was interested in this neat Botnet Traffic Filter thingy they’d been clamoring about. Cisco frequently pitches how their products are made with magic and rainbows and cruelty-free unicorn meat, and I tend to be a bit skeptical. But a lot of people have been talking about it recently in my circles, and I really can’t help but tinker with things anyway. After some reading, Cisco’s wording makes it sound like the Botnet Filter is pretty much useless without a proper license. However, it is enabled and ready to use in all ASAs running 8.2(x) and above: the license only activates the subscription service, and the base functionality works just fine.

Using the dynamic-filter (AKA “Botnet Filter”) has a few advantages over ACLs. Managing huge blacklist ACLs is a pain. Shuns don’t survive a reboot and are surprisingly hard on memory compared with ACLs. The dynamic-filter seems to use about as much memory as an ACL of similar size, survives reboot, and is bidirectional on its interface. Perfect for blacklisting. There’s a whitelist function that prevents entries you specify from being added to the blacklist by mistake (very sexy when automating this sort of thing). There’s even a DNS snoop function so you can blacklist/whitelist things by domain name. Pretty good stuff.

Below is the script I wrote to do all this tedious crap for me, because I’m far too awesome to spend my time . It’s a bash script which does most of the work and depends additionally on the expect scripting interpreter for operating on the ASA itself. Basically it just grabs the requested list, which in this case is a bunch of ACL entries, and formats it to use the dynamic-filter function instead. Upon subsequent executions it only pushes a list of diffs instead of clearing everything out and pushing the whole list again.

Sexy monospace goodness: asa-botlist_local.txt

A big problem with blacklists tends to be keeping them legit and keeping them current. A stale blacklist is worse than useless, as the offending IPs may be reassigned to legitimate sites or users after some time. I’ve used the lists over at Emerging Threats for a while now. They’re very frequently updated, I’m cool with the sources they use, and they’re very responsive if I’ve had random questions or comments about the lists. The script can be easily modified for use with any published or local list… just do some find/replace magic and modify the regex that converts ACL entries into dynamic-filter formatted “address x.x.x.x m.a.s.k” lines. The Emerging Threats lists are pretty good, but they are not free from blocking whole subnets when blocking a few hosts would be sufficient, so some baselining before you deploy would not be a poor idea.
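Here’s an added illustration of the convert-then-diff idea, written for this post rather than lifted from asa-botlist_local.txt. It assumes the feed arrives as `access-list NAME deny ip A.B.C.D M.A.S.K any` lines (a constructed format; point the regex at whatever your list actually ships), keeps a local whitelist file of `address` lines that must never be pushed, and emits only the `address`/`no address` changes against the last pushed state instead of the whole list. The `dynamic-filter blacklist` submode and `no address` negation are the ASA’s own syntax, but check them against your version before you wire the output into expect.

```shell
#!/bin/bash
# Example helper (not the author's asa-botlist_local.txt). Turns an ACL-style
# feed into ASA dynamic-filter "address" lines and pushes only what changed.

# Assumed feed format (constructed; real lists may differ):
#   access-list ET-block deny ip 192.0.2.0 255.255.255.0 any
# Lines that do not match the pattern (permit lines, comments) are dropped.
acl_to_addr() {
  sed -n -E 's/^access-list[[:space:]]+[^[:space:]]+[[:space:]]+deny[[:space:]]+ip[[:space:]]+([0-9.]+)[[:space:]]+([0-9.]+)[[:space:]]+any.*$/address \1 \2/p' \
    | LC_ALL=C sort -u
}

# Drop every line that appears verbatim in the local whitelist file ($1).
# This mirrors the ASA-side "dynamic-filter whitelist" safety net, but it
# keeps the entry out of the push entirely. An empty or missing whitelist
# passes everything through.
apply_whitelist() {
  if [ -s "$1" ]; then
    grep -v -x -F -f "$1" || true   # grep exits 1 when nothing survives
  else
    cat
  fi
}

# $1 = last pushed list, $2 = freshly built list (both sorted with LC_ALL=C).
# Removed entries become "no address ...", new ones stay "address ...".
gen_diff() {
  LC_ALL=C comm -23 "$1" "$2" | sed 's/^/no /'
  LC_ALL=C comm -13 "$1" "$2"
}

# $1 = feed file, $2 = whitelist file, $3 = state file (last pushed list).
# Prints the command batch to feed the ASA, or nothing if there is no change,
# and records the new list as the pushed state.
build_push() {
  local feed=$1 white=$2 state=$3 new changes
  new=$(mktemp)
  acl_to_addr < "$feed" | apply_whitelist "$white" > "$new"
  [ -f "$state" ] || : > "$state"
  changes=$(gen_diff "$state" "$new")
  if [ -n "$changes" ]; then
    printf 'dynamic-filter blacklist\n%s\n' "$changes"
  fi
  mv "$new" "$state"
}
```

Run it as `build_push feed.txt whitelist.txt state.txt > push.cfg`; the first run emits the full list, later runs only the delta. Note that the whitelist match is exact, so a whitelisted `/32` does not protect a host that the feed blocks as part of a wider subnet, which is exactly the case where baselining earns its keep.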

Caveats:
- “lol plaintext!”. Yup. Passwords in plaintext. Till Cisco allows us to use public keys with ASA like we can with IOS now, it’s all manual logins for simple scripts. Needless to say, this shouldn’t go on a box other users have access to. Also, I have this using TFTP “for demonstration purposes only” because it’s simpler. Adding/replacing bits in simple code to suit your environment is easier than hunting down and removing bits from complicated code. I recommend adapting it to use SSH to log in.
- The script grabs a copy of the running-config and backs it up on the server it’s grabbing updates from. Personally I like to back up config every time I make a change, so this was an appropriate place for it. If you’re big on separation of duties and/or don’t want to add another chunk to your logrotate config, this might not be desirable.
- The box running this is OpenBSD, so you’ll probably have to change the bash path on line 1.
- UUOC police: It’s my cat and I’ll do what I want with it.

I welcome criticism. I’ve been using this script with a lot of success for a while now. However most of my peers aren’t into tinkering as much as I am, so I have little peer review to work with.