Botnets consist of one or more remote hosts that can be controlled by a third party to launch malicious attacks. By using the IP reputation subsystem, cOS Core has the ability to recognize the IPs and networks from which botnet attacks originate and to drop the associated connection attempts. A single Botnet Protection configuration object exists as a preconfigured object in the cOS Core configuration. This object only has to be enabled to switch on this type of protection.
Botnet protection is different from other protection types where the attack is usually against a server. With botnets, individual clients as well as servers may be either the source or target of an attack. For this reason both the source and destination IPv4 address of new connections are examined when the feature is enabled.
Botnet protection is set up with the following steps:
Enable the single Botnet Protection object which is predefined in the configuration.
Optionally enable the ZoneDefense feature on the Botnet Protection object. This also requires an IP range to be specified; ZoneDefense will only trigger for an IP that lies within this range (the range could be set to all-nets).
If the ZoneDefense option is enabled, ensure that there is at least one ZoneDefense Switch object defined. cOS Core will send messages to all configured switches when an IP triggers botnet protection so the IP is blocked at the switches when it is the source address.
When enabled, the botnet protection subsystem functions as follows:
When a connection is initiated on any interface, both the source and destination IPs are looked up separately in the blacklist. If either is blacklisted, the connection is dropped.
If not blacklisted, the source and destination IPs are looked up in the IP reputation database. If either of the IPs is categorized as being a botnet, the connection is silently dropped and that IP is added to the blacklist so that any future connections to or from that IP will be dropped.
It is possible that both the source and destination IPs of the connection are categorized as a botnet, in which case each will get its own entry in the blacklist.
If ZoneDefense is enabled for botnet protection, a message for a triggering IP is also sent to all configured ZoneDefense switches to drop the IP, provided that it is within the network range specified.
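The decision flow above, as an added example that is not cOS Core code: a constructed reputation table and an in-memory blacklist stand in for the real IP reputation subsystem and ZoneDefense switches, and the ZoneDefense range check follows the description here (any triggering IP within the configured network).

```python
"""Model of the botnet-protection decision flow described above.

Added example, not cOS Core code: REPUTATION_DB and the BotnetProtection
class are stand-ins for the real reputation subsystem and ZoneDefense.
"""
import ipaddress

BOTNET_CATEGORY = "botnet"

# Constructed stand-in for the IP reputation database: IP -> category.
REPUTATION_DB = {
    "192.168.114.1": BOTNET_CATEGORY,
    "203.0.113.77": BOTNET_CATEGORY,
    "198.51.100.9": "unknown",
}


class BotnetProtection:
    def __init__(self, zd_enabled=False, zd_network="0.0.0.0/0"):
        self.blacklist = set()          # IPs already blocked
        self.zd_enabled = zd_enabled
        self.zd_network = ipaddress.ip_network(zd_network)
        self.zd_messages = []           # IPs sent to ZoneDefense switches
        self.reputation_lookups = 0     # counts trips to the reputation DB

    def _blacklist(self, ip):
        self.blacklist.add(ip)
        # ZoneDefense is told about the IP only if it lies inside ZDNetwork
        # (assumption: the range applies to any triggering IP).
        if self.zd_enabled and ipaddress.ip_address(ip) in self.zd_network:
            self.zd_messages.append(ip)

    def new_connection(self, src, dst):
        """Return 'drop' or 'allow' for a new connection src -> dst."""
        # Step 1: both addresses are checked against the blacklist first,
        # so a known-bad IP never causes a second reputation lookup.
        if src in self.blacklist or dst in self.blacklist:
            return "drop"
        # Step 2: each address is looked up separately; every address
        # categorized as botnet gets its own blacklist entry.
        self.reputation_lookups += 1
        hits = [ip for ip in (src, dst)
                if REPUTATION_DB.get(ip) == BOTNET_CATEGORY]
        for ip in hits:
            self._blacklist(ip)
        return "drop" if hits else "allow"
```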
The IP reputation lookup mechanism is discussed further in Section 7.2, IP Reputation. ZoneDefense is discussed further in Section 7.11, ZoneDefense.
Generated Log Messages
The Botnet Protection object generates three log event messages when it triggers. The first message is when the overall feature triggers:
BLACKLIST: prio=2 id=04600010 rev=1 event=botnet_src_detected action=blacklist rule=BotnetProtection recvif=VMnet3 srcip=192.168.114.1 destip=192.168.114.100 ipproto=ICMP ipdatalen=40 icmptype=ECHO_REQUEST echoid=1 echoseq=74 ipaddr=192.168.114.1 reputation=3
The second message is when the source address is blacklisted:
BLACKLIST: prio=2 id=04600006 rev=4 event=host_blacklisted: reason="Botnet Protection" proto=all srcnet=192.168.114.1 dstnet=0.0.0.0/0 port=all
The third message is when the destination address is blacklisted:
BLACKLIST: prio=2 id=04600006 rev=4 event=host_blacklisted reason="Botnet Protection" proto=all srcnet=0.0.0.0/0 dstnet=192.168.114.1 port=all
Example 7.3. Enabling Botnet Protection
This example enables Botnet protection with ZoneDefense. IPs will only be blocked by ZoneDefense if they are within the network 203.0.113.0/24.
It is assumed that at least one ZoneDefense Switch object exists to define which switches can receive ZoneDefense messages from cOS Core.
Command-Line Interface
Device:/> set BotnetProtection EnableBotnetBlacklist=Yes ZDEnabled=Yes ZDNetwork=203.0.113.0/24
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface