Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 50 Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
For the DNS host cache, after an entry times out, the adaptive security appliance periodically requests a
refresh for the entry.
For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each.
Table 50-1 lists the maximum number of entries in the DNS reverse lookup cache per model.
How the Botnet Traffic Filter Works
Figure 50-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection
with Botnet Traffic Filter snooping.
Figure 50-1 How the Botnet Traffic Filter Works with the Dynamic Database
Table 50-1 DNS Reverse Lookup Cache Entries per Model

ASA Model    Maximum Entries
ASA 5505       5,000
ASA 5510      10,000
ASA 5520      20,000
ASA 5540      40,000
ASA 5550      40,000
ASA 5580     100,000
[Figure 50-1: diagram not reproduced. It shows an Infected Host behind the Security Appliance (Botnet Traffic Filter, DNS Snoop, DNS Reverse Lookup Cache, Dynamic Database), a DNS Server, the Internet, a Malware Home Site at 209.165.201.3, and a Syslog Server. The labeled steps are:]

1. DNS Request: the infected host resolves bad.example.com.
1a. Match? The snooped domain name is compared against the dynamic database.
2. DNS Reply: 209.165.201.3.
2a. Add: the resolved address is added to the DNS reverse lookup cache.
3. Connection to: 209.165.201.3.
3a. Match? The destination address of the connection is checked against the DNS reverse lookup cache.
3b. Send Syslog Message/Drop Traffic.
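The following Python model, added here as an illustration and not Cisco code, walks through the steps of Figure 50-1: a snooped DNS reply for a blacklisted name populates an IP-keyed reverse lookup cache, later connections are matched against that cache by destination address, and a match produces a syslog record and, optionally, a drop. The dynamic database contents, the DNS reply, the client and destination addresses, and the TTL are constructed sample data. The per-model cache limits come from Table 50-1 and the 1000-entry static list limit from the text above; how a full cache makes room and what happens to a timed-out entry (queued here for refresh) are this model's assumptions, not documented ASA behaviour.

```python
"""Toy model of the Botnet Traffic Filter's DNS snooping and reverse lookup cache.

Added illustration, not Cisco code. Sample domains, addresses and TTLs are
constructed. Cache limits follow Table 50-1; the 1000-entry static list limit
follows the text. Eviction and the refresh queue are model assumptions.
"""
from dataclasses import dataclass

# Table 50-1: maximum DNS reverse lookup cache entries per model.
REVERSE_CACHE_LIMIT = {
    "ASA 5505": 5_000,
    "ASA 5510": 10_000,
    "ASA 5520": 20_000,
    "ASA 5540": 40_000,
    "ASA 5550": 40_000,
    "ASA 5580": 100_000,
}
# DNS host cache: at most 1000 blacklist and 1000 whitelist entries each.
STATIC_LIST_LIMIT = 1000


@dataclass
class CacheEntry:
    domain: str
    expires_at: float  # absolute time; the entry is stale after this


class BotnetTrafficFilterModel:
    def __init__(self, model, dynamic_blacklist, static_blacklist=(),
                 static_whitelist=(), drop=False):
        if (len(static_blacklist) > STATIC_LIST_LIMIT
                or len(static_whitelist) > STATIC_LIST_LIMIT):
            raise ValueError(f"static lists are limited to {STATIC_LIST_LIMIT} entries each")
        self.limit = REVERSE_CACHE_LIMIT[model]
        self.dynamic = set(dynamic_blacklist)
        self.blacklist = set(static_blacklist)
        self.whitelist = set(static_whitelist)
        self.drop = drop
        self.reverse_cache = {}  # ip -> CacheEntry (the DNS reverse lookup cache)
        self.refresh_queue = []  # domains whose entries timed out (model assumption)
        self.syslog = []

    def snoop_dns_reply(self, domain, ip, ttl, now):
        """Steps 1a/2a: cache the address of a reply whose name is blacklisted."""
        if domain in self.whitelist:  # whitelist wins; nothing is cached
            return False
        if domain not in self.dynamic and domain not in self.blacklist:
            return False
        if ip not in self.reverse_cache and len(self.reverse_cache) >= self.limit:
            self._expire(now)  # assumption: make room by dropping stale entries
            if len(self.reverse_cache) >= self.limit:
                return False   # cache full for this model; reply not cached
        self.reverse_cache[ip] = CacheEntry(domain, now + ttl)
        return True

    def _expire(self, now):
        """Drop timed-out entries and queue their names for a refresh lookup."""
        stale = [ip for ip, e in self.reverse_cache.items() if e.expires_at <= now]
        for ip in stale:
            self.refresh_queue.append(self.reverse_cache.pop(ip).domain)

    def classify_connection(self, src_ip, dst_ip, now):
        """Steps 3a/3b: match the destination against the cache; log and maybe drop."""
        self._expire(now)
        entry = self.reverse_cache.get(dst_ip)
        if entry is None:
            return "permit"
        action = "drop" if self.drop else "permit"
        self.syslog.append(f"botnet-traffic-filter: {src_ip} -> {dst_ip} "
                           f"({entry.domain}) blacklisted, action={action}")
        return action


def demo():
    """Constructed walk-through of Figure 50-1 on an ASA 5505 model."""
    btf = BotnetTrafficFilterModel("ASA 5505", {"bad.example.com"}, drop=True)
    # 1/2: the infected host resolves bad.example.com; the reply is snooped.
    cached = btf.snoop_dns_reply("bad.example.com", "209.165.201.3", ttl=300, now=0)
    # 3: the infected host connects to the returned address.
    verdict = btf.classify_connection("10.1.1.5", "209.165.201.3", now=10)
    # A destination not in the cache passes untouched.
    other = btf.classify_connection("10.1.1.5", "198.51.100.9", now=10)
    # After the TTL the entry times out and its name is queued for refresh.
    late = btf.classify_connection("10.1.1.5", "209.165.201.3", now=400)
    return cached, verdict, other, late, list(btf.refresh_queue), len(btf.syslog)


if __name__ == "__main__":
    print(demo())
```

Because the cache is keyed by the resolved address rather than the name, a later connection is caught even though it carries no hostname; that is why the filter depends on DNS inspection with snooping being applied to the traffic that carries the replies.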