We are running a trial of the ASA 8.2 BotNet Filter on our production ASA. In the alerts we keep getting notices of a Very High alert for 18.104.22.168. When we look it up we end up seeing that it resolves as hit-nxdomain.opendns.com. Our hunch is that this is traffic that would have been malicious, but that since we use OpenDNS to do some filtering it's returning its own address.
If you are using opendns and you have your bots dns-ing out to it for some bad sites that opendns doesn't know it will send back its own ip (and then show you its "block/don't know" page). When the ASA sees that ip it flags it for the url that the dns went out for and thus open dns will be flagged as malicious. There is not much hope if you use open dns because whenever a bot accesses a site that open dns doesn't know it will be flagged and blocked which will then block your open dns.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...