Ivory

Botnet Activity Detection

Hello dear, the Check Point firewall detected botnet activity on one of our DNS servers, and another on a computer network. To my knowledge the firewall is supposed to block such activity? How do I get rid of this infection? I launched the ESET Endpoint Security antivirus but it found nothing.

[attached screenshot: allerte.png]

5 Replies
Admin

Re: botnet activity detection

Usually, a single instance of this doesn't necessarily mean a machine is infected.
It may be that an element on a web page the end user visited tried to load something from a domain we've flagged as a C&C.
Ivory

Re: botnet activity detection


Hello phoneBoy,

OK, but I should specify that the infected machine is a DNS server.

What more can we do? 


Re: botnet activity detection

Keep an eye on it. It is most likely that the DNS server was redirecting some other PC's DNS request. In any case, it should be blocked by Anti-Bot protection.

Admin

Re: botnet activity detection

There is a feature in Anti-Bot called DNS Trap that will resolve these malicious domains to a bogus IP address.
When the user tries to communicate with this IP address, the gateway will catch it and block the connection.
It will also allow you to identify which host made the connection.
See more here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This feature is not available on locally managed SMB appliances (700/1400).
Nickel

Re: botnet activity detection

Had a similar case: the FW reported a C&C threat from the internal DNS server, which had made a request to resolve a risky site, but there were no more records about it. We enabled the records on the DNS server, and in this way we were able to find the host that made such requests.

I should mention that the internal DNS never resolved the IP of the malicious site, so the client host did not try to connect to the risky site.
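The two ways of finding the real client described in this thread (searching the resolver's own query records, and watching who connects to the DNS Trap address) as an added example; this is not code from the thread or from Check Point. It assumes a simplified BIND-style query log format, a placeholder flagged domain and a placeholder trap address, all constructed inline.

```python
import re
from collections import defaultdict

# Constructed, simplified BIND-style query log lines (not taken from the thread).
# Each line records which client asked the internal resolver and for which name.
DNS_QUERY_LOG = """\
12-Mar-2019 10:15:01.123 client 10.0.5.23#51234 (malicious.example): query: malicious.example IN A + (10.0.1.10)
12-Mar-2019 10:15:02.456 client 10.0.5.40#40001 (www.example.org): query: www.example.org IN A + (10.0.1.10)
12-Mar-2019 10:16:09.789 client 10.0.7.8#53001 (cdn.malicious.example): query: CDN.malicious.example. IN A + (10.0.1.10)
"""
# Domain the gateway flagged as C&C (placeholder, not a real indicator).
FLAGGED_DOMAINS = {"malicious.example"}
# Assumed bogus address that DNS Trap hands back for flagged names (placeholder).
DNS_TRAP_IP = "192.0.2.99"

QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def domain_matches(qname, flagged):
    """True if qname equals a flagged domain or is a subdomain of one (case-insensitive)."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in flagged)

def clients_querying_flagged(log_text, flagged=FLAGGED_DOMAINS):
    """Map each internal client IP to the flagged names it asked the resolver for.
    This is the detail the firewall cannot show: it only sees the resolver's IP."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group("qname"), flagged):
            hits[m.group("client")].add(m.group("qname").rstrip(".").lower())
    return dict(hits)

# Constructed firewall connection records, "src dst proto dport" (not a real log format).
FW_CONN_LOG = """\
10.0.5.23 192.0.2.99 tcp 443
10.0.5.40 203.0.113.5 tcp 443
10.0.7.8 192.0.2.99 tcp 80
"""

def hosts_hitting_trap(log_text, trap_ip=DNS_TRAP_IP):
    """Hosts that tried to reach the trap address, i.e. the ones that acted on the answer."""
    hosts = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == trap_ip:
            hosts.add(fields[0])
    return hosts
```

A client that appears in the first result but not the second only looked the name up, which matches the last reply's observation that no connection to the risky site was actually attempted.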