Junior
Explorer

Botnet Activity Detection

Hello dear, the Check Point firewall detected botnet activity on one of our DNS servers, and another on a computer in the network. To my knowledge, the firewall is supposed to block such activity? How do I get rid of this infection? I launched the ESET Endpoint Security antivirus, but it found nothing.

(attached screenshot: allerte.png)

5 Replies
PhoneBoy
Admin

Usually, a single instance of this doesn't necessarily mean a machine is infected.
It may be that an element on a web page the end user visited tried to load something from a domain we've flagged as a C&C.
Junior
Explorer

Hello PhoneBoy,

OK, but I should specify that the infected machine is a DNS server.

What more can we do?

_Val_
Admin

Keep an eye on it. It is most likely that the DNS server was redirecting some other PC's DNS request. In any case, it should be blocked by Anti-Bot protection.

PhoneBoy
Admin

There is a feature in Anti-Bot called DNS Trap that will resolve these malicious domains to a bogus IP address.
When the user tries to communicate with this IP address, the gateway will catch it and block the connection.
It will also allow you to identify which host made the connection.
See more here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This feature is not available on locally managed SMB appliances (700/1400).
LuisSP
Collaborator

Had a similar case: the FW reported a C&C threat from the internal DNS server, which had made a resolution request for a risky site, but there were no further records about it. We enabled logging on the DNS server, and in this way we were able to find the host that made such requests.

I should mention that the internal DNS never resolved the IP of the malicious site, so the client host did not try to connect to the risky site.
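Both of the approaches in this thread come down to the same triage step: the gateway attributes the C&C hit to the DNS server, so you need a second data source to find the real client. The script below is an added example (not Check Point's, ESET's, or any poster's code) that does this offline against constructed sample data. It assumes BIND-style DNS query-log lines ("client <ip>#<port> ... query: <name> IN <type>"), a key=value style connection log, and a placeholder trap address (192.0.2.1, from TEST-NET-1) standing in for the bogus IP a DNS Trap style feature would hand out; the flagged domain is a made-up placeholder, not a real indicator.

```python
"""Correlate a gateway Anti-Bot hit attributed to the DNS server with
DNS query logs (LuisSP's approach) and with connections to a DNS Trap
style sinkhole address (PhoneBoy's description), to find the real client.

Added example; all log lines, domains and addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in BIND9 query-log format.
SAMPLE_DNS_LOG = """\
12-Mar-2019 10:14:01.123 client 10.1.2.15#51234 (www.example-news.test): query: www.example-news.test IN A + (10.1.1.5)
12-Mar-2019 10:14:03.456 client 10.1.2.77#49152 (bad-cnc.example.test): query: bad-cnc.example.test IN A + (10.1.1.5)
12-Mar-2019 10:14:05.789 client 10.1.2.77#49153 (cdn.bad-cnc.example.test): query: cdn.bad-cnc.example.test IN A + (10.1.1.5)
12-Mar-2019 10:14:07.000 client 10.1.2.15#51235 (mail.example-news.test): query: mail.example-news.test IN MX + (10.1.1.5)
"""

# Domain the gateway reported as C&C (constructed placeholder, not a real IoC).
FLAGGED_DOMAINS = {"bad-cnc.example.test"}

# Placeholder for the bogus address a DNS Trap style feature resolves
# flagged names to; 192.0.2.1 is TEST-NET-1 and not a real trap address.
TRAP_IP = "192.0.2.1"

# Constructed connection-log lines in a simple key=value style.
SAMPLE_CONN_LOG = """\
src=10.1.2.77 dst=192.0.2.1 dport=443 action=drop
src=10.1.2.15 dst=203.0.113.9 dport=443 action=accept
src=10.1.2.77 dst=192.0.2.1 dport=80 action=drop
"""

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
CONN_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) from BIND-style query-log lines."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_flagged(qname, flagged):
    """True if qname is a flagged domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in flagged)


def clients_querying_flagged(text, flagged=FLAGGED_DOMAINS):
    """Map each flagged query name to the set of internal clients that asked for it.

    This is the lookup LuisSP describes: the resolver only forwards the
    query, so its own query log is what names the originating host.
    """
    hits = defaultdict(set)
    for client, qname, _ in parse_query_log(text):
        if is_flagged(qname, flagged):
            hits[qname].add(client)
    return dict(hits)


def hosts_hitting_trap(text, trap_ip=TRAP_IP):
    """Return the sorted list of source hosts that tried to reach the trap address.

    With a DNS Trap style feature, the host that later connects to the
    bogus IP is the one that actually wanted the flagged domain.
    """
    trap = ipaddress.ip_address(trap_ip)
    hosts = set()
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m and ipaddress.ip_address(m.group("dst")) == trap:
            hosts.add(m.group("src"))
    return sorted(hosts)


if __name__ == "__main__":
    for name, clients in clients_querying_flagged(SAMPLE_DNS_LOG).items():
        print(f"{name} queried by: {', '.join(sorted(clients))}")
    print("hosts that contacted the trap address:", hosts_hitting_trap(SAMPLE_CONN_LOG))
```

On a real DNS server, point `clients_querying_flagged` at the exported query log once logging is enabled (it is usually off by default, which is why the thread found no records at first), and feed the gateway's connection log to `hosts_hitting_trap` with the actual trap address; both functions return data rather than printing it so the result can go straight into a ticket or a SIEM lookup.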
