AnsweredAssumed Answered

DNS trap bogus IP

Question asked by Benjamin Hofstetter on Dec 6, 2017
Latest reply on May 2, 2018 by Evren Buyer

Hi All,


I saw a Anti-Bot log message 


Destination Port: 53
IP Protocol: 17
Protection Name: Operator.Trojan-banker.Win32.Zeus.w.eb
Malware Family: Zeus
Description: DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Severity: High
Malware Action: DNS query for a C&C site
Protection Type: DNS Reputation
Destination DNS Hostname:
Vendor List: Check Point ThreatCloud

Blade: Anti-Bot
Product Family: Threat


The source of this DNS Request is an internal DNS Server. According to  sk74060 the default value for DNS trap IP is 


To find the infected host i have to check the logs for access to Is this correct? I see three access requests to Logs like this below (i removed the IPs)


Service ID: http
Source: <removed>
Source Port: 52778
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from <removed> to



The <removed> IP address is now the infected client? Check Point is not logging this "bogus IP" ( in any special way?


Is it a good idea to create a special Access Rule to Drop the Access to and Log it with an Alert?


Btw. I am using R80.10