Sophos UTM complaining about public DNS servers [CRIT-861]

We've had the UTM in place for a long time, and today it is freaking out/notifying us constantly about our private and forwarding servers.
Nothing has been changed, and in the past it was always the internal/private DNS servers whenever a client PC would get a gnarly PUP.

But today, the public realm is now a threat. 
Details about the alert:
Threat name....: C2/Generic-A
Time...........: 2019-07-10 15:18:11
Traffic blocked: yes

Source IP address or host: 8.8.8.8
--
System Uptime      : 38 days 6 hours 28 minutes
System Load        : 0.62
System Version     : Sophos UTM 9.603-1


UTM has listed the ISP's DNS, Google, and Level3 as the source IP of the C2 threat. 
Yes, :53 is closed inbound from the outside world, internal outbound only. 

What is going on?
Hi,

If you want more details or need an RCA and you're using a Licensed Product, please raise a case with Sophos Support. However, please check the packetfilter.log for the time shown in the alert messages. It would give you an idea about the packets coming to the UTM from these DNS servers. The good thing is, these packets are dropped by UTM.
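As an added example (not from the thread or from Sophos), this is the check the reply suggests: pull the time and source address out of a notification laid out like the one in the post, then pick out packetfilter.log entries in a window around that time which involve the address. The key="value" log layout and the sample log lines are constructed assumptions, not captures from this thread.

```python
import re
from datetime import datetime, timedelta

# Constructed notification text, in the layout shown in the original post.
ALERT = """Threat name....: C2/Generic-A
Time...........: 2019-07-10 15:18:11
Traffic blocked: yes

Source IP address or host: 8.8.8.8
"""

# Constructed packetfilter.log lines. The key="value" layout is an assumption
# modelled on UTM's ulogd output; addresses are documentation ranges.
PACKETFILTER_LOG = """\
2019:07:10-15:17:02 utm ulogd[4860]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="8.8.8.8" dstip="203.0.113.10" proto="17" srcport="53" dstport="51422"
2019:07:10-15:18:10 utm ulogd[4860]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="8.8.8.8" dstip="203.0.113.10" proto="17" srcport="53" dstport="51987"
2019:07:10-15:18:12 utm ulogd[4860]: id="2002" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.1.23" dstip="8.8.8.8" proto="17" srcport="51987" dstport="53"
2019:07:10-15:40:00 utm ulogd[4860]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" srcport="443" dstport="40000"
"""

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_alert(text):
    """Read the dotted 'Label....: value' lines of the notification."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip(". ").lower()] = value.strip()
    return {
        "threat": fields["threat name"],
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "src": fields["source ip address or host"],
    }

def parse_log(text):
    """Yield one dict per log line: the ulogd key="value" pairs plus 'time'."""
    for line in text.splitlines():
        stamp, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["time"] = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
        yield rec

def correlate(alert, log_text, window_s=60):
    """Log entries within +/- window_s of the alert that involve its address."""
    lo = alert["time"] - timedelta(seconds=window_s)
    hi = alert["time"] + timedelta(seconds=window_s)
    return [r for r in parse_log(log_text)
            if lo <= r["time"] <= hi and alert["src"] in (r["srcip"], r["dstip"])]

if __name__ == "__main__":
    for r in correlate(parse_alert(ALERT), PACKETFILTER_LOG):
        print(r["time"], r["action"], r["initf"], r["srcip"], "->", r["dstip"], r["dstport"])
```

With a real log the two matched directions (the inbound packet from the resolver and the internal client's outbound query) show whether the drop is a response to a lookup that one of your own hosts made.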
