This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advanced Threat Protection C2/Generic-A

Hello,

I'm getting this alert from the UTM 9 firewall:

Advanced Threat Protection

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2019-04-10 07:49:07

Traffic blocked: yes

Source IP address or host: 63.76.254.157

Here is the ATP Entry:

2019/04/aptp-2019-04-09.log.gz:2019:04:09-23:39:29 utmho ulogd[1022]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" srcmac="00:10:36:00:59:09" dstmac="00:1a:8c:58:b0:74" srcip="63.76.254.157" dstip="93.174.93.73" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="5060" dstport="59643" tcpflags="ACK RST"

I'm not sure what to make of it as neither IP address is a private address on the network and it was detected in eth4 which is the ISP.

The other information that is making me look at this more seriously is the dstip 93.174.93.73 has been banging against the firewall for about 30 days with no success.

I'm hoping someone can help me unravel what/why is going on.

This thread was automatically locked due to age.

Parents

0 Donna Hoffman over 6 years ago

I am seeing the same thing with a source of our ISP block of address to destination 93.174.93.73. Anyone have any information?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Donna Hoffman over 6 years ago

I am seeing the same thing with a source of our ISP block of address to destination 93.174.93.73. Anyone have any information?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 PeterWeston over 6 years ago in reply to Donna Hoffman

I'm seeing the same as well. Our external wan address as the source and 93.174.93.73 as the destination
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to PeterWeston

Hi Peter and Donna and welcome to the UTM Community!

According to https://centralops.net/co/DomainDossier.aspx, 93.174.93.73 reverse resolves to an FQDN on the packet.tel domain. You can email abuse@ipvolume.net to ask packet.tel to stop scanning your public subnets.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 stu over 6 years ago in reply to BAlfson

Hey Bob,

we have the same ATP messages from the same IP. Seems like packet.tel is doing a massive SCTP scanning.

What I do not get, and hopefully you can help me to understand,... why do I get an ATP message from the firewall with my ISP Router and my Network- and Broadcast address as source?

How I understand ATP is, that it blocks if a local machine tries to connect to a malicous IP.

Here it seems like the questionable IP is doing a SCTP scan...from the outside... Why does the firewall react like it does?

Maybe it is obvious, but right now I am a bit lost.

thx
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to stu

Hallo Stu - your first post here - welcome to the UTM Community!

Packet.tel is not a threat. They scan the internet to provide statistics about how many ports are open - that's all I know about them.

The firewall responds to the scan, but ATP blocks its response because, for a reason I ignore, this packet.tel IP is on the list of malicious actors. See Rule #2.1 in Rulz.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Seppe over 6 years ago in reply to BAlfson

Hello,

i've got the same alerts on a customer's UTM.

I've send an email to abuse@ipvolume.net and let you know if they exclude the ip range.

Regards,
Seppe
Cancel
Vote Up 0 Vote Down

Cancel