This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to stop traffic from Mirai botnets?

jlbrown over 3 years ago

My SEIM (AlienVault) is detecting Mirai inbound activity.

Eg:

How can these be stopped at the UTM?

Eg can it get known botnet addresses from the Open Threat Exchange (OTX)?

Thanks, James.

This thread was automatically locked due to age.

Parents

BAlfson over 3 years ago

James, I guess I'd ask why this traffic was allowed through the UTM in the first place instead of letting it be default dropped...

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
jlbrown over 3 years ago in reply to BAlfson

BAlfson Thanks for replying. Not sure how to find that out. Nothing will be logged if it went through, correct? IPS is on. Firewall is on.
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 3 years ago in reply to jlbrown

You must have a firewall rule that allows port 52555, James.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
jlbrown over 3 years ago in reply to BAlfson

Thanks Bob. Port 52555 is the sending port that this device is using - it is being received by us on port 80.

No firewall rules for either (port 80 goes through WAF). 139.130.139.174 is our IP address.
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 3 years ago in reply to jlbrown

I see that now, James. So it's the hidden, automatic rule created by the configuration daemon. If you don't want to use Amodin's suggestion, the only other solution is to create a blackhole DNAT for the offending IPs/subnets. You're right that there's no option to use OTX. Mirai attacks can come from 100,000 IPs, so I doubt that even OTX would be a solution. What do you have behind WAF that might be vulnerable to a mirai malware infection?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

BAlfson over 3 years ago in reply to jlbrown

I see that now, James. So it's the hidden, automatic rule created by the configuration daemon. If you don't want to use Amodin's suggestion, the only other solution is to create a blackhole DNAT for the offending IPs/subnets. You're right that there's no option to use OTX. Mirai attacks can come from 100,000 IPs, so I doubt that even OTX would be a solution. What do you have behind WAF that might be vulnerable to a mirai malware infection?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data