IPS started logging the following: "PROTOCOL-DNS domain not fount containing random-looking host name - possible DGA detected. It also says that the packet has not been dropped. I have checked our IPS rule, and it was set to drop. So I changed it to terminate, to see if that would make any difference in the log. I am continuing to get the same message.
If I log to the firewall, it shows that IPS is blocking the attempts.
The source IP address of this attack is the IP of our ISP's DNS server. Would that be an accurate IP address in the message? I have notified our provider of the issue to see if they can be of assistance. As I am not that familiar with these devices, is there anything else I can do, to get to the bottom of this? I am getting hit with these messages very frequently since late last night.
Thank you.
Rita
This thread was automatically locked due to age.
