Sophos UTM complaining about public DNS servers [CRIT-861]

We've had the UTM in place for a long time and today it is freaking out/notifying us constantly about our private and forwarding servers. 
Nothing has been changed and in the past, it was always the internal/private DNS servers whenever a client PC would get a gnarly PUP. 

But today, the public realm is now a threat. 
Details about the alert:
Threat name....: C2/Generic-A
Time...........: 2019-07-10 15:18:11
Traffic blocked: yes

Source IP address or host:
System Uptime      : 38 days 6 hours 28 minutes
System Load        : 0.62
System Version     : Sophos UTM 9.603-1

UTM has listed the ISP's DNS, Google, and Level3 as the source IP of the C2 threat. 
Yes, :53 is closed inbound from the outside world, internal outbound only. 

What is going on?

  • Hi  

    Please read this KBA for C2/Generic detection. Further, this looks to be a DNS Amplification attack. Refer to this link: Hope this helps.

  • In reply to Jaydeep:

    I need details Jaydeep... 
    Why is Sophos freaking out over public DNS servers?

    Some of the ISP's DNS servers in the alert aren't even being used on our recursive/internal forwarding DNS system. 

    The problem started on July 10th and is continuing into today [July 11th], and we have not experienced any issues for the past year up until July 10th.

    Port 53 is closed inbound on the firewall, portscans confirm it as such, no external unsolicited traffic. 

    I have a few computers I'm checking for malware, but the alert to reported IP address just doesn't match and doesn't make any sense. 

  • In reply to Coker Tire:


    If you want more details or need an RCA and you're using a Licensed Product, please raise a case with Sophos Support. However, please check the packetfilter.log for the time shown in the alert messages. It would give you an idea about the packets coming to the UTM from these DNS servers. The good thing is, these packets are dropped by the UTM.

  • In reply to Coker Tire:

    Hi and welcome to the UTM Community!

    I think Jaydeep is correct that this is a DoS attack by someone sending name resolution requests to where your public IP is spoofed as the sender.  If you would post the line from the Intrusion Prevention log, that might be interesting.

    Cheers - Bob
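
The packetfilter.log check suggested in the thread, as an added example that is not part of any post and is not Sophos code: it tallies dropped UDP packets with source port 53 in a window around the alert time, per source IP, which shows whether the resolvers named in the alert were sending replies the firewall did not expect. The timestamp format, the key="value" field names, the sample lines and the documentation-range addresses are constructed assumptions; adjust the field names to what your log actually contains.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). Assumed layout: a
# YYYY:MM:DD-HH:MM:SS timestamp followed by key="value" pairs.
SAMPLE_LOG = '''\
2019:07:10-15:18:09 utm ulogd[4711]: sub="packetfilter" action="drop" srcip="192.0.2.53" dstip="203.0.113.10" proto="17" length="512" srcport="53" dstport="41822"
2019:07:10-15:18:11 utm ulogd[4711]: sub="packetfilter" action="drop" srcip="192.0.2.53" dstip="203.0.113.10" proto="17" length="512" srcport="53" dstport="41822"
2019:07:10-15:18:11 utm ulogd[4711]: sub="packetfilter" action="drop" srcip="198.51.100.8" dstip="203.0.113.10" proto="17" length="468" srcport="53" dstport="5310"
2019:07:10-15:18:12 utm ulogd[4711]: sub="packetfilter" action="drop" srcip="198.51.100.77" dstip="203.0.113.10" proto="6" length="60" srcport="44123" dstport="23"
2019:07:10-15:40:00 utm ulogd[4711]: sub="packetfilter" action="drop" srcip="192.0.2.53" dstip="203.0.113.10" proto="17" length="512" srcport="53" dstport="41822"
'''

KV = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"

def parse_line(line):
    """Return (timestamp, fields), or None if the line has no valid timestamp."""
    stamp, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(stamp, TS_FORMAT)
    except ValueError:
        return None
    return when, dict(KV.findall(rest))

def dns_drops_near(log_text, alert_time, window_s=60):
    """Map source IP -> (packets, bytes) for dropped UDP/53 replies near alert_time."""
    window = timedelta(seconds=window_s)
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, f = parsed
        if abs(when - alert_time) > window:
            continue
        # proto 17 is UDP; source port 53 means the packet claims to be a DNS reply.
        if f.get("action") == "drop" and f.get("proto") == "17" and f.get("srcport") == "53":
            count, size = stats.get(f.get("srcip", "?"), (0, 0))
            stats[f.get("srcip", "?")] = (count + 1, size + int(f.get("length", 0)))
    return stats

if __name__ == "__main__":
    alert = datetime.strptime("2019-07-10 15:18:11", "%Y-%m-%d %H:%M:%S")
    for src, (count, size) in sorted(dns_drops_near(SAMPLE_LOG, alert).items()):
        print(f"{src}: {count} dropped DNS replies, {size} bytes")
```

Many dropped replies from resolvers that no internal host queried is consistent with the spoofed-source explanation given in the replies; replies that match outbound queries from one internal client point back at that client instead.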