Advanced Threat Protection C2/Generic-A

Hello,

I'm getting this alert from the UTM 9 firewall:

Advanced Threat Protection

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2019-04-10 07:49:07

Traffic blocked: yes

Source IP address or host: 63.76.254.157

Here is the ATP Entry:

2019/04/aptp-2019-04-09.log.gz:2019:04:09-23:39:29 utmho ulogd[1022]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" srcmac="00:10:36:00:59:09" dstmac="00:1a:8c:58:b0:74" srcip="63.76.254.157" dstip="93.174.93.73" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="5060" dstport="59643" tcpflags="ACK RST"        

I'm not sure what to make of it, as neither IP address is a private address on the network and it was detected on eth4, which is the ISP.

The other information that is making me look at this more seriously is the dstip 93.174.93.73 has been banging against the firewall for about 30 days with no success.

I'm hoping someone can help me unravel what/why is going on.

  • I am seeing the same thing with a source of our ISP block of addresses to destination 93.174.93.73. Anyone have any information?

  • In reply to Donna Hoffman:

    I'm seeing the same as well. Our external WAN address as the source and 93.174.93.73 as the destination.

  • In reply to PeterWeston:

    Hi Peter and Donna and welcome to the UTM Community!

    According to https://centralops.net/co/DomainDossier.aspx, 93.174.93.73 reverse resolves to an FQDN on the packet.tel domain.  You can email abuse@ipvolume.net to ask packet.tel to stop scanning your public subnets.

    Cheers - Bob

  • In reply to BAlfson:

    Hey Bob,

    We have the same ATP messages from the same IP. Seems like packet.tel is doing a massive SCTP scanning.

    What I do not get, and hopefully you can help me understand: why do I get an ATP message from the firewall with my ISP router and my network and broadcast addresses as source?

    How I understand ATP is that it blocks if a local machine tries to connect to a malicious IP.

    Here it seems like the questionable IP is doing an SCTP scan from the outside. Why does the firewall react the way it does?

    Maybe it is obvious, but right now I am a bit lost.

    Thanks

  • In reply to stu:

    Hallo Stu - your first post here - welcome to the UTM Community!

    Packet.tel is not a threat.  They scan the internet to provide statistics about how many ports are open - that's all I know about them.

    The firewall responds to the scan, but ATP blocks its response because, for a reason I'm not aware of, this packet.tel IP is on the list of malicious actors. See Rule #2.1 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    Hello,

    I've got the same alerts on a customer's UTM.

    I've sent an email to abuse@ipvolume.net and will let you know if they exclude the IP range.

    Regards,
    Seppe
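
Following Bob's explanation above, here is an added example (not from this thread or from Sophos) that parses ATP drop lines in the ulogd key="value" format shown in the first post and flags which entries are only the firewall's RST reply to an inbound probe, as opposed to a LAN host itself initiating a connection to a listed address. It assumes eth4 is the WAN interface (as the first post says); the classification rule is my own heuristic, and the second sample line is constructed.

```python
import re
import ipaddress

# Constructed sample: line 1 is the thread's entry (MAC/tos fields dropped for brevity),
# line 2 is a made-up entry showing a LAN host itself initiating a connection.
SAMPLE_LOG = """\
2019:04:09-23:39:29 utmho ulogd[1022]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" srcip="63.76.254.157" dstip="93.174.93.73" proto="6" srcport="5060" dstport="59643" tcpflags="ACK RST"
2019:04:09-23:41:02 utmho ulogd[1022]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcip="192.168.1.25" dstip="93.174.93.73" proto="6" srcport="51234" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_atp_log(text):
    """Turn each ulogd ATP-drop line into a dict of its key="value" fields plus the timestamp."""
    entries = []
    for line in text.splitlines():
        if 'name="Packet dropped (ATP)"' not in line:
            continue  # only ATP drops are of interest here
        fields = dict(KV_RE.findall(line))
        fields["time"] = line.split()[0]
        entries.append(fields)
    return entries


def classify(entry, wan_ifaces=("eth4",)):
    """Heuristic (my assumption, not a Sophos rule): tell a firewall/ISP-side RST reply
    to an inbound probe apart from a LAN host reaching out to a listed address."""
    src = ipaddress.ip_address(entry["srcip"])
    flags = set(entry.get("tcpflags", "").split())
    on_wan = entry.get("initf") in wan_ifaces
    if on_wan and not src.is_private and "RST" in flags and "SYN" not in flags:
        return "reply-to-inbound-probe"   # Bob's case: the firewall's own response is blocked
    if src.is_private or not on_wan:
        return "internal-host-outbound"   # the case ATP exists to catch: investigate that host
    return "review-manually"


def triage(text):
    """One (time, srcip, dstip, threatname, verdict) tuple per ATP drop line."""
    return [(e["time"], e["srcip"], e["dstip"], e.get("threatname"), classify(e))
            for e in parse_atp_log(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Point the script at `zcat aptp-*.log.gz` output to separate the packet.tel replies from anything that actually warrants a look at an internal host.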