Advanced Threat Protection - Lock.bz

it's a known issue, but not an error from UTM.

Check these threats for explanation why we see these traffic :

https://community.sophos.com/products/unified-threat-management/f/general-discussion/83389/atp-generating-alerts-for-ip-addresses-outside-of-network

there are different workarounds removing this traffic before it reach the internal servers.

i use a black hole DNAT rule recommended by BAlfson.

Hi Dirkkotte,

Thanks for your response. I had looked at this thread previously, and tried to create a black hole DNAT rule, but I'm not sure if I did this correctly. Would you be able to provide me with directions on how to achieve a working DNAT rule to stop this traffic?

Kind regards,

Richard

my DNAT Rule

remember ... this rule must be placed before other rules matching this traffic.

Hi dirkkotte,

Thanks for showing me your DNAT rule. I had re-created my DNAT rule in the same format as your's, but unfortunately I am still receiving Advanced Threat Protection Alerts for DNS queries for the lock.bz domain (please see attached screenshot). The two internal hosts showing in the below log, are two internal DNS servers - 10.0.1.30 and 10.0.1.31. I'm on the verge of adding both of these hosts to the exceptions list... but I really don't want to go down that route.

Regards,

Richard

ok, thats not the known problem with incomming packets only.

seems some system asking your DNS servers for this domain.

you should activate DNS logging and check which system tries to find this domain.

possible you have endpoint or mail solutions checking this domain, possible you have malware.

If your UTM point to internal DNS servers this is an option also.

Hi Andrew,

I never did find a solution to this problem unfortunately, it's something which continues to annoy me on a daily basis. My symptoms sound all too similar to yours, very interesting to hear from somebody else with this very same problem. I've diagnosed this problem as far as you have, with no success. All troubleshooting of DNS point straight back to the UTM as being the source... rather odd that this only started to occur after performing an update to the UTM.

Regards,

Richard

Richard,

Thanks for the response.  This really is one troublesome issue, and I am very seriously worried about the UTM being potentially compromised.  I currently have every feature I use disabled (web filter, endpoint, smtp, ipsec/ssl/pptp vpns, wireless protection, webserver protection) and still this persists.  I have created the suggested DNAT blackhole, and have multiple firewall rules blocking traffic both to and from the suspect domain, AND explicitly rejecting all traffic on port 53 to my WAN.  I cant find any rhyme or reason as to what this is and why it's happening.  Unfortunately wiping it is a non-trivial task as I rely on it very heavily as you see.  Perhaps I should make a new forum post entirely to put it at the top of the list and get some eyes on it?  I really need a solution for this.

Thanks for your time!

Hi Andrew,

It is a very frustrating problem which nobody here appears to have a solution to unfortunately. I've also created the blackhole DNAT rule, but from reading some of the responses to this thread, creating the blackhole DNAT rule will not resolve this issue as the issue I'm having is different from the issue in which other people have experienced with the lock.bz / lock.biz DNS traffic. I believe that this is a software bug, as I only started having this trouble after applying one of the UTM updates. Nothing else has changed network wise, and after physically removing the uplink from the UTM to the switch which serves the clients, and still receive constant ATP alerts... I can safely say that there are no compromised clients on my network.

Hopefully... just hopefully, somebody here will believe me when I say that I have no compromised clients on my network... and the UTM is doing something which it shouldn't be doing.

PS. Were you using Google DNS pointers? After reading your comment in regards to DNS forwarding, I had a look at my DNS server and noticed that I had set it to forward directly to 8.8.8.8 / 8.8.4.4, rather than the UTM itself. After removing these pointers and adding a single pointer to the UTM, I haven't received a single alert for lock.bz / lock.biz... rather odd?

Regards,

Richard

Richard,

That is exactly what I discovered during my initial foray into this last week.  After I set my internal DNS server to point at the UTM, the ATP alerts stopped.  However, I didn't think it could be that easy, so I looked at the DNS logs, and found the constant requests still being rejected.  I recommend that you check your dns live log on the UTM to make sure the requests aren't still coming in - our symptoms seem to be 100% identical so I believe you will find the same thing I did.  You are correct, I have Google DNS in my list but I have my ISP forwarders as well.  My forwarder list shows ISP1, ISP2, Google 1, Google 2.  

I find it odd that I am only receiving the rejections from both Googles and loopback...is the request to my ISP forwarders not being rejected?  Is it not even going out?  The DNS logs are showing minimal activity other than the rejections.  I disable root hints on my DNS server to make sure dns is being pushed to the utm.  Then I cleared the server cache and did a flushdns on the client machine.  I then proceeded to click on random webpage shortcuts and news links - near 2 dozen clicks total.  I showed 10 rejections for lock.bz, and a single! request other than that.  All web sites loaded just fine, quite quickly I might add, so either there's some magic happening, or the log just doesn't show everything.

Also, to clarify, this indeed persists for me when disconnecting the lan uplink as you did.

Richard,

Here's an update.  I downloaded the newest iso and installed a new UTM for testing.  If I import my configuration, the DNS queries start immediately.  However if I don't import, and just do a basic setup by hand with only the necessary items configured (including dns proxy) there are no queries.  This proves again that it is not an infected machine on my network and shows that it's coming from the Sophos.  Unfortunately that still doesn't explain the who/what/how questions.  This weekend I am going to fully configure the test UTM by hand and monitor all connections during the process to see if anything pops up at each step.  I will let you know what I find.

Thanks,

Andrew

Hi Andrew,

Thanks for the update, that sounds very interesting. It is unfortunate that the rest of the community here have stopped providing input to this topic. It's quite clearly an issue, but would appear to be getting ignored.

After changing the forwarders on my Internal DNS server (Windows DNS), to point directly to the UTM instead of the Google Public DNS servers, I did notice that the ATP alerts had stopped. I did check the DNS log after reading your post, but nothing showed up for the lock.bz / lock.biz domains. I did although experience some internal name resolution problems, so I decided to revert my DNS configuration back. Again, the alerts started flooding back in... At this point, I decided to remove the two Google Public DNS entries and use the Virgin Media DNS servers instead. Since making this change, I have not yet received any ATP alerts nor has there been any DNS log entries for lock.bz / lock.biz. I'm wondering if something strange is happening with Google's public DNS servers?

Just found this - https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/42140/advanced-threat-protection-google-dns-8-8-8-8-false-positive/148728?pi2132219849=2. Surely it wouldn't be a coincidence that everything seems to always point to 8.8.8.8 / 8.8.4.4...

Cheers,

Richard

Hi Andrew,

Thanks for the update, that sounds very interesting. It is unfortunate that the rest of the community here have stopped providing input to this topic. It's quite clearly an issue, but would appear to be getting ignored.

After changing the forwarders on my Internal DNS server (Windows DNS), to point directly to the UTM instead of the Google Public DNS servers, I did notice that the ATP alerts had stopped. I did check the DNS log after reading your post, but nothing showed up for the lock.bz / lock.biz domains. I did although experience some internal name resolution problems, so I decided to revert my DNS configuration back. Again, the alerts started flooding back in... At this point, I decided to remove the two Google Public DNS entries and use the Virgin Media DNS servers instead. Since making this change, I have not yet received any ATP alerts nor has there been any DNS log entries for lock.bz / lock.biz. I'm wondering if something strange is happening with Google's public DNS servers?

Just found this - https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/42140/advanced-threat-protection-google-dns-8-8-8-8-false-positive/148728?pi2132219849=2. Surely it wouldn't be a coincidence that everything seems to always point to 8.8.8.8 / 8.8.4.4...

Cheers,

Richard

Guys,

If you've configured DNS & DHCP as in DNS best practice, you can block DNS queries to lock.bz using the trick in Block a TLD.

Cheers - Bob