

ATP Alerts Tor Exit Nodes

Hi All,

I wonder if anyone can help me clarify the following. We started receiving standard ATP alerts over the past month, as below. Usually I'm able to investigate these alerts, and they are either DNS recursive queries performed by our forwarders on spam domain emails received and rejected by the SMTP proxy, or web session hijack attempts trying to redirect traffic to malicious domains. Recently, though, I've been baffled by a recurrent alert, as below, that I'm not able to make much sense of. I parsed the logs for our SMTP proxy, which show traffic to a Tor node from what I can only assume are SMTP connections rejected by the UTM. Does anyone have any idea on this?

2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:27-12:50:57 srvutm-1 exim-in[8916]: 2021-10-27 12:50:57 SMTP connection from [185.220.100.254]:32560 (TCP/IP connection count = 4)
2021:10:27-12:51:01 srvutm-1 exim-in[23909]: 2021-10-27 12:51:01 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:32560 SSL_accept: TCP connection closed by peer
2021:10:27-17:12:32 srvutm-1 exim-in[8916]: 2021-10-27 17:12:32 SMTP connection from [185.220.100.254]:14154 (TCP/IP connection count = 2)
2021:10:27-17:12:33 srvutm-1 exim-in[5631]: 2021-10-27 17:12:33 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:14154 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Advanced Threat Protection Details
Total Events: 2

  #  User/Host      Threat Name   Destination      Events  Origin
  1  192.168.7.250  C2/Generic-A  185.220.100.254
  2  192.168.7.250  C2/Generic-A  185.220.100.254
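The following script is an added example, not part of the original post or of Sophos UTM: it parses exim-in lines of the exact shape quoted above, ties the "SMTP connection from" line to the "TLS error on connection from" line of the same session via the peer ip:port (exim logs the two from different processes), rolls the sessions up per source address, and checks each address against a Tor exit list. The log sample is the post's own lines plus one constructed line from a non-Tor host (198.51.100.7) for contrast; the exit list is a constructed stand-in for the list the Tor project publishes, and the verdict wording is the author's own.

```python
import re
from collections import defaultdict

# Constructed sample: the exim-in lines quoted in the post above, plus one
# extra connection from a non-Tor host so the contrast is visible.
SAMPLE_LOG = """\
2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:27-12:50:57 srvutm-1 exim-in[8916]: 2021-10-27 12:50:57 SMTP connection from [185.220.100.254]:32560 (TCP/IP connection count = 4)
2021:10:27-12:51:01 srvutm-1 exim-in[23909]: 2021-10-27 12:51:01 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:32560 SSL_accept: TCP connection closed by peer
2021:10:27-17:12:32 srvutm-1 exim-in[8916]: 2021-10-27 17:12:32 SMTP connection from [185.220.100.254]:14154 (TCP/IP connection count = 2)
2021:10:27-17:12:33 srvutm-1 exim-in[5631]: 2021-10-27 17:12:33 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:14154 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer
2021:10:29-09:15:02 srvutm-1 exim-in[6731]: 2021-10-29 09:15:02 SMTP connection from [198.51.100.7]:44123 (TCP/IP connection count = 1)
"""

# Constructed stand-in for the Tor exit list; only 185.220.100.254 is taken
# from the post, the other two entries are made up.
TOR_EXITS = {"185.220.100.254", "185.220.100.252", "185.220.101.1"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) exim-in\[(?P<pid>\d+)\]: \S+ \S+ (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^SMTP connection from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
TLS_RE = re.compile(
    r"^TLS error on connection from (?P<rdns>\S+) \[(?P<ip>[^\]]+)\]:(?P<port>\d+) (?P<reason>.*)$"
)


def parse_sessions(log_text):
    """Group exim-in lines into inbound sessions keyed by (peer_ip, peer_port).

    The TCP accept and the TLS failure are logged by different exim processes,
    so the peer ip:port is what ties the two lines of one session together.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CONN_RE.match(msg)
        if c:
            key = (c.group("ip"), int(c.group("port")))
            sessions[key] = {"ts": m.group("ts"), "rdns": None, "tls_error": None}
            continue
        t = TLS_RE.match(msg)
        if t:
            key = (t.group("ip"), int(t.group("port")))
            s = sessions.setdefault(key, {"ts": m.group("ts"), "rdns": None, "tls_error": None})
            s["rdns"] = t.group("rdns")
            s["tls_error"] = t.group("reason")
    return sessions


def summarize_by_peer(sessions, tor_exits):
    """Roll sessions up per source IP and flag addresses found in the exit list."""
    out = defaultdict(lambda: {"sessions": 0, "tls_aborted": 0, "rdns": None, "tor_exit": False})
    for (ip, _port), s in sessions.items():
        row = out[ip]
        row["sessions"] += 1
        if s["tls_error"]:
            row["tls_aborted"] += 1
        if s["rdns"]:
            row["rdns"] = s["rdns"]
        row["tor_exit"] = ip in tor_exits
    return dict(out)


def explain_atp_alert(summary, destination_ip):
    """Match the Destination column of an ATP alert against the exim view.

    Returns a one-line verdict a responder can paste into the ticket.
    """
    row = summary.get(destination_ip)
    if row is None:
        return "no SMTP-proxy session with this peer; look at DNS/web proxy logs instead"
    parts = [f"{row['sessions']} inbound SMTP session(s) from {destination_ip}"]
    if row["rdns"]:
        parts.append(f"rDNS {row['rdns']}")
    if row["tor_exit"]:
        parts.append("listed as a Tor exit")
    if row["tls_aborted"] == row["sessions"]:
        parts.append("every TLS handshake aborted by the peer, no mail delivered")
    return "; ".join(parts)


if __name__ == "__main__":
    summary = summarize_by_peer(parse_sessions(SAMPLE_LOG), TOR_EXITS)
    for ip in summary:
        print(ip, "->", explain_atp_alert(summary, ip))
```

Run against the real exim-in log and the current exit list, the verdict for 185.220.100.254 reads as inbound connections that never got past the TLS handshake, which is the direction the post's author suspected; a destination that produces no exim session at all points back at the DNS or web proxy logs instead.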



  • So, how did you guys handle this?

    Did you guys just block the traffic to that subnet?

    As I wrote a few days ago I'm sure it is nothing in our network but since we still receive ATP alerts from time to time, I just want to make sure what you guys did.

    br

  • Blocking traffic to Tor nodes is almost impossible considering the number of nodes / IP subnets available and the need to keep an up-to-date list of existing nodes.

    I had a look through the forum and other articles to try and find a way of doing this, but so far it seems not possible. If anyone knows an effective way, please share.

  • It's not all Tors doing this, just some bad guy at a few Tors. You can block this traffic by creating a blackhole DNAT:

              DNAT : {group of offending subnets} -> Any -> {Group of external IPs} : to {blackhole}

    See #2 in Rulz (last updated 2021-02-16). For example, f3netze.de + for-privacy.net is 185.220.100.0/23. Instead of the "Any" service you might be able to just use SMTP, but I suspect any traffic from a Tor would be blocked and trigger an ATP alert.

    Then again, if this is the SMTP Proxy trying to resolve an FQDN related to emails from other sources, it would be necessary to block or blacklist those sender domains.

    Was anyone successful?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
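The "group of offending subnets" in Bob's DNAT, and the wish further down the thread for a Tor node list that keeps itself current, both come down to turning a long list of exit addresses into a short list of networks. The script below is an added example, not code from the thread or from Sophos: it reads an exit list in the one-address-per-line form assumed here (the Tor project publishes its bulk exit list that way; a scheduled job would fetch it, this sample is constructed and embedded), blocks any /24 that contains at least two exits as a whole, keeps isolated exits as host routes, and merges adjacent blocks. The /24 granularity and the two-exit threshold are policy choices made for the example; on this sample the two 185.220.100.x/24 and 185.220.101.x/24 blocks merge into the 185.220.100.0/23 Bob quotes.

```python
import ipaddress

# Constructed sample in the one-IP-per-line form the Tor bulk exit list uses.
# 185.220.100.254 is the exit from the post; every other entry is made up.
SAMPLE_EXIT_LIST = """\
# constructed exit list sample
185.220.100.240
185.220.100.241
185.220.100.242
185.220.100.243
185.220.100.252
185.220.100.253
185.220.100.254
185.220.101.1
185.220.101.2
198.51.100.7
"""


def load_exit_ips(text):
    """Parse one address per line, skipping blanks and '#' comments."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ips.append(ipaddress.ip_address(line))
    return ips


def build_blocklist(ips, v4_prefix=24, v6_prefix=48, min_exits=2):
    """Aggregate exit addresses into a short list of networks for a firewall group.

    Any /v4_prefix (or /v6_prefix for IPv6) holding at least `min_exits` exits is
    blocked as a whole, on the assumption (a policy choice, not a fact about Tor)
    that such a range is dedicated to exits; isolated exits stay host routes.
    Adjacent blocks are then collapsed into the minimal set of CIDRs.
    """
    buckets = {}
    for ip in ips:
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        buckets.setdefault(net, []).append(ip)

    candidates = []
    for net, members in buckets.items():
        if len(members) >= min_exits:
            candidates.append(net)
        else:
            candidates.extend(ipaddress.ip_network(str(ip)) for ip in members)

    # collapse_addresses only accepts one address family at a time.
    result = []
    for version in (4, 6):
        same_family = [n for n in candidates if n.version == version]
        result.extend(ipaddress.collapse_addresses(same_family))
    return sorted(result, key=lambda n: (n.version, n))


def is_blocked(ip, networks):
    """True if `ip` falls inside any network of the generated blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)


if __name__ == "__main__":
    nets = build_blocklist(load_exit_ips(SAMPLE_EXIT_LIST))
    for n in nets:
        print(n)
    print("185.220.100.254 blocked:", is_blocked("185.220.100.254", nets))
```

Each network the script prints becomes one network definition in the UTM, all of them placed into the group the DNAT refers to; rerun it whenever the exit list is refreshed and diff the output against the group. Raising `min_exits` (or lengthening the prefix) trades fewer false positives on shared hosting ranges for a longer group, and a whole /24 will also catch non-Tor hosts in that range. Note too that this only affects traffic the rule matches, which as the later reply in this thread reports did not stop the ATP alerts raised on DNS requests.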
  • Thanks Balfson, I already had a rule to drop any traffic from this range; the challenge is to have an up-to-date list of Tor nodes as an object that would dynamically update. Maybe an idea for Sophos, perhaps?

    This recent activity may or may not be related to the below as well, but it is worth a read:

    us-cert.cisa.gov/.../aa21-321a

  • Thank you! 

    In that case I have to create a network definition for every subnet that I want to block and put them all into one network group, correct?

  • Hi,

    Update from my side: I created the blackhole DNAT, but we received ATP alerts again last night.

    I was expecting that any traffic would get blocked, even though these are just DNS requests.

    br