This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP Alarm C2/Generic-A Blocked DNS Requests (Forwarded from SOPHOS)

Hi,

the SOPHOS UTM Firewall of one of our Clients sporadically reports an ATP-Threat (Botnet/command-and-control traffic) that has been blocked. The "infected" Hosts are always the two Domain Controllers / DNS Servers within the network.

User/Host Threat Name Destination Events Origin  
1 172.16.130.11 C2/Generic-A 185.220.100.244 1 AFCd

AV-Scan of the Servers has always been clean. Most likely not the DNS Servers itself are to be infected, but some client requesting melicious domains.

To get down to the infected client we activated Windows DNS Server analytical logs, so that we can track down the DNS Querys that get blocked, which has worked out so far. The following are the relevant log entries of one of the DNS Servers:

QUERY_RECEIVED: TCP=0; InterfaceIP=172.16.130.11; Source=172.16.130.1; RD=1; QNAME=tor-exit-5.zbau.f3netze.de.; QTYPE=1; XID=52214; Port=48389; Flags=256

RECURSE_QUERY_TIMEOUT: TCP=0; InterfaceIP=0.0.0.0; Destination=1.1.1.1; QNAME=tor-exit-5.zbau.f3netze.de.; QTYPE=1; QXID=29252; XID=55562; Port=0; Flags=256; RecursionScope=.; CacheScope=Default; AdditionalInfo = VirtualizationInstance: .;

Finding 1: Some Client (172.16.130.1) requests a Tor exit node.
Finding 2: Guess which client this IP 172.16.130.1 is? The SOPHOS UTM itself.

My guess was, that some Client in a different subnet (Guest Network / IoT Network) uses the SOPHOS XG as DNS Resolver, which forwards the DNS Requests to the internal Domain Servers. So we reconfigured the Network.

IoT Network now directly uses the Windows DNS Servers (Firewall Rule IoT -> DNS Server : DNS : allow added)
--> If the requests come from IoT Network we should be able to see the IP-Address of the client within the Windows DNS Server logs

Guest Network now uses 1.1.1.1 / 9.9.9.9 DNS Servers (Firewall Rule Guest -> 1.1.1.1/9.9.9.9 : DNS : allow added)
--> SOPHOS Should block the DNS Requests now directly, showing the "infected" client.

My Hope was, that we would be able now, to track down the actual client. And in the meantime we actually found an Employee who uses Tor-Browser on his iPhone (using this exact Exit Node). We found this, because for some reason he was using the internal WiFi... (As a consequence we activated a MAC-Filter on internal WIFi and instructed the CEO of the client to not use the internal Wifi for employee Phones)

We first thought that this would be the "End of the story" but today I got another ATP notification (see table above). And again its the Windows DNS Servers forwarding this DNS Request from SOPHOS UTM Firewall.

Does Someone have an Idea what we could do to get rid of these ATP Notifications and actually track down what is causing them? AFAIK the SOPHOS UTM should not be used as DNS Forwarder from any device anymore... But we can't be sure.

Here are some Questions that I don't have an answer to:

- Why does SOPHOS UTM forward these DNS Requests at all? Shouldn't they be dropped in the first place showing the actual client?
- Is it possible to log all DNS Requests within SOPHOS UTM Firewall, so that we could check these logs as well?

Thank you very much for your help!



This thread was automatically locked due to age.
  • I just found the "Log unique DNS requests" option within "Network Protection -> Firewall ->Advanced". 

    Even if the actual requested FQDN is not logged within the protocol, this should help us to find out some more details about these requests in future.

  • Hallo and welcome to the UTM Community!

    Should I move this thread to the XG Community?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi bob,


    Thank you for the replay. The Firewall this topic is regarding actually is a UTM Firewall. I updated my post.

  • We had the issue again today. After some digging I found this Topic where the esact same issue has been discussed:  ATP Alerts Tor Exit Nodes - Mail Protection: SMTP, POP3, Antispam and Antivirus - UTM Firewall - Sophos Community  

    The Reason for the ATP Alerts is pretty simple:

    SOPHOS SMTP Proxy is active.

    There are SMTP connections coming in from " tor-exit-5.zbau.f3netze.de"  

     2022:02:03-22:25:20 vpn-2 exim-in[752]: 2022-02-03 22:25:20 SMTP connection from tor-exit-16.zbau.f3netze.de [185.220.100.243]:12662 lost D=35s  

      SOPHOS UTM resolves the FQDN against our internal DNS Servers (sophos forwards DNS against Internal DNS) which forwards the request to external DNS Servers. This connection is then dropped by SOPHOS ATP Engine.

    I followed the advice from the other users and configured DNS as follows: Internal DNS --> SOPHOS UTM --> WAN and added a request route for the internal Domain Name to be forwareded to the internal DNS Servers.