How to stop traffic from Mirai botnets?

My SIEM (AlienVault) is detecting Mirai inbound activity.

E.g.:

How can these be stopped at the UTM?

E.g. can it get known botnet addresses from the Open Threat Exchange (OTX)?

Thanks, James.

  • Have you considered using Country Blocking?

    UTM - 9.707 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • James, I guess I'd ask why this traffic was allowed through the UTM in the first place instead of letting it be default dropped...

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks - we do use country blocking for some countries, but it's a botnet so that won't work.

  • Thanks for replying. Not sure how to find that out. Nothing will be logged if it went through, correct? IPS is on. Firewall is on.

  • You must have a firewall rule that allows port 52555, James.

    Cheers - Bob

  • Thanks Bob. Port 52555 is the sending port that this device is using - it is being received by us on port 80.

    No firewall rules for either (port 80 goes through WAF). 139.130.139.174 is our IP address.

  • I see that now, James. So it's the hidden, automatic rule created by the configuration daemon. If you don't want to use Amodin's suggestion, the only other solution is to create a blackhole DNAT for the offending IPs/subnets. You're right that there's no option to use OTX. Mirai attacks can come from 100,000 IPs, so I doubt that even OTX would be a solution. What do you have behind WAF that might be vulnerable to a Mirai malware infection?

    Cheers - Bob

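One way to turn the SIEM hits into the IP/subnet list for the blackhole DNAT Bob describes, as an added example that is not part of this thread or of Sophos UTM: it parses constructed Mirai-detection events (the real AlienVault export format is not shown here, so the key=value shape is assumed), groups the source hosts by /24, and emits one subnet entry where several bots share a range and a single-host entry otherwise. The destination ports it reports are what a firewall rule actually has to cover; the bots' source port (52555 in this thread) is not a useful match key.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample SIEM events. The AlienVault export format is not shown in
# the thread, so this simplified key=value shape is an assumption.
SAMPLE_EVENTS = """\
ts=2019-05-01T10:00:01Z sig="Mirai inbound" src=198.51.100.17:52555 dst=139.130.139.174:80
ts=2019-05-01T10:00:03Z sig="Mirai inbound" src=198.51.100.44:49211 dst=139.130.139.174:80
ts=2019-05-01T10:00:09Z sig="Mirai inbound" src=198.51.100.90:52555 dst=139.130.139.174:80
ts=2019-05-01T10:01:12Z sig="Mirai inbound" src=203.0.113.5:52555 dst=139.130.139.174:80
ts=2019-05-01T10:01:13Z sig="Mirai inbound" src=203.0.113.5:52555 dst=139.130.139.174:80
ts=2019-05-01T10:02:40Z sig="Mirai inbound" src=192.0.2.200:40000 dst=139.130.139.174:23
"""
EVENT_RE = re.compile(r"src=(\S+):(\d+) dst=(\S+):(\d+)")

def parse_events(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for every line that matches."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            events.append((src, int(sport), dst, int(dport)))
    return events

def aggregate_sources(events, prefix=24):
    """Group the distinct attacking hosts by their enclosing /prefix network."""
    groups = defaultdict(set)
    for src, _sport, _dst, _dport in events:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        groups[net].add(ipaddress.ip_address(src))
    return groups

def blackhole_candidates(groups, min_hosts=2):
    """Block a whole subnet once min_hosts distinct bots were seen in it,
    otherwise block only the single host. Returns CIDR strings in address order."""
    nets = []
    for net, hosts in groups.items():
        if len(hosts) >= min_hosts:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(str(h)) for h in hosts)
    return [str(n) for n in sorted(nets)]

def targeted_ports(events):
    """Destination ports being hit: these, not the bots' source ports, are what
    the firewall/WAF rules must account for."""
    return sorted({dport for _src, _sport, _dst, dport in events})
```

Lowering min_hosts to 1 blocks every observed /24 outright, which is the trade-off Bob hints at: fewer definitions, but more collateral blocking of a botnet spread over many ranges.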