Thread Info
  • Locked Locked
  • Replies 7 replies
  • Subscribers 5 subscribers
  • Views 2781 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to stop traffic from Mirai botnets?

jlbrown

My SEIM (AlienVault) is detecting Mirai inbound activity.

Eg:

How can these be stopped at the UTM?

Eg can it get known botnet addresses from the Open Threat Exchange (OTX)?

Thanks, James.



This thread was automatically locked due to age.
Parents Reply Children
  • in reply to jlbrown

    I see that now, James.  So it's the hidden, automatic rule created by the configuration daemon.  If you don't want to use Amodin's suggestion, the only other solution is to create a blackhole DNAT for the offending IPs/subnets.  You're right that there's no option to use OTX.  Mirai attacks can come from 100,000 IPs, so I doubt that even OTX would be a solution.  What do you have behind WAF that might be vulnerable to a mirai malware infection?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML