C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?



This thread was automatically locked due to age.
  • I also had this on all of my Appliances.

    For me it seems that they are trying to resolve these domain names at all available IP's, like scanning for open resolvers and since the domain is in ATP there's an alert.

    My2cents ...

  • my reply from Sophos Support :

    "Thank you for contacting Sophos.

    I've checked your details below. It looks as though DNS traffic to "app.anmorebcai.com" is being blocked by ATP. I've seen a few UTM cases like this over the past few days. Your internal network is not exploited and the ATP has done its job in protecting you.

    We suggest blocking the source IPs to avoid the alert being triggered again.

    Regards, "

  • Well I would guess that it is more likely to be the Chinese mafia/criminal organisations. Though by seeing the amount of different IP trying to hit my DNS it seems like a large botnet farm.

    I did see the reply BSRIA got from Sophos Support, and the advice about blocking the source IPs. Well, 80,000 unique hits so far; I would have just blocked the whole country, but we have clients in China so that is not really an option. I don't have any interns at the moment either that I could put on to this thankless task of blocking each IP address.

    Open to any suggestions on this one, though thankfully I did turn off email notification of these events after the first 2000 odd emails...

  • Hi, here the same situation.

    But if the support is saying "DNS traffic TO "app.anmorebcai.com" are being blocked by ATP", then the traffic is coming from my firewall or my internal networks... or not?

    In my logs I see UDP traffic FROM app.anmorebcai.com:

    2016:03:20-06:00:18 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="<ext IP>" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"


    Max.
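    To make the per-source-IP blocking suggested earlier (80,000 unique hits is not a hand job) and the "which of my addresses is the destination" question tractable, here is an added example, not code from the thread or from Sophos, that parses the afcd key="value" log format shown in Max's line and aggregates the ATP drops. The sample log lines are constructed (documentation-range addresses, made-up subdomain labels); only the line layout follows the quoted entry. The parent-domain grouping (last three labels) is an assumption that fits the thread's randomised-leading-label hostnames, not a general rule.

```python
import re
from collections import Counter

# Constructed sample lines in the afcd key="value" layout quoted in the thread.
# Addresses are from documentation ranges; the non-ATP "Packet dropped" line
# is there to show that the filter ignores ordinary packetfilter drops.
SAMPLE_LOG = """\
2016:03:20-06:00:18 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.7" dstip="203.0.113.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:19 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.7" dstip="203.0.113.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="pqyoebe38318.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:21 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.0.2.44" dstip="203.0.113.11" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="k1x0aa3f.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:25 <utm> ulogd[4412]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="192.0.2.44" dstip="203.0.113.10" proto="6"
2016:03:20-06:00:30 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.7" dstip="203.0.113.11" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zz9q71.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:31 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.0.2.44" dstip="203.0.113.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="update.example-c2.test" url="-" action="drop"
"""

# "timestamp <node> daemon[pid]:" prefix, then key="value" pairs.
HEAD_RE = re.compile(r'^(?P<ts>\S+) <(?P<node>[^>]+)> (?P<daemon>\w+)\[(?P<pid>\d+)\]:')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one UTM packetfilter log line into a dict, or None if it does not match."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))  # list of (key, value) pairs
    return rec


def is_atp_drop(rec):
    """Only ATP drops carry the '(ATP)' name and a threatname field."""
    return rec is not None and rec.get("name") == "Packet dropped (ATP)" and "threatname" in rec


def parent_domain(host, labels=3):
    """Strip the randomised leading label: keep the last `labels` labels (assumption)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def summarize(log_text):
    """Count ATP drops per source IP, destination IP, parent domain and threat name."""
    by_src, by_dst, by_domain, by_threat = Counter(), Counter(), Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_atp_drop(rec):
            continue
        total += 1
        by_src[rec["srcip"]] += 1
        by_dst[rec["dstip"]] += 1          # which of your own addresses was queried
        by_domain[parent_domain(rec["host"])] += 1
        by_threat[rec["threatname"]] += 1
    return {"total": total, "by_src": by_src, "by_dst": by_dst,
            "by_domain": by_domain, "by_threat": by_threat}


def block_candidates(summary, min_hits=2):
    """Source IPs with at least min_hits ATP drops, most active first (input for a blocklist)."""
    return [ip for ip, n in summary["by_src"].most_common() if n >= min_hits]


def report(summary):
    """Human-readable summary for a mail digest instead of one mail per packet."""
    lines = [f"ATP drops: {summary['total']}"]
    for title, counter in (("by source", summary["by_src"]), ("by destination", summary["by_dst"]),
                           ("by domain", summary["by_domain"]), ("by threat", summary["by_threat"])):
        lines.append(f"  {title}:")
        lines.extend(f"    {k}: {n}" for k, n in counter.most_common())
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(report(s))
    print("block candidates (>=2 hits):", block_candidates(s))
```

    Feeding the real packetfilter log through `summarize` gives the per-destination counts that explain the multiple mails per WAN/DNAT address, and `block_candidates` produces the list to feed into a blocking rule rather than typing addresses one at a time.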


  • No, there's a DNS packet trying to resolve the domain, which is on a blacklist. And this packet is destined to your IP address.

    If you have multiple IP addresses on your firewall you get multiple mails, one for each of the addresses. And if you have a DNAT to an internal server, your internal server is also listed as destination.

  • Because of the massive amount of traffic I was receiving, I had my ISP change my static address yesterday.

    All traffic stopped, and still no activity today.

    Quick fix, but would still be interested in the root cause, and possible trigger for them to even look at my IP to begin with.

    I'm not hosting anything on my IP, and did quick virus, malware scan across all systems just in case - nada.

  • Do you have DNS service enabled to WAN? Perhaps your WAN IP is/was listed as a public DNS server?

  • No. Internal DNS but only on internal LAN.

    I did an external port scan, and nothing showed up outside of the ports for VPN (Which I've also temporarily closed just to be safe).

    J

  • OK, I have the solution/explanation.

    If you do a 

    dig @yourWAN pqyoebe38318.app.anmorencai.com any

    you can reproduce the alert. 

    So this means the ATP listens in front of the firewall rules, regardless of whether the DNS service is running on the WAN or not.

    Be sure that you aren't infected :)

  • Yes, did a full scan (malware etc.) 2 days ago across all systems. Nothing of importance.

    I changed my static address about 24hrs ago now. If I was infected with something unknown, I would assume this traffic would have followed me to the new IP address by now.

    Still monitoring.