
Web Gateway Suspect Botnets

Created: 03 Jul 2013 | 2 comments

We are on version 5.1.0.39. I have some questions regarding seeing suspect botnets within the web gateway. I have read and been advised that a suspect botnet does not apply the policy set to block a certain site until it becomes an active bot. We have never had an active bot, but we have had several suspect bots. What we have been doing is just adding the IP/domain name to the web gateway blacklist. Most of the suspect bots have IPs but an unknown domain name. How can we find out what domain name is associated with the IP? That way we have more of an idea as to whether it needs to be blocked. What do you do if you see a suspect botnet? What's the best action?




BenDC:

You can try a reverse lookup using a tool such as nslookup on the IP to see if there is an associated PTR record, but not all IPs have a domain associated with them.
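The reverse lookup BenDC describes, written out as an added example (this is not code from the thread or from the Web Gateway product). It builds the in-addr.arpa / ip6.arpa name that `nslookup <ip>` or `dig -x <ip>` queries, asks for the PTR record, and then adds the check a practitioner wants before trusting the answer: a PTR record is written by whoever controls the address's reverse zone, so the name is only meaningful if it resolves forward to the same IP (forward-confirmed reverse DNS). The resolver functions are parameters so the demo can run offline against a small constructed lookup table; `CONSTRUCTED_PTR`, `CONSTRUCTED_FORWARD` and the 192.0.2.x addresses are invented for the example.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple


def reverse_pointer(ip: str) -> str:
    """Name that a PTR query for `ip` is sent to (what `nslookup <ip>` asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_lookup(ip: str,
               resolver: Callable[[str], Tuple[str, List[str], List[str]]] = socket.gethostbyaddr
               ) -> Optional[str]:
    """Return the PTR hostname for `ip`, or None when the address has no PTR record.

    `resolver` defaults to the real socket.gethostbyaddr; it is a parameter so the
    lookup can be swapped for a table when running offline.
    """
    try:
        host, _aliases, _addrs = resolver(ip)
        return host
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_addresses(host: str) -> List[str]:
    """Resolve `host` forward (A/AAAA) with the system resolver; addresses as strings."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def forward_confirmed(ip: str, host: str,
                      forward: Callable[[str], List[str]] = forward_addresses) -> bool:
    """True only if `host` resolves back to `ip` (forward-confirmed reverse DNS)."""
    return ip in forward(host)


def classify(ip: str,
             reverse: Callable = socket.gethostbyaddr,
             forward: Callable[[str], List[str]] = forward_addresses) -> str:
    """Summarise what the PTR data says about `ip`, including the 'no PTR' case."""
    host = ptr_lookup(ip, resolver=reverse)
    if host is None:
        return "no PTR record"
    if forward_confirmed(ip, host, forward=forward):
        return f"{host} (forward-confirmed)"
    return f"{host} (PTR only, not forward-confirmed)"


# Constructed reverse and forward tables standing in for a live resolver (assumption:
# invented names and addresses, chosen so the demo runs offline).
CONSTRUCTED_PTR = {
    "192.0.2.10": ("cdn-edge-10.example.net", [], ["192.0.2.10"]),
    "192.0.2.20": ("mail.example.org", [], ["192.0.2.20"]),
}
CONSTRUCTED_FORWARD = {
    "cdn-edge-10.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],  # stale PTR: the name no longer points back
}


def fake_reverse(ip: str) -> Tuple[str, List[str], List[str]]:
    if ip not in CONSTRUCTED_PTR:
        raise socket.herror(1, "Unknown host")  # what a missing PTR looks like
    return CONSTRUCTED_PTR[ip]


def fake_forward(host: str) -> List[str]:
    return CONSTRUCTED_FORWARD.get(host, [])


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, reverse_pointer(addr), "->", classify(addr, fake_reverse, fake_forward))
```

Call `classify(ip)` with no extra arguments to use the real system resolver. Even a forward-confirmed name only tells you who the address belongs to; it does not by itself say whether the traffic is malicious, so treat the result as context for the blacklist decision rather than as a verdict.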

toby:

Independent of active or suspicious bot activity, there must be a certain activity coming from your clients. I would advise, in terms of protection, also focusing on the internal machines that originated the traffic. Based on this you might be able to determine whether the client is infected.


------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP
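One way to act on toby's advice, as an added example that is not part of the thread and not the Web Gateway's own reporting: take the gateway's proxy log, keep only the lines whose destination is one of the suspect-bot addresses, and group them by the internal client that made the connection, with hit count and first/last seen. A client that contacts the same suspect address repeatedly over hours is a far stronger infection indicator than a single hit, and the resulting list is the set of machines to examine. The log layout (timestamp, client IP, destination IP, destination hostname or "-", action) and the sample lines are constructed for this example and do not represent the product's actual log format.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed proxy log lines in a hypothetical space-separated layout:
#   timestamp client_ip dest_ip dest_host action
# "-" marks a destination with no hostname, as in the question.
SAMPLE_LOG = """\
2013-07-03T09:14:02 10.1.4.23 198.51.100.7 - allowed
2013-07-03T09:14:09 10.1.4.23 198.51.100.7 - allowed
2013-07-03T09:20:41 10.1.7.8 93.184.216.34 example.com allowed
2013-07-03T10:02:15 10.1.4.23 198.51.100.7 - allowed
2013-07-03T10:05:00 10.1.9.50 198.51.100.7 - allowed
2013-07-03T11:30:12 10.1.7.8 203.0.113.99 - blocked
"""

# Constructed list of addresses the gateway flagged as suspect bots.
SUSPECT_IPS: Set[str] = {"198.51.100.7", "203.0.113.99"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, dest, host, action = parts
        rows.append({"ts": ts, "client": client, "dest": dest,
                     "host": host, "action": action})
    return rows


def clients_per_suspect(rows: Iterable[Dict[str, str]],
                        suspect_ips: Set[str]) -> Dict[str, Dict[str, Dict]]:
    """Map each suspect destination to the internal clients that talked to it.

    Per client: hit count, first/last timestamp (ISO-8601 strings compare in
    order), and any hostnames seen for the destination.
    """
    summary: Dict[str, Dict[str, Dict]] = defaultdict(dict)
    for r in rows:
        if r["dest"] not in suspect_ips:
            continue
        rec = summary[r["dest"]].setdefault(
            r["client"], {"hits": 0, "first": r["ts"], "last": r["ts"], "hosts": set()})
        rec["hits"] += 1
        rec["first"] = min(rec["first"], r["ts"])
        rec["last"] = max(rec["last"], r["ts"])
        if r["host"] != "-":
            rec["hosts"].add(r["host"])
    return dict(summary)


def ranked_clients(summary: Dict[str, Dict[str, Dict]], dest: str) -> List[Tuple[str, int]]:
    """Internal clients for one suspect destination, most hits first."""
    return sorted(((c, rec["hits"]) for c, rec in summary.get(dest, {}).items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    summary = clients_per_suspect(parse_log(SAMPLE_LOG), SUSPECT_IPS)
    for dest in sorted(summary):
        print(f"suspect {dest}:")
        for client, hits in ranked_clients(summary, dest):
            rec = summary[dest][client]
            print(f"  {client}: {hits} hits, {rec['first']} .. {rec['last']}, "
                  f"hosts={sorted(rec['hosts']) or '-'}")
```

The blacklist entry stops further traffic to the address, but it does nothing for a client that is already infected; the clients at the top of this ranking are the ones to pull for a malware scan and process review.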