Tuesday, 22 October 2013

Stopping ZeroAccess Botnet in your Cisco ASA firewall

Is your LAN infected by the ZeroAccess botnet and you don't know which host it is, or maybe your IP address is on a blacklist like CBL or Spamhaus?

This was the case in the network of one of my clients. They appeared on the CBL blacklist for infection by ZeroAccess. CBL is linked to Spamhaus, and they couldn't send email.

The ZeroAccess botnet communicates peer-to-peer over UDP, so the fastest way to find out which PC is infected is to deny, in the firewall, all outbound UDP traffic on the inside interface, except from the DNS server and the NTP server.

Something like this on a Cisco ASA (dns_server and time_server stand for the addresses of your internal DNS and NTP servers):

access-list ACL_INSIDE permit udp host dns_server any eq domain
access-list ACL_INSIDE permit udp host time_server any eq ntp
access-list ACL_INSIDE deny udp any any
access-list ACL_INSIDE permit ip any any

access-group ACL_INSIDE in interface inside


Enable logging and set the buffer level high enough to catch the zombie. ACL denies are reported as message 106023 at warning severity (level 4), so buffering only errors (level 3) would miss them:

logging enable
logging buffered warnings

Then look at the output of "show logging" to find out which host is being blocked by the ACL.
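As an added example (not from the original post), a small Python script that parses the ASA's 106023 deny messages out of a saved "show logging" output and ranks inside hosts by how many distinct blocked UDP peers they tried to reach, which is what a P2P bot looks like compared with a legitimate host that hit the ACL once. The log lines are constructed; the ACL and interface names follow the post.

```python
import re
from collections import defaultdict

# Constructed sample of "show logging" output (not the client's real log); the
# 106023 message format is the ASA's own, the addresses are documentation ranges.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src inside:192.168.1.50/52341 dst outside:203.0.113.10/16471 by access-group "ACL_INSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.50/52342 dst outside:198.51.100.7/16465 by access-group "ACL_INSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.50/52343 dst outside:203.0.113.99/16470 by access-group "ACL_INSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.77/50012 dst outside:198.51.100.20/5060 by access-group "ACL_INSIDE" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.30/443 (198.51.100.30/443) to inside:192.168.1.77/49152 (203.0.113.1/49152)
"""

# The ASA's 106023 "Deny udp" message, emitted for an ACE without the log keyword.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny udp src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def udp_denies_by_host(log_text, acl="ACL_INSIDE", src_if="inside"):
    """Return {src_ip: {"denies": n, "dst_hosts": set, "dst_ports": set}} for
    UDP denies by the given ACL on the given interface; other lines are skipped."""
    stats = defaultdict(lambda: {"denies": 0, "dst_hosts": set(), "dst_ports": set()})
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m["acl"] != acl or m["src_if"] != src_if:
            continue
        entry = stats[m["src"]]
        entry["denies"] += 1
        entry["dst_hosts"].add(m["dst"])
        entry["dst_ports"].add(int(m["dport"]))
    return dict(stats)


def rank_suspects(log_text, min_dst_hosts=2):
    """List (src_ip, distinct_blocked_peers, denies), most peers first.
    A P2P bot is blocked toward many peers on high ports; a host blocked once
    toward one peer (a SIP phone, say) is an ACL exception to add, not a zombie."""
    stats = udp_denies_by_host(log_text)
    ranked = sorted(stats.items(),
                    key=lambda kv: (len(kv[1]["dst_hosts"]), kv[1]["denies"]),
                    reverse=True)
    return [(ip, len(s["dst_hosts"]), s["denies"])
            for ip, s in ranked if len(s["dst_hosts"]) >= min_dst_hosts]


if __name__ == "__main__":
    for ip, peers, denies in rank_suspects(SAMPLE_LOG):
        print(f"{ip}: blocked toward {peers} peers, {denies} UDP denies")
```

Feed it the real buffer with `show logging` saved to a file and read into `log_text`; hosts that show up with a single blocked peer are candidates for an extra permit line rather than for cleanup.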

This works even better combined with an outbound SMTP filter and a fail-safe security policy, that is, a default-deny stance (specify only what you allow and prohibit everything else).
