nithincs
Staff
Article Id 367037
Description This article describes how to block local network communication to Botnet IPs and Botnet Domains.
Scope FortiGate.
Solution

If a LAN PC or IoT device is compromised, it will generate traffic to, or try to communicate with, Botnet IPs and Botnet domains to fetch instructions or to perform certain tasks.

To identify compromised devices and to block any kind of malicious activity from these Bots, apply the security measures below on the FortiGate.

Once the device is registered with Advanced Malware Protection and FortiGuard IPS Service, FortiGate will get the Botnet domains, IPs, and Malicious URLs Database from the FortiGuard updates.

To check the latest database version information from the GUI, go to System -> FortiGuard.


To check the specific details from CLI, use the below commands:

ghost-kvm35 # dia autoupdate versions | grep -A5 "Botnet"
Botnet Domain Database
---------
Version: 3.00969 signed <----- Current Botnet Domain Database version.
Contract Expiry Date: Thu Apr 3 2025 <----- Contract info.
Last Updated using manual update on Tue Oct 1 04:39:34 2024
Last Update Attempt: Tue Oct 1 06:19:03 2024

ghost-kvm35 # dia autoupdate versions | grep -A5 "Internet-service Full Database"
Internet-service Full Database
---------
Version: 7.03876 signed <----- Current Internet-service Full Database version.
Contract Expiry Date: n/a
Last Updated using manual update on Tue Oct 1 04:39:34 2024
Last Update Attempt: Tue Oct 1 06:19:03 2024

The Internet Service Database includes Botnet C&C IP information. The current FortiGuard database version details are available at: Anti-Botnet Services.

If the database is not updated, verify the FortiGuard connectivity and run the below command to get the latest updates from the FortiGuard server.

execute update-now


Once the database is up to date, apply a DNS filter profile and an IPS profile to the FortiGate policy with the options below enabled.
Edit the DNS filter profile and enable 'Redirect botnet C&C requests to Block Portal':



CLI commands to apply the setting:

config dnsfilter profile
    edit <profile name>
        set block-botnet enable
    next
end

Edit the IPS profile, under Botnet C&C, and set Scan Outgoing Connections to Botnet Sites to Block.


CLI commands to apply the setting:

config ips sensor
    edit <profile name>
        set scan-botnet-connections block
    next
end

Apply the DNS filter and IPS profiles to the FortiGate IPv4 policy that allows DNS and Internet access for the local network.

  • If a Bot tries to communicate with the botnet server using a domain name, the FortiGate DNS filter will block the DNS query and resolve the domain name to the block-portal redirect IP instead, as in the DNS filter log below:

date=2024-10-01 time=07:45:35 eventtime=1727793935152332727 tz="-0700" logid="1501054601" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=1 srcip=172.31.195.2 srcport=60981 sdstip=8.8.8.8 dstport=53 dstcountry="United States" dstintf="port1" dstintfrole="undefined" proto=6 profile="default" xid=24839 qname="iksamen.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="iksamen.com"

  • If a Bot tries to communicate with the botnet server IP directly, the FortiGate IPS profile will block the access, as in the IPS log below:

date=2024-10-01 time=07:26:55 eventtime=1727792815627592077 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="root" msg="Botnet C&C Communication." severity="critical" srcip=172.31.195.2 srccountry="Reserved" dstip=1.123.37.68 dstcountry="Australia" srcintf="port4" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=53335 action="dropped" srcport=60798 dstport=80 proto=6 service="HTTP" policyid=1 poluuid="1170843e-7ffa-51ef-661c-df6d52a217d3" policytype="policy" profile="default" direction="outgoing" attack="NanoCore" attackid=7630215 ref="http://www.fortinet.com/be?bid=7630215" crscore=50 craction=4 crlevel="critical"
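To turn log entries like the two above into a triage list of internal hosts that hit botnet blocks, here is an added Python example (not Fortinet's code and not part of the article): it parses FortiGate key=value log lines and groups DNS filter redirects and IPS botnet drops by source IP. The regex and function names are my own; the sample lines are abbreviated from the article's two entries, plus one constructed benign DNS response.

```python
import re
from collections import defaultdict

# FortiGate UTM logs are space-separated key=value pairs; quoted values may
# contain spaces, e.g. msg="Botnet C&C Communication."
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def botnet_event(fields):
    """Return (srcip, source, indicator, action) for a botnet block, else None.
    DNS filter hits carry a botnetdomain field; IPS hits have eventtype=botnet."""
    if fields.get("subtype") == "dns" and fields.get("botnetdomain"):
        return (fields.get("srcip"), "dns", fields["botnetdomain"], fields.get("action"))
    if fields.get("subtype") == "ips" and fields.get("eventtype") == "botnet":
        return (fields.get("srcip"), "ips", fields.get("dstip"), fields.get("action"))
    return None

def compromised_hosts(lines):
    """Group botnet block events by internal source IP: these hosts need triage."""
    hosts = defaultdict(list)
    for line in lines:
        event = botnet_event(parse_fortigate_log(line))
        if event:
            hosts[event[0]].append(event[1:])
    return dict(hosts)

# Sample input: the article's two botnet entries abbreviated to the relevant
# fields, plus one constructed benign DNS response that must not be flagged.
SAMPLE_LOGS = [
    'date=2024-10-01 time=07:45:35 type="utm" subtype="dns" eventtype="dns-response" '
    'level="warning" srcip=172.31.195.2 dstip=8.8.8.8 dstport=53 qname="iksamen.com" '
    'ipaddr="208.91.112.55" msg="Domain was blocked by dns botnet C&C" '
    'action="redirect" botnetdomain="iksamen.com"',
    'date=2024-10-01 time=07:26:55 type="utm" subtype="ips" eventtype="botnet" '
    'level="warning" msg="Botnet C&C Communication." severity="critical" '
    'srcip=172.31.195.2 dstip=1.123.37.68 action="dropped" dstport=80 proto=6 '
    'service="HTTP" attack="NanoCore" attackid=7630215',
    'date=2024-10-01 time=07:50:00 type="utm" subtype="dns" eventtype="dns-response" '
    'level="information" srcip=172.31.195.7 dstip=8.8.8.8 qname="example.com" '
    'action="pass"',  # constructed benign line
]

if __name__ == "__main__":
    for ip, events in compromised_hosts(SAMPLE_LOGS).items():
        print(ip, events)
```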