How to block bots?

My ISP blocked my account because a computer in the network is part of a botnet, and it was used in a fast flux domain. Type of infection was sinkhole. I don't really know what all of that means, but can something be done on the MikroTik itself to prevent that from happening in the future?

Thanks

There is no general solution to block bots/trojans/etc. They are all different. You can install an IDS to detect suspicious botnet/CnC traffic. There are also a couple of lists with known botnet CnC server IP addresses. For example, www.abuse.ch is providing blacklists for Zeus/SpyEye/Palevo/Feodo malware.

Hunting for compromised hosts is an ongoing task and cannot easily be done with some generic firewall rules.

Hi guys,
Interesting topic I came across. I have set up a monitoring tool to monitor all our traffic, and recently we are seeing a lot of traffic from certain IPs, named bot-smokeloader and bot-ponyloader, trying to connect on our ASN network.

I was wondering if there is any way to block this traffic manually based on the IDS, like it's showing on the monitoring tool Cymru.

Any ideas on how this is done on the MikroTik?

Well, the issues:
a. you give access to the internet to users.
b. they click/phish/visit sites and get infected.

Now all that bad traffic is allowed outbound and the computer is now toast!
How to stop bad outbound traffic within all the regular allowed internet traffic is your question I guess.

Check out this as a potential answer because they do all the legwork for you to help detect and stop such activities within the capabilities of the router.
https://itexpertoncall.com/promotional/moab.html
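
The blocklist approach mentioned earlier in this thread, as an added example that is not part of any original post: a Python script that turns a plain-text list of known C2 addresses into RouterOS address-list commands, skipping malformed entries and anything that overlaps your own private ranges. The feed format, the sample addresses (documentation ranges, constructed), the list name `botnet-c2` and the log prefix are assumptions; only hosts already on the list are caught.

```python
import ipaddress

# Constructed sample in the style of a plain-text C2 blocklist
# (documentation-range addresses, not real indicators).
SAMPLE_FEED = """\
# constructed sample feed
192.0.2.10
198.51.100.0/28
192.0.2.10
10.0.0.5
not-an-ip
203.0.113.77  # trailing comment
"""
LIST_NAME = "botnet-c2"  # hypothetical address-list name
# Ranges that must never be imported: a bad feed entry would cut off the LAN.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
# Add once by hand: drops and logs LAN hosts that try to reach a listed address.
ONE_TIME_RULE = (f"/ip firewall filter add chain=forward "
                 f"dst-address-list={LIST_NAME} action=drop "
                 f'log=yes log-prefix="c2-out"')

def parse_feed(text):
    """Return sorted, de-duplicated IPv4 networks that are safe to import."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed entry: skip it rather than import it
        if net.version != 4 or any(net.overlaps(p) for p in PROTECTED):
            continue
        nets.add(net)
    return sorted(nets)

def render_rsc(nets):
    """Build commands that replace the address list with the current feed."""
    lines = [f"/ip firewall address-list remove [find list={LIST_NAME}]"]
    for n in nets:
        addr = str(n.network_address) if n.prefixlen == 32 else str(n)
        lines.append(f"/ip firewall address-list add list={LIST_NAME} address={addr}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_rsc(parse_feed(SAMPLE_FEED)))
    print("# one-time rule:", ONE_TIME_RULE)
```

Log entries with the `c2-out` prefix carry the source address of the internal machine that tried to reach a listed server, which is the host to investigate.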