Fortinet black logo

Cookbook

Botnet C&C domain blocking

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:105208
Download PDF

Botnet C&C domain blocking

FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

To configure botnet C&C domain blocking in the GUI:
  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Redirect botnet C&C requests to Block Portal.

  3. Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then from your internal network PC, use a command line tool such as dig or nslookup to send a DNS query to traverse the FortiGate to see the query blocked as a botnet domain. For example:

#dig canind.co
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co.                   IN      A

;; ANSWER SECTION:
canind.co.              60      IN      A       208.91.112.55  <<<==== botnet domain query blocked, redirect with portal-IP.

;; Received 43 B
;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms
To check the DNS Filter log in the GUI:
  1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS Filter log in the CLI:
(vdom1) # execute log filter category utm-dns

(vdom1) # execute log display 
2 logs found.
2 logs returned.

1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"

2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"

Botnet C&C IPDB blocking

FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address (resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C blocking.

To view the botnet IPDB list in the CLI:
(global) # diagnose sys botnet list 9000 10
9000. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0
9001. proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0
9002. proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0
9003. proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0
9004. proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0
9005. proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0
9006. proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0
9007. proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0
9008. proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0
9009. proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0

To see an example of how DNS Filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use Internet reverse lookup service to find its corresponding domain name. Then from your internal network PC, use a command line tool such as dig or nslookup to query this domain and see that it's blocked by DNS Filter botnet C&C blocking. For example:

# dig cpe-98-25-53-166.sc.res.rr.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; cpe-98-25-53-166.sc.res.rr.com.              IN      A

;; ANSWER SECTION:
cpe-98-25-53-166.sc.res.rr.com. 60      IN      A       208.91.112.55  <<<====  Since resolved IP address match the botnet IPDB, dns query blocked with redirect portal IP.

;; Received 64 B
;; Time 2019-04-05 11:06:47 PDT
;; From 172.16.95.16@53(UDP) in 0.6 ms
To check the DNS Filter log in the GUI:
  1. Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.

To check the DNS Filter log in the CLI:
1: date=2019-04-05 time=11:06:48 logid="1501054600" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166

2: date=2019-04-05 time=11:06:48 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN"
To check botnet activity:
  1. Go to Dashboard > Status and see the Botnet Activity widget.

    If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and add the Botnet Activity widget.

Botnet C&C domain blocking

FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

To configure botnet C&C domain blocking in the GUI:
  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Redirect botnet C&C requests to Block Portal.

  3. Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then from your internal network PC, use a command line tool such as dig or nslookup to send a DNS query to traverse the FortiGate to see the query blocked as a botnet domain. For example:

#dig canind.co
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co.                   IN      A

;; ANSWER SECTION:
canind.co.              60      IN      A       208.91.112.55  <<<==== botnet domain query blocked, redirect with portal-IP.

;; Received 43 B
;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms
To check the DNS Filter log in the GUI:
  1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS Filter log in the CLI:
(vdom1) # execute log filter category utm-dns

(vdom1) # execute log display 
2 logs found.
2 logs returned.

1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"

2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"

Botnet C&C IPDB blocking

FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address (resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C blocking.

To view the botnet IPDB list in the CLI:
(global) # diagnose sys botnet list 9000 10
9000. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0
9001. proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0
9002. proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0
9003. proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0
9004. proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0
9005. proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0
9006. proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0
9007. proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0
9008. proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0
9009. proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0

To see an example of how DNS Filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use Internet reverse lookup service to find its corresponding domain name. Then from your internal network PC, use a command line tool such as dig or nslookup to query this domain and see that it's blocked by DNS Filter botnet C&C blocking. For example:

# dig cpe-98-25-53-166.sc.res.rr.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; cpe-98-25-53-166.sc.res.rr.com.              IN      A

;; ANSWER SECTION:
cpe-98-25-53-166.sc.res.rr.com. 60      IN      A       208.91.112.55  <<<====  Since resolved IP address match the botnet IPDB, dns query blocked with redirect portal IP.

;; Received 64 B
;; Time 2019-04-05 11:06:47 PDT
;; From 172.16.95.16@53(UDP) in 0.6 ms
To check the DNS Filter log in the GUI:
  1. Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.

To check the DNS Filter log in the CLI:
1: date=2019-04-05 time=11:06:48 logid="1501054600" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166

2: date=2019-04-05 time=11:06:48 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN"
To check botnet activity:
  1. Go to Dashboard > Status and see the Botnet Activity widget.

    If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and add the Botnet Activity widget.