Hi there. We've just installed a Cyberoam UTM and are getting some indications that the server is taking part in an isc.org DDoS attack. I'm used to dealing with malware on PCs, but many server functions that would easily be flagged as suspicious from a desktop might just be normal on a server, so I'm asking for a bit of clarification more than anything.
Anyway, I've installed the full trial of Malwarebytes to make sure nothing has been infected. The full scan comes up clean but it blocks a handful of things a day from dns.exe (outgoing port 50650) and edgetransport.exe (incoming port 25), probably 20 entries or so. Is this normal for a server?
However, the Cyberoam device is picking up a lot of "DNS isc.org DDoS" attacks (3307 hits in 2 days), appearing to be FROM the server, which is worrying. So...
- Is this normal?
- Is there anything external that would cause the server to issue these attacks and, if so, how do I block them (from SBS or the Cyberoam box)?
- If there is something wrong with the SBS2008 DNS setup, how do I fix it?
- If there's some DNS nasty on the system and Malwarebytes can't see it, what else can (that's server-friendly) and is either free or modestly priced? The Cyberoam ought to be doing all the IPS/AV/AS scanning, so we don't want to go overboard on the server with security products.
If anyone knows how to configure IPS on a Cyberoam UTM, could they please guide me through the things I need to do to block these things rather than just monitor them. Calling Cyberoam usually gets things on their devices fixed but they're not geared up for tuition.
Note that SBS 2008 is on the same subnet as all the PCs (as is usual for SBS). The server is also the server for Exchange, DNS, DHCP and web (for RWW).
Edited by CtrlAltDale, 24 March 2014 - 09:20 AM.
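The pattern described in the post (an IPS signature naming isc.org, thousands of hits, traffic apparently originating from the DNS server) is the classic fingerprint of a recursive resolver that answers `ANY` queries for isc.org to anyone on the Internet: the requests arrive with a spoofed source address, so the large replies go to the victim and the server looks like the attacker. The following is an added example, not code from the original post, showing how a defender would confirm that from DNS query logs: it counts `ANY` queries from clients outside the LAN and flags the server as a suspected open resolver. The log line layout (timestamp, client IP, query type, name), the LAN range `192.168.1.0/24` and the sample lines are all constructed for this example; the Windows DNS debug log has its own format and would need its own regex.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines for this example. The field layout
# (timestamp, client IP, query type, name) is an assumption, not the
# Windows DNS debug-log format; adapt LINE_RE to the real log.
SAMPLE_LOG = """\
2014-03-24 09:01:02 198.51.100.7 ANY isc.org
2014-03-24 09:01:02 198.51.100.7 ANY isc.org
2014-03-24 09:01:03 203.0.113.5 ANY isc.org
2014-03-24 09:01:03 203.0.113.5 ANY isc.org
2014-03-24 09:01:04 192.168.1.20 A mail.example.local
2014-03-24 09:01:05 192.0.2.44 ANY isc.org
2014-03-24 09:01:06 192.168.1.21 MX example.com
2014-03-24 09:01:07 192.168.1.22 ANY isc.org
"""

# Assumed LAN range: the post says the SBS box shares one subnet with the PCs.
LAN = ipaddress.ip_network("192.168.1.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<name>\S+)$"
)


def parse_line(line):
    """Return (client_ip, qtype, name) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        client = ipaddress.ip_address(m.group("client"))
    except ValueError:
        return None
    return client, m.group("qtype"), m.group("name").lower().rstrip(".")


def find_amplification_abuse(log_text, lan=LAN, threshold=3):
    """Summarise ANY queries by whether the client is inside or outside the LAN.

    ANY queries for large zones (isc.org is the well-known one) arriving from
    arbitrary Internet addresses mean the server is recursing for the world and
    is being used as a reflector; the same query from a LAN host is ordinary.
    """
    external_any = Counter()   # name -> number of external ANY queries
    external_sources = set()
    internal_any = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, name = parsed
        if qtype != "ANY":
            continue
        if client in lan:
            internal_any += 1
        else:
            external_any[name] += 1
            external_sources.add(str(client))
    total_external = sum(external_any.values())
    return {
        "external_any_queries": total_external,
        "external_sources": sorted(external_sources),
        "top_names": external_any.most_common(5),
        "internal_any_queries": internal_any,
        "open_resolver_suspected": total_external >= threshold,
    }


if __name__ == "__main__":
    report = find_amplification_abuse(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the report shows external sources driving the `ANY isc.org` queries, the fix is on the network and resolver side rather than an anti-malware product: the SBS DNS server should only recurse for LAN clients, and UDP/TCP 53 from the WAN should not reach it unless it is intentionally authoritative for a public zone.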