02-25-2019 09:34 AM - edited 02-20-2020 09:08 PM
I'm trying to figure out an interesting case I have on hand. Our SF IPSes running on 6.1.0.3 (build 57) are detecting these CNC Torpig bot sinkhole server DNS lookup events coming from our internal Barracuda ESGs. We had called Barracuda technical support, but they can't find from their side what is causing the issue. I talked to Cisco TAC and they believe there is a client relaying DNS queries through these Barracuda boxes. Has anyone experienced this same issue I'm having?
03-25-2019 02:07 PM
Hello antonioa, I am experiencing this issue as well right now. Was this issue ever resolved?
05-10-2019 03:30 AM
Hello,
We are seeing a similar issue. Did either of you manage to find the problem?
05-10-2019 07:55 AM
Still not resolved on my end.
05-24-2019 07:16 AM
I am also seeing this particular situation.
06-07-2019 01:29 PM
01-22-2020 10:14 AM
I had the same issue/event.
From previous inquiries to Barracuda support I know that the Barracuda will parse an email and follow the links looking for nefarious content.
Googling the error, I find that what's happening is someone is doing a DNS lookup on a known botnet domain. That lookup is being redirected to a "sinkhole" server that will blackhole the attempted botnet connection.
Unless your Firepower is in Drop mode, you should see that the Barracuda (hopefully) blocks this email.
Pete
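To triage events like the ones in this thread, it helps to separate sinkholed lookups made by a link-following mail gateway (expected, per Pete's explanation) from the same lookups made by an ordinary workstation (the relaying client TAC suggested looking for). The script below is an added example, not code from the thread or from Cisco or Barracuda; the gateway addresses, sinkhole network, domain names and the simplified "timestamp src qname answer" log format are all constructed placeholders.

```python
"""Triage DNS-sinkhole IPS events by the role of the querying host."""
import ipaddress
from collections import Counter

# Constructed inventory of internal hosts that are mail gateways and follow
# links in scanned mail (hypothetical RFC 5737 addresses).
MAIL_GATEWAYS = {"192.0.2.10", "192.0.2.11"}

# Constructed placeholder for networks that sinkhole operators answer with.
SINKHOLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed, simplified DNS log (not Firepower's real event format).
SAMPLE_LOG = """\
2019-02-25T09:30:01 192.0.2.10 bot-c2.example.invalid 198.51.100.7
2019-02-25T09:30:05 192.0.2.10 mail.example.com 203.0.113.25
2019-02-25T09:31:12 192.0.2.55 bot-c2.example.invalid 198.51.100.7
2019-02-25T09:31:40 192.0.2.11 bot-c2.example.invalid 198.51.100.7
2019-02-25T09:32:03 192.0.2.56 update.example.com 203.0.113.40
"""


def is_sinkholed(answer: str) -> bool:
    """True when the resolved address falls inside a known sinkhole network."""
    addr = ipaddress.ip_address(answer)
    return any(addr in net for net in SINKHOLE_NETS)


def triage(log_text: str) -> dict:
    """Count sinkholed lookups per (source, qname), split by host role.

    'gateway' hits are expected side effects of link scanning; 'client' hits
    are workstations that resolved a botnet name and need investigation.
    """
    buckets = {"gateway": Counter(), "client": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, qname, answer = line.split()
        if not is_sinkholed(answer):
            continue  # ordinary lookup, not a sinkhole event
        role = "gateway" if src in MAIL_GATEWAYS else "client"
        buckets[role][(src, qname)] += 1
    return buckets


def hosts_needing_follow_up(log_text: str) -> list:
    """Non-gateway hosts that hit a sinkhole, sorted for the ticket."""
    return sorted({src for (src, _q) in triage(log_text)["client"]})


if __name__ == "__main__":
    for role, counter in triage(SAMPLE_LOG).items():
        for (src, qname), n in counter.items():
            print(f"{role:8} {src:15} {qname:28} x{n}")
    print("follow up:", hosts_needing_follow_up(SAMPLE_LOG))
```

Feed it your own gateway list and the sinkhole answers seen in the IPS events; a non-empty follow-up list is the client TAC described, while gateway-only hits match the link-scanning behaviour Barracuda support confirmed.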