Difference between revisions of "WAF 370145"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |title= Rule 370145 |header1 = Status: Active |header2 = Alert Message: <br>Atomicorp.com WAF Rules: Known wormsign }} = Description = This rule detects the Pushdo...")
 
m (Description)
Line 7: Line 7:
 
= Description =
 
= Description =
  
This rule detects the Pushdo botnet's "smokescreen" connections.  These connections are used by the botnet to hide its connections by connecting to sites that are not part of the botnet.   
+
This rule detects "smoke screen" connections from Pushdo botnet clients.  These connections are used by the botnet, on the remote client, to hide its connections by connecting to sites that are not part of the botnet.   
  
These connections do not mean the system has been compromised by this botnet.
+
These connections do not mean your system has been compromised by this botnet.  The botnet generates "smoke screen" or cover traffic to hide from the remote client in the "noise" generated by all the bogus connections.  The intent is to try to prevent the remote client from detecting the botnets connections.
 +
 
 +
These connections to your system, however, may present a Distributed Denial of Service risk if there are a large volume of compromised clients connecting to your system.  To help alleviate this, this rule will "drop" the connection from the client and will not return an error.  This is to reduce the load on the web server.  If [[ASL]] is being used, ASL will shun the compromised clients with a firewall rule.
  
 
= Troubleshooting =
 
= Troubleshooting =

Revision as of 15:22, 19 September 2012

Rule 370145
Status: Active
Alert Message:
Atomicorp.com WAF Rules: Known wormsign

Contents

Description

This rule detects "smoke screen" connections from Pushdo botnet clients. These connections are used by the botnet, on the remote client, to hide its connections by connecting to sites that are not part of the botnet.

These connections do not mean your system has been compromised by this botnet. The botnet generates "smoke screen" or cover traffic to hide from the remote client in the "noise" generated by all the bogus connections. The intent is to try to prevent the remote client from detecting the botnets connections.

These connections to your system, however, may present a Distributed Denial of Service risk if there are a large volume of compromised clients connecting to your system. To help alleviate this, this rule will "drop" the connection from the client and will not return an error. This is to reduce the load on the web server. If ASL is being used, ASL will shun the compromised clients with a firewall rule.

Troubleshooting

False Positives

None.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

None. It is not recommended that you disable this rule. However if you wish to, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

New Pushdo variant infects more than 100k computers

Pushdo botnet's smokescreen traffic hits legitimate websites

Notes

None.

Personal tools