topic Re: C&C Traffic Direction re China Chopper in Advanced Threat Prevention Discussions

C&C Traffic Direction re China Chopper

djr — Thu, 13 Sep 2018 08:20:00 GMT

Hi, sorry if this is a stupid question, maybe we need a Reddit-style "ELI5" forum ;o)

I have been turning a blind eye to a background hum of China Chopper alerts for some time, so I thought I would try to understand what is going on. The thing is the threat reports are showing Inbound China Chopper C&C traffic to some of our servers. It's presumably being dropped as per our profiles, but I am pretty sure we are not hosting C&C servers. I could believe we somehow got infected but I would expect that would result in Outbound C&C traffic, so why would the C&C traffic be inbound to my servers from seemingly random internet sources?

Thanks.

Re: C&C Traffic Direction re China Chopper

smc007 — Thu, 13 Sep 2018 15:27:07 GMT

My experience with this is similar, I know we don't have any infections but we get frequent China Chopper packets coming in. I have set the threatID to block because when I look at the Geo location of the source IP, it's always from questionable locations. I have been blocking this traffic for two months without any issues.

Re: C&C Traffic Direction re China Chopper

OtakarKlier — Tue, 18 Sep 2018 14:43:00 GMT

Hello,

I would say as long as your PAN is blocking/dropping the traffic inbound, you should be OK.

You can always open a TAC case to verify.

Regards,