Regarding sinkholed hosts



L3 Networker

Hello Bros,

We have subscribed to Palo Alto DNS Security and the license has been applied to the device.

Rules with anti-spyware "dns-security sinkhole action enabled".

Now regarding the hosts with sinkhole action: that means these hosts are trying to connect to malicious domains.

These attempts are blocked, but are there any other recommended actions to be taken towards these hosts? Is there a recommended method to stop them from trying to connect to these malicious domains?

TIA

MR

Accepted Solutions

L7 Applicator

Hi @MRamadanAHafiez

The recommendation would be to check these hosts for some sort of malware/spyware running which tries to connect to these domains. With the sinkhole feature it shows you these hosts, which otherwise wouldn't be identified.

The little problem is to differentiate whether it really was some sort of malware or only connections made by the users' browsers, which are probably the reason for most of the sinkholed connections. It's not (my assumption) that users directly connect to these domains; these requests are because of advertisements on the actual websites or because of malicious scripts that somehow get executed on the websites that the users open.

So there is no way to fully stop clients connecting to domains which are redirected to the sinkhole, but it still is a very helpful feature to identify clients which should be checked.


4 REPLIES


Thank you so much Bro.

MR

L1 Bithead

If you are using XDR you can set up an IOC to alert when a client connects to the sinkhole IP. Then put an exclusion on the alert if it is coming from a browser, and then investigate any endpoint that has a process other than a browser connecting to the sinkhole.
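The triage logic the reply above describes (alert on connections to the sinkhole address, exclude browser processes, list what is left) as an added example that is not part of this thread or of any Palo Alto product: it runs over constructed endpoint connection records in an assumed `timestamp|host|process|dst_ip|dst_port` format, and the sinkhole address is a placeholder standing in for whatever is configured in the Anti-Spyware profile.

```python
from collections import defaultdict

# Assumption: placeholder for the sinkhole address set in the Anti-Spyware profile.
SINKHOLE_IP = "198.51.100.7"

# Browser processes are excluded from alerting, as the reply suggests; ad- and
# script-driven lookups from these are expected and not by themselves suspicious.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}

# Constructed sample records: timestamp|host|process|dst_ip|dst_port
SAMPLE_LOG = """\
2024-05-01T09:00:01|PC-101|chrome.exe|198.51.100.7|443
2024-05-01T09:00:05|PC-101|chrome.exe|198.51.100.7|80
2024-05-01T09:01:10|PC-202|svchost.exe|198.51.100.7|443
2024-05-01T09:02:30|PC-303|updater.exe|198.51.100.7|8080
2024-05-01T09:02:31|PC-303|updater.exe|198.51.100.7|8080
2024-05-01T09:03:00|PC-404|firefox.exe|203.0.113.9|443
"""


def parse_records(text):
    """Parse pipe-separated records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst_ip, dst_port = line.split("|")
        records.append({"ts": ts, "host": host, "process": proc.lower(),
                        "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return records


def sinkhole_hits(records, sinkhole_ip=SINKHOLE_IP):
    """Every record whose destination is the sinkhole address (the raw IOC match)."""
    return [r for r in records if r["dst_ip"] == sinkhole_ip]


def hosts_to_investigate(records, sinkhole_ip=SINKHOLE_IP):
    """host -> {process: hit count} for non-browser processes that reached the sinkhole."""
    suspects = defaultdict(lambda: defaultdict(int))
    for r in sinkhole_hits(records, sinkhole_ip):
        if r["process"] in BROWSER_PROCESSES:
            continue  # browser exclusion
        suspects[r["host"]][r["process"]] += 1
    return {host: dict(procs) for host, procs in suspects.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(len(sinkhole_hits(recs)), "sinkhole connections")
    for host, procs in hosts_to_investigate(recs).items():
        print(host, procs)
```

Without endpoint process data (no XDR), the same grouping can be done on the firewall's traffic logs by source address alone, at the cost of losing the browser exclusion.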

Thank you for participating, but unfortunately we don't have XDR.

MR