Internal IP's hitting sinkhole policy


L3 Networker

Hello all,

We have a sinkhole configured on our PA440, and we're seeing some IPs hitting it and getting sinkholed. There's one endpoint that's an old NT4 legacy machine that runs in our production environment, and other ones that are Windows and probably Wi-Fi endpoints like phones. I have no way of scanning the old NT4 box, and it only ran our production app made for manufacturing. The other endpoints showing on the sinkhole log that are Windows 10 do have anti-malware and are monitored by our MSSP. Should I open a PAN support ticket and have them analyze pcaps?

Thanks in advance.


7 REPLIES

Cyber Elite

Hi @cdcirexx ,

If you have Premium support on your NGFW, you could open a PANW support ticket with the Security Assurance service.  https://www.paloaltonetworks.com/services/solution-assurance/premium-support

If you don't have Premium support, I do not know if they will help you.

The most common causes of DNS sinkholes in my environment have been (1) ads where a safe website redirected the user to a blocked domain, or (2) false positives such as mask.apple-dns.net, which is blocked as proxy avoidance or anonymizer. I think it is used by iCloud.

The first thing that you would want to do is determine the domain requested. If you do not have an internal DNS server, or you have a NGFW between your user and DNS server, you can see the domain under Monitor > Logs > Threat ( action eq 'sinkhole' ). If you have an internal DNS server, the source IP address for those logs will be it. You would check the logs on the DNS server. If you have EDR software on the endpoint, it may also record the activity. Otherwise, you may need a packet capture as you mentioned.

After you determine the sinkholed domain, you will need to determine what process initiated the request. That's even harder. EDR software can help significantly.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
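As an added example of the step Tom describes (not code from this thread or from Palo Alto Networks): when the firewall Threat log shows the internal DNS server as the source of a sinkholed query, the DNS server's own query log is what maps the domain back to the real client. The script below parses constructed sample lines written in the style of a Windows DNS Server debug log (the IPs and the benign domain are made up; the sinkholed domain is the one named in the thread) and counts which clients asked for each sinkholed name. The log layout, the subdomain-match rule and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Windows DNS Server debug log
# (Rcv = query received from a client, Snd = response sent back). The IPs
# and the benign domain are made up; the (n)label(n)label(0) name encoding
# is how that log writes query names.
SAMPLE_DNS_LOG = """\
3/4/2024 9:12:01 AM 0A4C PACKET  000000A7B1C2D3E0 UDP Rcv 10.20.30.41  0002   Q [0001   D   NOERROR] A      (7)zxxyyrf(3)com(0)
3/4/2024 9:12:01 AM 0A4C PACKET  000000A7B1C2D3E0 UDP Snd 10.20.30.41  0002 R Q [8081   DR  NOERROR] A      (7)zxxyyrf(3)com(0)
3/4/2024 9:12:05 AM 0A4C PACKET  000000A7B1C2D4F1 UDP Rcv 10.20.30.77  0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/4/2024 9:13:10 AM 0A4C PACKET  000000A7B1C2D5A2 UDP Rcv 10.20.30.9   0004   Q [0001   D   NOERROR] A      (4)cdn1(7)zxxyyrf(3)com(0)
3/4/2024 9:13:12 AM 0A4C PACKET  000000A7B1C2D6B3 TCP Rcv 10.20.30.41  0005   Q [0001   D   NOERROR] A      (7)ZXXYYRF(3)COM(0)
"""

# Domains read off the firewall under Monitor > Logs > Threat (action eq 'sinkhole').
SINKHOLED_DOMAINS = ["zxxyyrf.com"]

# Only inbound client queries: "<proto> Rcv <client> <id> Q [flags] <type> <encoded name>"
QUERY_RE = re.compile(
    r"\b(?:UDP|TCP)\s+Rcv\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+\w+\s+Q\s+\[[^\]]*\]\s+\w+\s+(?P<name>\(\d+\)\S*)"
)

def decode_labels(encoded: str) -> str:
    """Turn '(7)zxxyyrf(3)com(0)' into 'zxxyyrf.com' (lower-cased)."""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^()]*)", encoded) if lab]
    return ".".join(labels).lower()

def is_sinkholed(qname: str, sinkholed: list[str]) -> bool:
    """Exact match or subdomain match (assumption: the signature covers subdomains)."""
    return any(qname == d or qname.endswith("." + d) for d in map(str.lower, sinkholed))

def attribute_sinkhole_queries(log_text: str, sinkholed: list[str]) -> dict[str, dict[str, int]]:
    """Map each sinkholed query name to {client_ip: query_count}. The firewall's
    Threat log shows the DNS server as source; this recovers the real clients."""
    hits: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qname = decode_labels(m.group("name"))
            if is_sinkholed(qname, sinkholed):
                hits[qname][m.group("client")] += 1
    return {q: dict(c) for q, c in hits.items()}

if __name__ == "__main__":
    for qname, clients in attribute_sinkhole_queries(SAMPLE_DNS_LOG, SINKHOLED_DOMAINS).items():
        print(qname, "<-", ", ".join(f"{ip} ({n} queries)" for ip, n in sorted(clients.items())))
```

The response line (Snd) and the benign query are ignored, and the mixed-case TCP query is folded into the same client count, so the output lists only the endpoints that actually asked for the sinkholed names.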

L3 Networker

Hello Tomyoung,

Thanks for the reply. Yeah, we do have internal DNS, and they show on the threat logs sinkholing a bunch of random domain names like zxxyyrf.com; I'm sure they are malicious domains. We have an MSSP that's got things in place like SIEM and XDR from Fortinet; on our DCs they installed a device called Stellar Cyber and it collects a bunch of logs. They said this would show up on their systems if something does come up.

So could those just be ads our internal clients are trying to reach out to? When I typed in the IP address of the PAN sinkhole, that's when I saw some endpoints reaching out to it. Our MSSP thinks we have some kind of C2 that's reaching out to its main hosts.

Thanks again.

Cyber Elite

Hello,

Unless required, I would lock down those systems in their own VLAN, locked down by security policies, as well as restricting access to the internet. If the systems are that old, maybe just keep blocking the traffic or find an older scanner that can scan the systems.

Regards,

Cyber Elite

Hi @cdcirexx ,

Those domains do not look good. They do not look like ads. @OtakarKlier has some good ideas about quarantining those devices. I would reach out to your SIEM/XDR MSSP for the next steps.

Thanks,

Tom


L3 Networker

Thanks to all for the informative answers, guys. I do have all my production machines in their own VLAN and blocked from internet access. And after having a chat with our MSSP, they're advising us to put a FG firewall in front of the PA440. I was trying to let them know it may not make a difference or might cause performance issues; they're concerned that the PA440 might have allowed the C2 malware in. Our company is working on getting our CMMC certification, so this is causing concern among upper management.

Cyber Elite

If it is a FG in L2 mode only for the incident, then fine. As long as it gets them looking at the machines. Their most pressing task is to do incident response (IR) on the machines. If they are arguing for a permanent solution, then they need to refocus on IR.


Yes, I suggested putting the FG in transparent mode. I think they are agreeing on it; we'll see how it goes next week, as we're supposed to meet with them on the next steps.
