What Is A Botnet Filter On Sonicwall?


Introduction

A botnet filter indicates that the sending address of an email is listed on the Spamhaus Botnet CIDR blocklist.

A bot, or “robot”, is a computer program that runs automated tasks over the Internet. A person who controls a large number of computers running these programs, known as a “bot herder”, can create and control a botnet: a network of compromised computers distributed around the Internet. When directed, each member of the network sends spam or malicious content to millions more machines over third-party communication channels such as SMTP mail servers (port 25/tcp). The combined traffic generated by all members of the network amounts to a flood against target services or systems, which results in denial of service (DoS) for legitimate users.
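The lookup described at the start of this section, a sender address tested against a CIDR blocklist, shown as an added example (it is not SonicWall's or Spamhaus's code). The one-CIDR-per-line format with `;` comments, the function names and every address are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data throughout; assumed list format: one CIDR per line, ';' comment.
SAMPLE_BLOCKLIST = """\
; constructed sample (RFC 5737 / RFC 3849 ranges), not Spamhaus data
192.0.2.0/24 ; sample-entry-1
198.51.100.128/25 ; sample-entry-2
2001:db8:bad::/48 ; sample-entry-3
not-a-cidr ; malformed line, skipped by the loader
"""

def load_blocklist(text):
    """Parse CIDR lines into network objects, skipping comments and bad lines."""
    networks = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed entry: skip it, keep the rest of the list
    return networks

def match_blocklist(address, networks):
    """Return the listed network containing `address`, or None."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None  # unparseable address cannot be matched
    # Compare an IPv4-mapped IPv6 sender (::ffff:a.b.c.d) as plain IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in networks:
        if net.version == ip.version and ip in net:
            return net
    return None

def filter_senders(senders, networks):
    """Split sender addresses into (blocked, allowed) lists."""
    blocked, allowed = [], []
    for s in senders:
        hit = match_blocklist(s, networks)
        (blocked if hit is not None else allowed).append(s)
    return blocked, allowed

SENDERS = ["192.0.2.45", "198.51.100.20", "198.51.100.200",
           "::ffff:192.0.2.9", "2001:db8:bad::1", "203.0.113.7"]
BLOCKED, ALLOWED = filter_senders(SENDERS, load_blocklist(SAMPLE_BLOCKLIST))
```

Two of the constructed senders fall in the same /24 as a listed /25 but only the one inside the listed half is blocked, and the IPv4-mapped IPv6 form of a listed address is still caught.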

Botnet and SonicWall

A botnet is a network of private computers that have been compromised by attackers and infected with malicious software. Its power lies in its numbers. Botnets can be used to send or relay spam, launch denial-of-service attacks, steal data and provide an infrastructure for other nefarious actions. For a while now, spam has been in decline thanks to legitimate e-mail providers strengthening their systems so they can withstand the onslaught of junk mail. But spammers seem to have found a way around these filters: instead of sending messages from a single source, they send them from large numbers of compromised machines under their control, called botnets.

Botnets are becoming more and more popular among spammers because they can use the PCs of unsuspecting users to send spam. The majority of botnets consist of computers that have been infected with viruses or Trojans via e-mail attachments, chat messages, fake codecs or malicious websites. These infections often go unnoticed by the user who falls victim to them, because often there is no visible change on the computer to show that it has been compromised.

SonicWall is the world’s leading provider of high-performance network security appliances, with over 500,000 deployed worldwide. SonicWall provides an extensive suite of award-winning gateways featuring intrusion prevention (IPS), anti-virus, anti-spyware, application intelligence, URL filtering, anti-spam, location-based deep packet inspection (DPI), VPN and WAN optimization to protect users from network-based threats.

Do I really need a botnet filter on my SonicWall?

A Spamhaus Botnet CIDR blocklist can be used in SonicOS Enhanced or higher platforms, so you don’t need to have the filter installed in your hardware if you are running this version of firmware. However, having the filter will allow you to take advantage of other features including Anti-Spam, Intrusion Prevention and Application Control.

Disabling Botnet Filters:

There are two ways that you can disable the botnet filter for your particular IP address(es):

1. Disable inbound packets with source addresses matching any of the bots listed in SBL/XBL/XML feeds. This can be done by creating a TCP, UDP or ICMP firewall address/port rule for the specific protocol and enabling the checkbox “Block incoming packets with source addresses listed in Spamhaus XBL/SBL”.

2. Disable all botnet traffic using the SonicWall anti-botnet cloud service.

Merits of Botnet Filter on SonicWall:

* Prevents Denial of Service attacks against your network or devices

* Controls the amount of bandwidth being consumed on the internet

* Blocks unrequested connections to public facing services, e.g. HTTP web server, FTP file transfer service etc.

Abilities of Botnet Filter on SonicWall:

* A complete view into all botnet traffic that has passed through your device(s), including an actionable report (Export as CSV File) to assist with any further investigation.

Weaknesses of Botnet Filter on SonicWall:

* If you see more than one of your IPs listed, then it is likely that at least one other administrator on your network has already blocked the first botnet address. You will need to contact them to confirm which IP has been blacklisted.

* There is no support for IPv6 yet (coming soon!)

* The filters only work for outbound botnet traffic; there currently isn’t a way to block inbound botnets

Conclusion:

Botnet filters on SonicWall are a good feature that every business should have. An anti-botnet spam filter can block or prevent a denial-of-service attack from a compromised network or device, and controls the amount of bandwidth being consumed by an individual or company. It also helps to protect public services such as an HTTP web server or FTP file transfer from unrequested connections, which can lead to DoS attacks. A complete view into all botnet traffic that has passed through your device(s), an actionable report (Export as CSV File) to assist with any further investigation, and support for IPv4 and IPv6 protocols make it worth having one in your office today! The filters only work for outbound botnet traffic; there is currently no way to block inbound botnets, but it is coming soon.
