Command And Control Servers: More Information
Command and control (C&C) servers remotely send malicious commands to a botnet, or a network of compromised computers. The botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.
When a host on your network tries to initiate contact with a possible C&C server on the Internet, the SRX Series Firewall can intercept the traffic and perform an enforcement action based on real-time feed information from Juniper ATP Cloud. The Web UI identifies the C&C server IP address, its threat level, the number of times the C&C server has been contacted, and so on.
An FP/FPN button lets you report a false positive or false negative for each C&C server listed. When you report a false negative, Juniper ATP Cloud assigns the C&C server a threat level equal to the global threat level threshold you set in the misc configuration (Configure > Misc Configuration).
Juniper ATP Cloud blocks that host from communicating with the C&C server and, depending on your configuration settings, can still allow the host to communicate with servers that are not on the C&C list. The C&C threat level is calculated using a proprietary algorithm.
You can also use the show services security-intelligence statistics or show services security-intelligence statistics profile profile-name CLI commands to view C&C statistics.
user@root> show services security-intelligence statistics
Category Whitelist:
Profile Whitelist:
Total processed sessions: 0
Permit sessions: 0
Category Blacklist:
Profile Blacklist:
Total processed sessions: 0
Block drop sessions: 0
Category CC:
Profile cc_profile:
Total processed sessions: 5
Permit sessions: 4
Block drop sessions: 1
Block close sessions: 0
Close redirect sessions: 0
Category JWAS:
Profile Sample-JWAS:
Total processed sessions: 0
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Category Infected-Hosts:
Profile hostintel:
Total processed sessions: 0
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
In the following example, the C&C profile name is cc_profile.
user@root> show services security-intelligence statistics profile cc_profile
Category CC:
Profile cc_profile:
Total processed sessions: 5
Permit sessions: 4
Block drop sessions: 1
Block close sessions: 0
Close redirect sessions: 0
You can also use the show services security-intelligence category detail category-name category-name feed-name feed-name count number start number CLI command to view more information about the C&C servers and their threat level. Set both count and start to 0 to display all C&C servers.
For example:
user@root> show services security-intelligence category detail category-name CC feed-name cc_url_data count 0 start 0
Category name :CC
Feed name :cc_url_data
Version :20160419.2
Objects number:24331
Create time :2016-04-18 20:43:59 PDT
Update time :2016-05-04 11:39:21 PDT
Update status :Store succeeded
Expired :No
Options :N/A
{ url:http://g.xxxxx.net threat_level:9}
{ url:http://xxxx.xxxxx.net threat_level:9}
{ url:http://xxxxx.pw threat_level:2}
{ url:http://xxxxx.net threat_level:9}
...
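The two outputs above are what an operator would poll to watch for hosts being blocked on their way to a C&C server. The following Python is an added example, not Juniper code: it parses the statistics output into per-category, per-profile counters, sums the blocked (drop plus close) sessions for a category, and filters the category detail feed lines by threat level. The sample text is constructed in the format shown on this page (the counter values and the masked hosts are assumed, not real feed data).

```python
import re

# Constructed sample in the format of "show services security-intelligence statistics"
SAMPLE_STATS = """\
Category CC:
Profile cc_profile:
Total processed sessions: 5
Permit sessions: 4
Block drop sessions: 1
Block close sessions: 0
Close redirect sessions: 0
Category Infected-Hosts:
Profile hostintel:
Total processed sessions: 2
Block drop sessions: 2
"""

# Constructed sample of the entry lines printed by "category detail" (hosts masked)
SAMPLE_FEED = """\
{ url:http://g.xxxxx.net threat_level:9}
{ url:http://xxxxx.pw threat_level:2}
{ url:http://xxxxx.net threat_level:7}
"""

def parse_statistics(text):
    """Return {category: {profile: {counter_name: int}}} from the statistics output."""
    stats, category, profile = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Category ") and line.endswith(":"):
            category = line[len("Category "):-1]          # e.g. "CC"
            stats.setdefault(category, {})
        elif line.startswith("Profile ") and line.endswith(":"):
            profile = line[len("Profile "):-1]            # e.g. "cc_profile"
            stats[category].setdefault(profile, {})
        elif ":" in line and category and profile:
            name, value = line.rsplit(":", 1)             # "Block drop sessions: 1"
            stats[category][profile][name.strip()] = int(value)
    return stats

def blocked_sessions(stats, category):
    """Sessions blocked (drop + close) across all profiles of one category; 0 if absent."""
    return sum(c.get("Block drop sessions", 0) + c.get("Block close sessions", 0)
               for c in stats.get(category, {}).values())

# Matches one feed entry line: "{ url:<url> threat_level:<n>}"
FEED_RE = re.compile(r"\{\s*url:(\S+)\s+threat_level:(\d+)\s*\}")

def feed_entries_at_or_above(text, threshold):
    """(url, threat_level) pairs from category detail output with level >= threshold."""
    return [(u, int(t)) for u, t in FEED_RE.findall(text) if int(t) >= threshold]
```

A non-zero result from blocked_sessions(stats, "CC") is the signal worth alerting on, since it means a host on the network attempted contact with a listed C&C server and was stopped.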