Command and Control Servers Overview
The Command and Control (C&C) servers page lists information on servers that have attempted to contact and compromise hosts on your network. A C&C server is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.
C&C and Geo IP filtering feeds are only available with ATP Cloud premium license.
When managing ATP Cloud with Security Director, you must select ATP Cloud realm from the available pulldown.
When a host on your network tries to initiate contact with a possible C&C server on the Internet, the SRX Series device can intercept the traffic and perform an enforcement action based on real-time intelligence feed information that identifies the C&C server IP address and URL.
Export Data—Click the Export button to download C&C data to a CSV file. You are prompted to narrow the data download to a selected time-frame.
Report False Positives—Click the FP/FN button to launch a new screen which lets you send a report to Juniper Networks, informing Juniper of a false position or a false negative. Juniper will investigate the report, however, this does not change the verdict. If you want to make a correction (mark system as clean) you must do it manually.
Table 1 provides the following information available on the C&C page.
Field |
Definition |
---|---|
C&C Server |
The IP address of the suspected command and control server. |
C&C Threat Level |
The threat level of the C&C server as determined by an analysis of actions and behaviors. |
Hits |
The number of times the C&C server has attempted to contact hosts on your network. |
C&C Country |
The country where the C&C server is located. |
Last Seen |
The date and time of the most recent C&C server hit. |
Protocol |
The protocol (TCP or UDP) the C&C server used to attempt communication. |
Client Host |
The IP address of the host the C&C server attempted to communicate with. |
Action |
The action taken on the communication (permitted or blocked). |