Help finding a (possibly) infected device on home network

Ubuntu Version:
Ubuntu 24.04.2 LTS

Desktop Environment (if applicable):
GNOME (default)

Problem Description:
I recently received a notification from my ISP (I have validated that it IS genuine). They notified me that they have detected “Avalanche botnet” traffic from my IP.
I need help on the best/easiest way to confirm that there IS/ARE device(s) on my network which are infected.

Relevant System Information:
I understand this is not strictly an Ubuntu/Linux topic. However, most of the computers on my home network are running Ubuntu, a couple of work laptops are running Win11, and there are a bunch of IoT devices.
If it’s relevant, I have a Mikrotik router and an OMADA 660 AP.

I do see a few programs online to detect the botnet. However, they run on Windows.
What I am hoping to hear (and which I am unable to easily locate online) is some sort of signature activity in my network traffic which I can detect using software like Wireshark.

Also, from what I read online, this botnet was taken down in 2016. So I find this communication from the ISP highly unusual.

Welcome to the community!

Since you have been informed that your ISP detected suspicious traffic linked to your IP, you probably should ask them what hints they have found.

Another option (which I would prefer with your network clients) would be to add a physical firewall to your network. There are free firewall OSes for home use out there (you only need appropriate hardware). For example:

Thank you @g-schick (btw I am a fan of G-Shock).
Dealing with the ISP is not a pleasant experience. I was hoping to avoid it, but I can if there’s no alternative.
As to your suggestions for firewalls, the router I have is full-fledged and highly capable. And when I set it up, I think I did it well enough, though I’m not a network engineer.
I will look into my existing rules and see what I can improve. And that’s one of the reasons I am looking for the signature activity, so that I can tweak the rules.

While your router’s integrated firewall gives you some options, a physical firewall will give you even more options for inspecting traffic, managing clients and handling packets. Even known threats may be recognized.

As far as I know, botnet clients need to connect to a command-and-control server, so connections to IPs or domains known to belong to such a server may be suspicious.

Wasn’t there a sinkhole server set up to identify all the Avalanche clients when they shut down the botnet? I’d try to find out the IP (or DNS name) of that sinkhole; then it should be easy to identify which of your machines tries to contact it via a simple tcpdump.


@g-schick , @ogra
Thank you. Yes, and that is something I have been looking for: the IPs of the C&C.
Yes, the authorities took down the botnet 9 years ago.
I do have Pi-hole installed, and its logs are helpful. And I can run Wireshark ad hoc to get even more data. And even my router can give me the details.
My problem is “what to look for”. I have data.
I have the hay. I need to know what the needle looks like.

I found this list of sinkhole servers on GitHub.
Maybe the sinkhole server with IP 184.105.192.2 was involved in taking down the Avalanche botnet.

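The two approaches suggested in this thread, tcpdump for direct connections to a known sinkhole and the Pi-hole query log for DNS names that resolve to one, can be turned into a small script that answers the “which of my machines?” question. The following is an added example, not code from the thread or from Pi-hole or tcpdump. It assumes a watch list of sinkhole IPs (184.105.192.2 is the address mentioned above; 192.0.2.10 is a documentation-range placeholder, not a real sinkhole), a home subnet of 192.168.1.0/24, and sample log lines constructed in the dnsmasq format that Pi-hole writes and in the `tcpdump -n` output format. It generalizes to any IP list, so the real list from the GitHub source can be dropped in.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical watch list. 184.105.192.2 is the address mentioned in the thread;
# 192.0.2.10 (TEST-NET-1, a documentation range) is a placeholder, not a real sinkhole.
# In practice, load the current list from the GitHub sinkhole list the thread refers to.
SINKHOLE_IPS = {"184.105.192.2", "192.0.2.10"}

# Assumed home LAN; adjust to the subnet the router hands out.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# dnsmasq (the resolver inside Pi-hole) logs a query and its answer on separate lines:
#   ... dnsmasq[pid]: query[A] <name> from <client>
#   ... dnsmasq[pid]: reply <name> is <ip>      (or "cached <name> is <ip>" on a cache hit)
DNS_QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
DNS_ANSWER_RE = re.compile(r"(?:reply|cached) (?P<name>\S+) is (?P<answer>\S+)")

# "tcpdump -n" prints "IP <src>.<sport> > <dst>.<dport>: Flags [...]"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def suspicious_dns_clients(log_lines, sinkholes):
    """Map each LAN client to the names it resolved that were answered with a sinkhole IP.

    The query line carries the client and the answer line carries the IP, so remember
    who asked for each name and flag them when that name is answered by a watch-listed IP.
    CNAME chains are logged as "reply a is b" then "reply b is <ip>"; this simple
    version only flags the name that was directly answered with an IP.
    """
    askers = defaultdict(set)
    hits = defaultdict(set)
    for line in log_lines:
        q = DNS_QUERY_RE.search(line)
        if q:
            askers[q["name"]].add(q["client"])
            continue
        a = DNS_ANSWER_RE.search(line)
        if a and a["answer"] in sinkholes:
            for client in askers.get(a["name"], ()):
                hits[client].add(a["name"])
    return dict(hits)


def sinkhole_connections(tcpdump_lines, sinkholes, home_net):
    """Map each LAN host to the (sinkhole IP, port) pairs it sent packets to."""
    flows = defaultdict(set)
    for line in tcpdump_lines:
        m = TCPDUMP_RE.search(line)
        if not m or m["dst"] not in sinkholes:
            continue
        if ipaddress.ip_address(m["src"]) in home_net:
            flows[m["src"]].add((m["dst"], int(m["dport"])))
    return dict(flows)


def suspect_hosts(log_lines, tcpdump_lines, sinkholes, home_net):
    """Union of hosts flagged by either source, sorted by address, for a quick report."""
    hosts = set(suspicious_dns_clients(log_lines, sinkholes))
    hosts |= set(sinkhole_connections(tcpdump_lines, sinkholes, home_net))
    return sorted(hosts, key=ipaddress.ip_address)


# Constructed sample input in dnsmasq/Pi-hole log format (not real captured data).
PIHOLE_LOG = """\
Mar 10 12:00:01 dnsmasq[1234]: query[A] update.example.net from 192.168.1.50
Mar 10 12:00:01 dnsmasq[1234]: forwarded update.example.net to 9.9.9.9
Mar 10 12:00:01 dnsmasq[1234]: reply update.example.net is 184.105.192.2
Mar 10 12:00:05 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
Mar 10 12:00:05 dnsmasq[1234]: reply www.example.org is 198.51.100.5
Mar 10 12:03:11 dnsmasq[1234]: query[A] update.example.net from 192.168.1.77
Mar 10 12:03:11 dnsmasq[1234]: cached update.example.net is 184.105.192.2
""".splitlines()

# Constructed sample input in "tcpdump -n" format (not real captured data).
TCPDUMP_LOG = """\
12:00:02.110231 IP 192.168.1.50.49152 > 184.105.192.2.80: Flags [S], seq 1, win 64240, length 0
12:00:02.140500 IP 184.105.192.2.80 > 192.168.1.50.49152: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:06.000100 IP 192.168.1.20.51000 > 198.51.100.5.443: Flags [S], seq 3, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    print("DNS hits:", suspicious_dns_clients(PIHOLE_LOG, SINKHOLE_IPS))
    print("Flows:", sinkhole_connections(TCPDUMP_LOG, SINKHOLE_IPS, HOME_NET))
    print("Suspects:", suspect_hosts(PIHOLE_LOG, TCPDUMP_LOG, SINKHOLE_IPS, HOME_NET))
```

To feed it real data, pipe Pi-hole's dnsmasq-format query log (its path depends on the Pi-hole version) into `suspicious_dns_clients`, and capture on a host that can see the LAN traffic with something like `sudo tcpdump -n -l dst host 184.105.192.2` for `sinkhole_connections`. A hit tells you which host to examine next, not what is running on it: a DNS answer pointing at a sinkhole shows that the host resolved that name, and a connection shows it tried to reach the address, so the next step is to look at that specific machine and compare the timestamps with whatever the ISP observed.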