Botnet destination block - but our web site is clean

Today, one of our client sites can no longer reach their hosted website on GoDaddy. The logs show "botnet blocked destination". We ran the site through various online testing tools and all show it is clean. I don't want to add an exclusion in case something is there that everyone is not reporting. How can I find out why it was blocked in the RED/Botnet DB?

Is this a ticket to WG to confirm?

Comments

  • I had a conversation yesterday with a WatchGuard member. It seems that there was a problem of botnet identification. I had the same problem myself with OVH. Just put the FQDN in an exception to fix the problem with your website.

    The Botnet ID problem is on exam as far as I know.

  • I did the exclusion at the client, but left it out on our own internal FB to see if it ever clears itself. If it does not clear, I may post the ticket to WG Support to inquire if there is a procedure to clear a false positive.

  • Ricardo_Arroyo WatchGuard Representative

    Greetings everyone!
    WatchGuard recently added a new vendor for the Botnet IP list that all Fireboxes use. Given the large number of new IP addresses that have been added, we have received some reports of suspected false positives. Blocking by IP address is not a perfect solution but it is quite effective depending on the destination. In many cases we have a convincing amount of evidence stating that a specific IP address is exhibiting malicious behaviors for the majority of users. In this day and age of Cloud Services and NATed IP addresses, there's nothing to say that a site can't be serving both legitimate and malicious content. If you are certain the site you are visiting is indeed legitimate, please add the FQDN to the Blocked Sites exception list as described above. Also, continue to report the problem Domains and IP addresses to WatchGuard Support as we continue to make the service better for all of our customers.

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.
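The point Ricardo makes above is that an IP feed blocks an address, while a hosted site is a name, and on shared hosting one address serves many tenants. The script below is an added example (not WatchGuard code and not the Firebox's actual logic) that shows how a defender can triage such a block before adding an exception: it resolves the FQDN against a botnet feed, lists other names sharing the blocked address, and shows that an FQDN exception only affects that one name. The feed, the DNS answers and the exception list are constructed inline so it runs offline; a real check would resolve names with socket.getaddrinfo and read the firewall's real feed and exception list, neither of which this script touches.

```python
"""Triage a "botnet blocked destination" event against a site's resolved IPs.

Added example, not WatchGuard or Firebox code. Everything below (feed,
DNS answers, exception list) is constructed so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass

# Constructed botnet feed: two single hosts and one /24, as the feed
# would typically deliver them (strings, not yet parsed).
BOTNET_FEED = {
    "198.51.100.23",       # constructed single host
    "203.0.113.0/24",      # constructed range
}

# Constructed DNS answers standing in for real resolution.
DNS = {
    "shop.example.com": ["198.51.100.23"],                 # shared hosting IP
    "blog.example.net": ["198.51.100.23"],                 # same IP, other tenant
    "api.example.org":  ["203.0.113.77", "2001:db8::1"],   # one v4 hit, one v6 miss
    "docs.example.org": ["192.0.2.10"],                    # not in the feed
}

# Constructed FQDN exceptions, the "Blocked Sites exception" idea from the thread.
EXCEPTIONS = {"shop.example.com"}


def load_networks(feed):
    """Parse feed entries into ip_network objects; bare IPs become /32 or /128."""
    return [ipaddress.ip_network(entry, strict=False) for entry in feed]


def blocked_by(ip, networks):
    """Return the feed networks that contain this address (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    # ip_network.__contains__ returns False on an address-family mismatch,
    # so a v6 address never matches a v4 range.
    return [net for net in networks if addr in net]


@dataclass
class Verdict:
    fqdn: str
    blocked_ips: dict   # ip string -> matching feed network string
    excepted: bool      # is the name on the FQDN exception list?
    shared_with: list   # other names that resolve to the same blocked IPs


def triage(fqdn, feed=BOTNET_FEED, dns=DNS, exceptions=EXCEPTIONS):
    """Explain why a destination was blocked and what else shares that address."""
    nets = load_networks(feed)
    hits = {}
    for ip in dns.get(fqdn, []):
        matches = blocked_by(ip, nets)
        if matches:
            hits[ip] = str(matches[0])
    # Collateral: every other name whose answers include a blocked IP.
    shared = sorted(
        other for other, ips in dns.items()
        if other != fqdn and any(ip in hits for ip in ips)
    )
    return Verdict(fqdn, hits, fqdn in exceptions, shared)


def effective_action(verdict):
    """The FQDN exception overrides the IP block for that name only."""
    if not verdict.blocked_ips:
        return "allow"
    return "allow (FQDN exception)" if verdict.excepted else "block"


if __name__ == "__main__":
    for name in DNS:
        v = triage(name)
        print(f"{name:18} {effective_action(v):24} hits={v.blocked_ips} shared={v.shared_with}")
```

Running it shows shop.example.com allowed by its exception while blog.example.net, which resolves to the same address, is still blocked. That asymmetry is the reason an FQDN exception is a narrower, safer fix than removing the address from the feed, and the shared_with list is the evidence to attach to the ticket when reporting a suspected false positive.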

  • Was this new vendor added 4/1/19? That is when I started noticing a larger spike in Botnet detection coming from destination IP addresses which has never happened before.

  • edited April 4

    Thanks for clarifying, Ricardo. I will post to WG support to see if they can clear it.

    Note - Appears WG ticketing is down, cannot even post a ticket at the moment.

  • Ricardo_Arroyo WatchGuard Representative

    @JoshuaThompson Yes the new vendor was added on 4/1/2019.

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • @Ricardo_Arroyo Thank you. How can I look up an IP address for reputation with the new vendor?

  • Ricardo_Arroyo WatchGuard Representative

    Unfortunately we do not have that feature available yet. As soon as we do I will post here to inform the Community.

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • I was about to call support until I read this topic. April 1 I went from 7 attempts in the past week to over 250 in 4 days. I guess this is the new reality.

  • In France, for example, a bunch of IPs owned by OVH are considered botnet members.

    BV

  • Did WatchGuard reverse the new changes/vendor? I haven't seen a botnet report for a few days.

  • Ricardo_Arroyo WatchGuard Representative

    Hello @LBrent. Yes, on Friday, April 5th we removed the new vendor from the Botnet feed while we re-evaluate how we use it.

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.
