Our network edge security provider never sleeps. Another day, another missive:
Kindly be informed that we are getting suspicious traffic from the below IPs to 220.127.116.11 and 18.104.22.168
The source IPs are : <bunch of internal IP addresses>
On our gentle inquiry as to what kind of traffic they’re getting and what makes said traffic suspicious, we got the following response:
First we need to know from the customer if there is legal traffic between the mentioned sources and destinations.
If it’s legal, what kind of communication is this? And the rate of requests per second.
Based on that information we can provide you with more details.
Probably should write them back that these VMs are infected by the botnet called DNS.
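The three things the provider asked for (is the traffic legitimate, what is it, and what is the request rate) can be answered from the hosts' resolver configuration and a few flow records. The script below is an added example, not code from the original post: it parses a constructed resolv.conf, checks whether the flagged destinations are the configured nameservers, counts port-53 flows against everything else, and reports the peak queries per second per destination. The flow records and the resolv.conf contents are constructed for the example; the two destination addresses are the ones the provider named.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed /etc/resolv.conf contents for this example (not taken from any real host).
RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 220.127.116.11
nameserver 18.104.22.168
options timeout:2 attempts:2
"""

# Constructed flow records: (unix_ts, src, dst, proto, dport).
# Internal sources are illustrative RFC 1918 addresses.
FLOWS = [
    (1700000000, "10.0.1.5", "220.127.116.11", "udp", 53),
    (1700000000, "10.0.1.5", "220.127.116.11", "udp", 53),
    (1700000000, "10.0.1.6", "18.104.22.168", "udp", 53),
    (1700000001, "10.0.1.5", "220.127.116.11", "udp", 53),
    (1700000001, "10.0.1.7", "18.104.22.168", "tcp", 53),
    (1700000002, "10.0.1.7", "18.104.22.168", "tcp", 443),
]

# The destinations the provider flagged.
FLAGGED_DSTS = {"220.127.116.11", "18.104.22.168"}


def parse_resolv_conf(text):
    """Return the set of nameserver IPs listed in resolv.conf-style text.

    Comments (after '#') are ignored and malformed addresses are skipped,
    so a stray line cannot make the check fail open or crash."""
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.add(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not a valid IP literal; ignore it
    return servers


def summarize_flows(flows, flagged_dsts, resolvers):
    """For each flagged destination, report whether it is a configured resolver,
    how many flows are DNS (port 53 over UDP or TCP), how many are not,
    and the peak number of DNS flows seen in any one second."""
    per_sec = defaultdict(Counter)  # dst -> Counter of DNS flows per second
    dns = Counter()
    other = Counter()
    for ts, _src, dst, proto, dport in flows:
        if dst not in flagged_dsts:
            continue
        if dport == 53 and proto in ("udp", "tcp"):
            dns[dst] += 1
            per_sec[dst][ts] += 1
        else:
            other[dst] += 1
    summary = {}
    for dst in flagged_dsts:
        summary[dst] = {
            "configured_resolver": dst in resolvers,
            "dns_flows": dns[dst],
            "non_dns_flows": other[dst],
            "peak_qps": max(per_sec[dst].values(), default=0),
        }
    return summary


if __name__ == "__main__":
    resolvers = parse_resolv_conf(RESOLV_CONF)
    for dst, s in sorted(summarize_flows(FLOWS, FLAGGED_DSTS, resolvers).items()):
        print(dst, s)
```

A destination that is both a configured nameserver and receives only port-53 flows is the host doing name resolution; any non-DNS flows to the same address, or a peak rate well above what the fleet's lookup volume would explain, are the parts worth a second look rather than the DNS itself.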