Analyst Tip: Spotting Botnet Members

You suspect one or more hosts in your network may have unwittingly been recruited into a botnet.

How can you tell?

There are several indicators you can hunt for, including:

  • A sudden spike in outbound traffic on UDP or TCP port 53 relative to the normal volume for that host (and/or for that network or system role), particularly to destinations other than approved recursive or authoritative nameservers
  • Appearance of, or an increase in, outbound traffic on TCP ports 6660-6669 from the host in question
  • Attempted connections to known command-and-control (C2) servers
  • DNS queries for known C2 fully-qualified domain names
  • A sudden spike in outbound traffic on TCP port 25 (relative to normal)

The presence of one or more of these indicators may warrant further investigation. However, do not automatically assume malicious activity. Always verify your assumptions.
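The following is an added example, not part of the original tip, that runs the indicators above over constructed flow records. It assumes a per-host baseline window versus a current window, a placeholder set of approved resolvers and known C2 indicators (all invented for the example), and flags spikes only relative to each host's own prior volume, as the tip recommends.

```python
from collections import defaultdict

# Assumptions constructed for this example (not real infrastructure or indicators):
APPROVED_RESOLVERS = {"10.0.0.53"}              # sanctioned recursive nameservers
KNOWN_C2_IPS = {"203.0.113.7"}                  # placeholder C2 address
KNOWN_C2_DOMAINS = {"c2.placeholder.invalid"}   # placeholder C2 FQDN
IRC_PORTS = range(6660, 6670)                   # TCP 6660-6669 from the tip

# Constructed flow records: (window, src_host, dst_ip, proto, dst_port, bytes, dns_qname)
FLOWS = [
    ("baseline", "10.1.1.5", "10.0.0.53", "udp", 53, 2000, "intranet.local"),
    ("baseline", "10.1.1.5", "198.51.100.10", "tcp", 443, 50000, None),
    ("baseline", "10.1.1.5", "10.0.0.25", "tcp", 25, 1000, None),
    ("current", "10.1.1.5", "8.8.8.8", "udp", 53, 9000, "c2.placeholder.invalid"),
    ("current", "10.1.1.5", "10.0.0.53", "udp", 53, 2000, "intranet.local"),
    ("current", "10.1.1.5", "203.0.113.7", "tcp", 6667, 300, None),
    ("current", "10.1.1.5", "192.0.2.9", "tcp", 25, 8000, None),
    ("baseline", "10.1.1.6", "10.0.0.53", "udp", 53, 1500, "intranet.local"),
    ("current", "10.1.1.6", "10.0.0.53", "udp", 53, 1600, "intranet.local"),
    ("current", "10.1.1.6", "198.51.100.10", "tcp", 443, 60000, None),
]

def hunt(flows, spike_factor=3.0):
    """Return {host: sorted indicator tags} for hosts matching any indicator."""
    vol = defaultdict(int)          # (host, window, indicator) -> outbound bytes
    findings = defaultdict(set)
    for window, host, dst, proto, port, nbytes, qname in flows:
        if port == 53 and dst not in APPROVED_RESOLVERS:
            vol[(host, window, "dns_unapproved")] += nbytes
        if proto == "tcp" and port == 25:
            vol[(host, window, "smtp")] += nbytes
        if window != "current":
            continue                # exact-match indicators only matter in the current window
        if proto == "tcp" and port in IRC_PORTS:
            findings[host].add("irc_port")
        if dst in KNOWN_C2_IPS:
            findings[host].add("known_c2_ip")
        if qname in KNOWN_C2_DOMAINS:
            findings[host].add("known_c2_domain")
    for (host, window, ind), cur in list(vol.items()):
        if window != "current":
            continue
        base = vol.get((host, "baseline", ind), 0)
        # Spike is judged against that host's own baseline; a zero baseline counts as new activity.
        if cur > spike_factor * base:
            findings[host].add(ind + "_spike")
    return {h: sorted(f) for h, f in findings.items()}
```

A hit here is a lead for the analyst to verify against the host's role and change history, not a verdict.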

Tags: HowTo, Analyst Tips, Hunt, Blue Team