• An internal host is communicating with a set of external IP addresses in the timing pattern, and at the low data rate, characteristic of peer-to-peer command and control

Possible Root Causes

  • The internal host is infected with malware that uses peer-to-peer communication for its command and control; some botnets use this form of C2 because there is no central server to take down or sinkhole, which makes it more resilient to disruption
  • Legitimate peer-to-peer software (e.g. BitTorrent or Skype) is running idle in the background; with no data or voice transfer in progress, its keep-alive and peer-discovery traffic consists of small, periodic exchanges with many peers, which is the same pattern peer-to-peer command and control produces
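The two root causes above produce the same network shape: one internal host, many distinct external peers, small flows, regular timing. The following is an added example (not the detection product's own logic) that scores flow records on exactly those three features. The flow records, the internal address ranges and the thresholds are all constructed assumptions; tune them to your environment.

```python
"""Heuristic triage of flow records for peer-to-peer C2-like traffic (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, median, pstdev

# Address space treated as internal (assumption: adjust to your own ranges).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True if the address lies outside the configured internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Constructed flow records (not real telemetry), one tuple per flow:
# (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_sent).
def _beaconing_host():
    # 10.0.0.5 exchanges a few hundred bytes with each of 12 external peers at
    # roughly 600 s intervals: the shape of both idle P2P keep-alives and P2P C2.
    peers = [f"198.51.100.{n}" for n in range(10, 22)]
    return [(600 * i + 7 * (i % 3), "10.0.0.5", peers[i % 12], 6881, 280 + 10 * (i % 5))
            for i in range(36)]


def _bulk_download_host():
    # 10.0.0.7 pulls a large file from a single HTTPS server: one peer, big flows.
    return [(100 + 60 * i, "10.0.0.7", "203.0.113.10", 443, 2_000_000) for i in range(5)]


def _browsing_host():
    # 10.0.0.11 visits ten sites at irregular intervals with mixed transfer sizes.
    times = [5, 9, 70, 71, 400, 402, 1900, 1905, 4000, 4003]
    sizes = [50_000, 120, 3_400_000, 800, 25_000, 90, 1_200_000, 15_000, 600, 70_000]
    return [(t, "10.0.0.11", f"192.0.2.{n}", 443, b)
            for n, (t, b) in enumerate(zip(times, sizes), start=1)]


FLOWS = _beaconing_host() + _bulk_download_host() + _browsing_host()


def summarize_host(flows):
    """Features of one host's outbound external flows: peer set, size, timing."""
    times = sorted(f[0] for f in flows)
    intervals = [b - a for a, b in zip(times, times[1:])]
    # Coefficient of variation of the inter-flow gaps: near 0 means clock-like timing.
    cv = None
    if len(intervals) >= 2 and mean(intervals) > 0:
        cv = pstdev(intervals) / mean(intervals)
    return {
        "peers": {f[2] for f in flows},
        "flows": len(flows),
        "median_bytes": median(f[4] for f in flows),
        "interval_cv": cv,
    }


def find_p2p_c2_candidates(flows, min_peers=8, min_flows=10,
                           max_median_bytes=1024, max_interval_cv=0.3):
    """Return {host: details} for internal hosts whose external traffic looks like P2P C2.

    A host is flagged only when all three hold: many distinct external peers,
    small flows, and regular timing. The thresholds are illustrative assumptions.
    """
    by_host = defaultdict(list)
    for f in flows:
        if not is_external(f[1]) and is_external(f[2]):
            by_host[f[1]].append(f)

    hits = {}
    for host, hflows in by_host.items():
        s = summarize_host(hflows)
        many_peers = len(s["peers"]) >= min_peers
        small_flows = s["flows"] >= min_flows and s["median_bytes"] <= max_median_bytes
        regular = s["interval_cv"] is not None and s["interval_cv"] <= max_interval_cv
        if many_peers and small_flows and regular:
            hits[host] = {
                "summary": s,
                "reason": (f"{len(s['peers'])} external peers, median "
                           f"{s['median_bytes']:.0f} B/flow, interval CV {s['interval_cv']:.2f}"),
            }
    return hits


if __name__ == "__main__":
    for host, hit in find_p2p_c2_candidates(FLOWS).items():
        print(f"{host}: {hit['reason']}")
```

Only 10.0.0.5 is flagged: the bulk download has a single peer and the browsing host has large, irregular flows. The heuristic deliberately cannot tell an idle torrent client from a P2P bot, which is why the verification steps below start by attributing the connections to a process on the host.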

Business Impact

  • An infected host can be used to attack other organizations (e.g. spam, DoS, click fraud), harming your organization’s reputation, potentially getting your IP addresses blacklisted, and degrading the performance of business-critical applications
  • The host can also be instructed to spread the infection further into your network and ultimately to exfiltrate data from it
  • The software that infected the host can also create nuisances on the host itself and reduce user productivity

Steps to Verify

  • If the detection is caused by a deliberately installed peer-to-peer application, confirm which process actually owns the connections and make sure that application and its use comply with IT security policy
  • If the detection cannot be attributed to such an application, the host is likely infected with malware and should be cleaned with AV software or reimaged (reimaging is the more reliable of the two)
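The two verification steps above come down to one question: which process on the host owns the external connections, and is it on the approved list? The following is an added example (not part of the original page) that parses `ss -tnp` output from the flagged host, groups the external peers by owning process and assigns each a triage verdict. The sample output, the process names, the approved-application list and the peer-count threshold are constructed assumptions.

```python
"""Attribute a flagged host's external connections to processes (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as internal (assumption: adjust to your own ranges).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Peer-to-peer applications permitted by policy (assumption: substitute your own list).
APPROVED_P2P_APPS = {"qbittorrent", "skypeforlinux"}

# Constructed `ss -tnp` output from the flagged host (not real data); the process
# names, PIDs and addresses are illustrative.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:51234     198.51.100.10:6881  users:(("qbittorrent",pid=2211,fd=45))
ESTAB 0      0      10.0.0.5:51235     198.51.100.11:6881  users:(("qbittorrent",pid=2211,fd=46))
ESTAB 0      0      10.0.0.5:51236     198.51.100.12:51413 users:(("qbittorrent",pid=2211,fd=47))
ESTAB 0      0      10.0.0.5:40022     203.0.113.40:8443   users:(("updaterd",pid=4871,fd=7))
ESTAB 0      0      10.0.0.5:40023     203.0.113.41:8443   users:(("updaterd",pid=4871,fd=8))
ESTAB 0      0      10.0.0.5:40024     203.0.113.42:8443   users:(("updaterd",pid=4871,fd=9))
ESTAB 0      0      10.0.0.5:40025     192.0.2.77:8443     users:(("updaterd",pid=4871,fd=10))
ESTAB 0      0      10.0.0.5:44100     192.0.2.9:443       users:(("firefox",pid=3102,fd=120))
ESTAB 0      0      10.0.0.5:38890     10.0.0.20:445       users:(("smbd",pid=900,fd=12))
ESTAB 0      0      10.0.0.5:33001     203.0.113.99:9001
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def is_external(ip):
    """True if the address lies outside the configured internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_ss(output):
    """Yield (peer_ip, peer_port, process_name, pid) for each established socket.

    process_name and pid are None when ss printed no owner (for example when it
    was run without root, or when the owning process is hidden from it).
    """
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        peer_ip, _, peer_port = fields[4].rpartition(":")  # handles [v6]:port too
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        yield peer_ip.strip("[]"), int(peer_port), proc, pid


def attribute_connections(ss_output, approved=APPROVED_P2P_APPS, multi_peer=3):
    """Group external peers by owning process and give each a triage verdict.

    Verdicts: "approved" (process on the policy list), "suspect" (unapproved
    process talking to >= multi_peer external peers), "ordinary" (unapproved,
    few peers), "unattributed" (no owning process visible).
    """
    peers_by_proc = defaultdict(set)
    pids_by_proc = defaultdict(set)
    for ip, port, proc, pid in parse_ss(ss_output):
        if is_external(ip):
            peers_by_proc[proc].add((ip, port))
            if pid is not None:
                pids_by_proc[proc].add(pid)
    report = {}
    for proc, peers in peers_by_proc.items():
        if proc is None:
            verdict = "unattributed"
        elif proc in approved:
            verdict = "approved"
        elif len(peers) >= multi_peer:
            verdict = "suspect"
        else:
            verdict = "ordinary"
        report[proc or "<no process shown>"] = {
            "pids": sorted(pids_by_proc[proc]), "peers": sorted(peers), "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, r in attribute_connections(SAMPLE_SS_OUTPUT).items():
        print(f"{name} {r['pids']}: {r['verdict']}, {len(r['peers'])} external peer(s)")
```

Three caveats when running this against a real host: `ss -tnp` only shows process ownership for sockets you have privilege to inspect, so run it as root, and treat a socket that still has no owner as suspicious rather than benign; a process name on the approved list proves nothing by itself, so confirm the binary behind it (`/proc/<pid>/exe` and its hash) before accepting the "approved" verdict; and a single snapshot can miss periodic connections, so sample several times across the interval the detection reported, or compare against a packet capture taken from outside the host.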