Denial of service detected on Network Printers
Article: TECH139213 | Created: 2010-09-06 | Updated: 2014-10-20 | Article URL: http://www.symantec.com/docs/TECH139213
When Symantec Endpoint Protection (SEP) clients with Intrusion Prevention (IPS) installed try to print using a network printer, they receive an error message that indicates a Denial of Service attack.
A pop-up will appear indicating the traffic has been blocked on the client.
"The traffic from IP xxx.xxx.xxx.xxx was blocked. The Denial of Service was registered."
In addition, the logs will show the following:
Denial of Service "UDP Flood Attack" attack detected. Description: An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.
Active Response Traffic from IP address x.x.x.x is blocked from 2/13/2011 8:25:49 PM to 2/13/2011 8:35:49 PM.
Some printer communications are over UDP using raw mode. If the printer sends too many UDP packets within a set time period, the UDP Flood Attack detection is triggered.
Check the Security Logs under Client Management for Denial of Service Detections for the printer's IP address to confirm the issue.
To resolve the issue, either disable Denial of Service detection within your Intrusion Prevention policy or add the printer's IP address to "Excluded Hosts."
To add the printer to "Excluded Hosts":
- Open your SEPM's Intrusion Prevention Policy.
- Choose Settings on the left.
- Check the box for Enable excluded hosts and then click the Excluded Hosts... button.
- Add the IP address of your printer and choose Okay.
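The log check and the exclusion step above can be tied together so that only addresses confirmed as printers end up in Excluded Hosts. The following is an added example, not Symantec code: it assumes the Security Log has been exported as plain text with one message per line in the wording shown above, that each detection line directly precedes its Active Response line, and that you supply your own printer inventory. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

TS = r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
BLOCK_RE = re.compile(r"Active Response Traffic from IP address (\S+) is blocked from " + TS + " to " + TS)
DOS_RE = re.compile(r'Denial of Service "([^"]+)" attack detected')
TS_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample export; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    'Denial of Service "UDP Flood Attack" attack detected. Description: ...',
    "Active Response Traffic from IP address 192.0.2.50 is blocked from 2/13/2011 8:25:49 PM to 2/13/2011 8:35:49 PM.",
    'Denial of Service "UDP Flood Attack" attack detected. Description: ...',
    "Active Response Traffic from IP address 192.0.2.50 is blocked from 2/13/2011 9:02:10 PM to 2/13/2011 9:12:10 PM.",
    'Denial of Service "UDP Flood Attack" attack detected. Description: ...',
    "Active Response Traffic from IP address 198.51.100.7 is blocked from 2/14/2011 1:00:00 AM to 2/14/2011 1:10:00 AM.",
    "Active Response Traffic from IP address x.x.x.x is blocked from 2/13/2011 8:25:49 PM to 2/13/2011 8:35:49 PM.",
]

def summarize_blocks(log_lines, printer_ips):
    """Group Active Response blocks by source IP and mark inventoried printers."""
    printers = {ipaddress.ip_address(ip) for ip in printer_ips}
    summary, last_attack = {}, None
    for line in log_lines:
        dos = DOS_RE.search(line)
        if dos:
            last_attack = dos.group(1)  # assumed to precede its block line
            continue
        m = BLOCK_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # masked or malformed address, nothing to correlate
        start, end = (datetime.strptime(t, TS_FMT) for t in m.group(2, 3))
        entry = summary.setdefault(str(ip), {"blocks": 0, "blocked_seconds": 0,
                                             "attacks": set(), "is_printer": ip in printers})
        entry["blocks"] += 1
        entry["blocked_seconds"] += int((end - start).total_seconds())
        if last_attack:
            entry["attacks"].add(last_attack)
        last_attack = None
    return summary

def exclusion_candidates(summary):
    """Only inventoried printers blocked solely for UDP Flood Attack qualify."""
    return sorted(ip for ip, e in summary.items()
                  if e["is_printer"] and e["attacks"] == {"UDP Flood Attack"})
```

Blocked addresses that are not in the printer inventory stay out of the candidate list and should be investigated rather than excluded.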
Upgrading to the latest available release of SEP 11, or to SEP 12.1, will also minimize the number of DoS False Positive incidents.