Denial of service detected on Network Printers

Article:TECH139213  |  Created: 2010-09-06  |  Updated: 2011-02-18  |  Article URL http://www.symantec.com/docs/TECH139213
Article Type
Technical Solution


Issue



When clients with Intrusion Prevention (IPS) installed try to print using a network printer, they receive an error message that indicates a Denial of Service attack. 


Error



A pop-up will appear indicating the traffic has been blocked on the client.

"The traffic from IP xxx.xxx.xxx.xxx was blocked. The Denial of Service was registered."

In addition, the logs will show the following: 

Denial of Service "UDP Flood Attack" attack detected. Description:  An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.   
Active Response    Traffic from IP address x.x.x.x is blocked from 2/13/2011 8:25:49 PM to 2/13/2011 8:35:49 PM.
 


Cause



Some printer communications are over UDP using raw mode. If the printer sends too many UDP packets within a set time period, the UDP Flood Attack detection is triggered. 


Solution



Check the Security Logs under Client Management for Denial of Service Detections for the printer's IP address to confirm the issue. 
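One way to run this confirmation over an exported copy of the log, shown as an added example rather than Symantec's code. It assumes the export keeps the two-line shape quoted in this article; the sample addresses and the printer inventory passed to `triage` are constructed.

```python
import ipaddress
import re
from datetime import datetime

ATTACK_RE = re.compile(r'Denial of Service "([^"]+)" attack detected')
BLOCK_RE = re.compile(r"Traffic from IP address (\S+) is blocked from (.+?) to (.+?)\.\s*$")
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # timestamp style seen in the article's log excerpt

# Constructed sample shaped like the article's log excerpt; documentation-range IPs.
SAMPLE_LOG = '''\
Denial of Service "UDP Flood Attack" attack detected.
Active Response    Traffic from IP address 192.0.2.25 is blocked from 2/13/2011 8:25:49 PM to 2/13/2011 8:35:49 PM.
Denial of Service "UDP Flood Attack" attack detected.
Active Response    Traffic from IP address 192.0.2.25 is blocked from 2/13/2011 9:02:10 PM to 2/13/2011 9:12:10 PM.
Denial of Service "UDP Flood Attack" attack detected.
Active Response    Traffic from IP address 198.51.100.7 is blocked from 2/14/2011 1:15:00 AM to 2/14/2011 1:25:00 AM.
Active Response    Traffic from IP address x.x.x.x is blocked from 2/13/2011 8:25:49 PM to 2/13/2011 8:35:49 PM.
'''


def triage(log_text, printer_ips):
    """Group DoS blocks by source IP and mark which sources are inventoried printers."""
    printers = {ipaddress.ip_address(p) for p in printer_ips}
    report, last_attack = {}, None
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            last_attack = m.group(1)  # applies to the Active Response line that follows
            continue
        m = BLOCK_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            start, end = (datetime.strptime(m.group(i), TS_FORMAT) for i in (2, 3))
        except ValueError:
            continue  # masked address (x.x.x.x) or unparseable timestamp
        entry = report.setdefault(str(ip), {"blocks": 0, "minutes_blocked": 0.0,
                                            "attacks": set(), "known_printer": ip in printers})
        entry["blocks"] += 1
        entry["minutes_blocked"] += (end - start).total_seconds() / 60
        entry["attacks"].add(last_attack or "unattributed")
        last_attack = None
    return report


def exclusion_candidates(report):
    """Inventoried printers whose every block was attributed to a UDP flood detection."""
    return sorted(ip for ip, e in report.items()
                  if e["known_printer"] and e["attacks"] == {"UDP Flood Attack"})
```

A blocked source that is not in the printer inventory, such as 198.51.100.7 in the sample, is left out of the candidates and should be investigated rather than excluded.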

To resolve the issue, either disable Denial of Service detection within your Intrusion Prevention policy or add the printer's IP address to "Excluded Hosts."

To add the printer to "Excluded Hosts":

1.  Open your Intrusion Prevention Policy.

2.  Choose Settings on the left.

3.  Check the box for Enable excluded hosts and then click the Excluded Hosts... button.  

4.  Add the IP address of your printer and choose Okay.  



