
Denial of Service "Smurf" attack detected

Created: 09 Jan 2013 | 3 comments

We provided a freshly imaged desktop to an employee who started receiving the following notification from the SEP12 Network Threat Protection log:

Denial of Service "Smurf" attack detected

 

The direction is outgoing (from his machine) to a machine (another user's PC) which is in a totally different subnet.

As an example, the originating IP is 10.x.x.x and the remote host is 172.X.X.X.

The protocol is ICMP

I am pretty sure this is a false positive, but I would like to understand what Symantec may have detected as a Smurf attack.

Is it DHCP traffic? Even if it is DHCP traffic, the remote host is a PC (not a server).

I would like to hear explanations on how this could have happened.

 

Thanks

 

 

Comments (3)

Ashish-Sharma

Hi,

Check this article:

Demystifying Denial-Of-Service attacks, part one

https://www-secure.symantec.com/connect/articles/d...

Check this thread:

https://www-secure.symantec.com/connect/forums/den...

 

Vikram Kumar-SAV to SEP (SYMANTEC EMPLOYEE, ACCREDITED)

You have to log in to the server on which the SEPM is installed.
To check where your SEPM is, open SEP - Help and Support - Troubleshooting;

it will show you the server name or IP.

If you do not have access to the SEPM server, then

open the SEP client - Network Threat Protection - Options - Change Settings - Intrusion Prevention -
and from there you can disable Denial of Service detection.

http://www.symantec.com/security_response/attacksi...

Thanks In Advance

Ashish Sharma

 

 

.Brian

It sounds like a possible false positive. You would need to scan the machine causing the DoS to ensure it is not infected with something. Basically, a large number of ICMP packets are sent. So, for example, if someone did a ping -l 65000 [hostname], this could cause it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
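To make the distinction in the comment above concrete, here is an added example (not code from the original thread, and not Symantec's detection logic, which the thread does not describe) that classifies ICMP echo requests from a firewall-style log by the indicators a host IDS would plausibly key on. A textbook Smurf is an echo request sent to a broadcast address with a spoofed source, so that every host on that subnet replies to the victim; a unicast ping flood or an oversized ping such as `ping -l 65000` produces a burst of large ICMP traffic to a single host but no amplification. The subnets, thresholds and log records below are all constructed assumptions, chosen to mirror the 10.x.x.x -> 172.X.X.X case in the question.

```python
"""Classify ICMP echo-request sources by Smurf-style indicators.

Added example, not from the original thread. The subnet list, thresholds
and sample records are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ECHO_REQUEST = 8  # ICMP type 8 = echo request; type 0 = echo reply


@dataclass(frozen=True)
class IcmpRecord:
    ts: float        # timestamp in seconds
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    icmp_type: int   # ICMP type field
    length: int      # ICMP payload length in bytes


# Assumed local subnets; needed to recognise a directed broadcast (e.g. 172.16.5.255).
KNOWN_SUBNETS = [ip_network("10.1.2.0/24"), ip_network("172.16.5.0/24")]


def is_broadcast(dst, subnets):
    """True if dst is the limited broadcast or the broadcast address of a known subnet."""
    addr = ip_address(dst)
    if addr == ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in subnets)


def max_rate(timestamps, window):
    """Largest number of events falling inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(records, subnets=KNOWN_SUBNETS, window=1.0,
             flood_threshold=20, max_payload=1472):
    """Return {src: sorted indicator names} for every source that sent echo requests.

    Indicators:
      echo_to_broadcast - echo request aimed at a broadcast address (the Smurf trigger)
      echo_flood        - more than flood_threshold echo requests in any `window` seconds
      oversized_echo    - payload above max_payload bytes (e.g. ping -l 65000, fragmented)
    An empty list means ordinary unicast pings.
    """
    per_src = defaultdict(list)
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            per_src[r.src].append(r)

    verdicts = {}
    for src, rs in per_src.items():
        flags = set()
        if any(is_broadcast(r.dst, subnets) for r in rs):
            flags.add("echo_to_broadcast")
        if max_rate([r.ts for r in rs], window) > flood_threshold:
            flags.add("echo_flood")
        if any(r.length > max_payload for r in rs):
            flags.add("oversized_echo")
        verdicts[src] = sorted(flags)
    return verdicts


# Constructed sample log (not real traffic):
#  - 10.1.2.3 sends four 65000-byte unicast pings, as `ping -l 65000 172.16.5.7` would
#  - 10.1.2.9 sprays 30 echo requests in 0.6 s at the 172.16.5.0/24 broadcast address
#  - 10.1.2.20 sends four ordinary 32-byte pings, one per second
SAMPLE = (
    [IcmpRecord(float(i), "10.1.2.3", "172.16.5.7", ECHO_REQUEST, 65000) for i in range(4)]
    + [IcmpRecord(i * 0.02, "10.1.2.9", "172.16.5.255", ECHO_REQUEST, 56) for i in range(30)]
    + [IcmpRecord(float(i), "10.1.2.20", "172.16.5.7", ECHO_REQUEST, 32) for i in range(4)]
    + [IcmpRecord(0.1, "172.16.5.7", "10.1.2.20", 0, 32)]  # a reply; ignored
)

if __name__ == "__main__":
    for src, flags in sorted(classify(SAMPLE).items()):
        print(f"{src:12} {flags or 'benign unicast ping'}")
```

Only 10.1.2.9 produces the broadcast indicator; the `ping -l 65000` host trips nothing but `oversized_echo`, which is the kind of traffic a strict DoS signature may lump under the same "Smurf" label. When tuning, check the destination in the SEP log entry first: a unicast 172.X.X.X destination rules out the amplification pattern, and the remaining question is why the machine is sending large or frequent pings at all.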

Mithun Sanghavi

Hello,

Check the Article below. It describes DOS attacks and how they work.

If you can understand how they work then you will understand how to protect yourself against them. Look at the SMURF attack part specifically.

https://www-secure.symantec.com/connect/articles/demystifying-denial-service-attacks-part-one

The steps you need to take to protect yourself from SMURF attacks can be done through your operating system rather than your antivirus software. Again, that information can be taken from the article above.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.