
Denial of Service "Smurf" attack detected

Created: 09 Jan 2013 | 3 comments

We provided a freshly imaged desktop to an employee, who started receiving the following notification from the SEP12 Network Threat Protection log:

Denial of Service "Smurf" attack detected

The direction is outgoing (from his machine) to a machine (another user's PC) which is in a totally different subnet.

As an example, the originating IP is 10.x.x.x and the remote host is 172.X.X.X.

The protocol is ICMP.

I am pretty sure this is a false positive, but I would like to understand what Symantec may have detected as a Smurf attack.

Is it DHCP traffic? Even if it is DHCP traffic, the remote host is a PC (not a server).

I would like to hear explanations of how this could have happened.



Check this article:

Demystifying Denial-Of-Service attacks, part one

Check this thread:

Vikram Kumar-SAV to SEP (Symantec Employee, Accredited)

You have to log in to the server on which the SEPM is installed.
To check where your SEPM is, open SEP - Help and Support - Troubleshooting.

It will show you the server name or IP.

If you do not have access to the SEPM server, then:

Open SEP client - Network Threat Protection - Options - Change Settings - Intrusion Prevention,
and from there you can disable Denial of Service detection.

Thanks In Advance

Ashish Sharma

Brɨan

It sounds like a possible false positive. You would need to scan the machine causing the DoS to ensure it is not infected with something. Basically, a large amount of ICMP packets are sent. So, for example, if someone did a ping -l 65000 [hostname], this could cause it.


Check the article below. It describes DoS attacks and how they work.

If you can understand how they work, then you will understand how to protect yourself against them. Look at the Smurf attack part specifically.

The steps you need to take to protect yourself from Smurf attacks can be done more through your operating system rather than your anti-virus software. Again, that information can be taken from the article above.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

