
Denial of Service "UDP Flood Attack" attack detected.

Created: 09 Sep 2011 | 11 comments

Hello,

We have a teacher who gets a denial of service "UDP flood attack" attack detected every time she uses your work laptop at home. She can use it at work without any problems. This is the complete log message on SEP. The version we use is 11.0.6005.562. Any help solving this would be appreciated. Thanks


thatdude's picture

You need to upgrade. I was one of the first to report this issue and it has been fixed in later releases. You could also add the DNS and/or home router gateway address to the IPS exclusion. The last option is to disable the DoS option.

Mithun Sanghavi's picture

Hello,

Please Migrate the SEP to the Latest version.

Here is an Article for the same - 

Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.

http://www.symantec.com/docs/TECH132161

Release notes for Endpoint Protection and Network Access Control 11

Resolved a UDP flood attack false positive

Fix ID: 2058022
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.

Migrating to Symantec Endpoint Protection 11.0.7000 (RU7)

Hope this helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pipta@olgchs.org's picture

Denial of Service "UDP Flood Attack" attack detected.

Description:

An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.

Traffic from IP address 192.168.1.1 is blocked from 9/5/2011 7:55:59 PM to 9/5/2011 8:05:59 PM.

pipta@olgchs.org's picture

I thought that's what I would have to do. I was hoping there was a workaround considering we have already started the school year. Would the newer version be able to use the same client agent already installed on the laptops and desktops? Thanks

Mithun Sanghavi's picture

Hello,

Migration would include:

1) Migration of SEPM on the Server.

2) Migrating of SEP clients on all machines.

No Uninstallation is required.

The Article below would help you do the same:

Migrating to Symantec Endpoint Protection 11.0.7000 (RU7)

Hope that answers!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


pipta@olgchs.org's picture

Thank you, much appreciated. Hopefully I can remember my password for fileconnect.

Mithun Sanghavi's picture

Hello,

Fileconnect website does not require a Password; it requires a Serial Number, and it is provided to you on your Paper License (.pdf Format).

The Serial Number may start with the Letter "M".

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


khaskins82's picture

Have you checked the possibility that there may be an infected PC on the home network?

pipta@olgchs.org's picture

I have already downloaded 11.0.7x. I did give that a thought, however this teacher contends she only uses her work laptop at home and I checked the client on her machine and everything is okay. Thanks

JACrane's picture

I have a 1 year old HP laptop running IE7 with a wireless connection to a home router that has developed a similar denial of service problem "UDP Flood attack" which randomly occurs and results in an active response for 30min. This problem has been occurring for 2 months now. I have not done any upgrades to Symantec in the past year, other than what is automatically delivered. It is running version 11.0.6005.562 and is on a home network with a laptop running XP with a wireless connection and a desktop running XP which is hard wired. Both of these old machines run version 10.1.9.9000, and I have not seen any problem with them, but files are shared across the home network for printing. Do I need to upgrade Symantec on the two old machines?

thanks

.Brian's picture

Yes, upgrade to the latest version, RU7.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.