False denial of service attacks from remote office VPN computers
Created: 25 Dec 2012 | Updated: 10 Jan 2013 | 8 comments
This issue has been solved. See solution.
Hi
I have a main and a remote office connected by VPN. Users in the remote office are mapping network drives to a server in the main office.
SEP detects a DDoS attack and blocks all traffic on the server for a while.
"Denial of Service "IP Fragmentation Overlap" attack detected.
Description:
An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly."
So I get network problems with the server in the main office. I think the problem is in mapping network drives over VPN.
How can I configure the firewall policy to avoid such errors?
Help. Thank you.
Hi,
Check these threads; they may help:
https://www-secure.symantec.com/connect/forums/denial-service-ip-fragmentation-overlap-attack-detected
https://www-secure.symantec.com/connect/forums/ip-fragmentation-overlap
Check this.
Clients report Denial of Service attack (IP Fragmentation overlap) when no overlap is occurring
Fix ID: 1586674
Symptom: When connected over a VPN, a false positive Denial of Service detection (IP fragmentation overlap) causes the Web site to be blocked for 10 minutes.
Solution: Corrected how the last IP fragmentation packet is identified to properly calculate the packet length.
http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH103087
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
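The overlap condition named in the SEP alert and the length calculation mentioned in Fix ID 1586674, as an added example that is not part of the thread and not Symantec's code. The headers are constructed samples, and the `count_header` switch is a hypothetical length miscalculation used only to show how a length error turns clean fragments into a reported overlap.

```python
import struct

def parse_fragment(header: bytes, count_header: bool = False):
    """Return (start, end, more_fragments) for the payload of one IPv4 fragment."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    start = (flags_frag & 0x1FFF) * 8     # fragment offset is in 8-byte units
    more = bool(flags_frag & 0x2000)      # MF flag; 0 only on the last fragment
    # count_header=True is a hypothetical bug: header bytes counted as payload.
    length = total_len if count_header else total_len - ihl
    return start, start + length, more

def check_fragments(ranges):
    """Return (overlap_found, reassembled_length or None if incomplete)."""
    ordered = sorted(ranges)              # fragments may arrive out of order
    pairs = list(zip(ordered, ordered[1:]))
    overlap = any(nxt[0] < cur[1] for cur, nxt in pairs)
    last = [r for r in ordered if not r[2]]
    complete = (ordered[0][0] == 0 and last == [ordered[-1]]
                and all(nxt[0] == cur[1] for cur, nxt in pairs))
    return overlap, (ordered[-1][1] if complete else None)

def make_header(total_len, offset_bytes, more, ident=0x1234):
    """Build a constructed 20-byte IPv4 header (checksum left as 0)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed sample: a 3000-byte payload fragmented for a 1400-byte tunnel MTU,
# listed out of arrival order.
BENIGN = [make_header(268, 2752, False),
          make_header(1396, 0, True),
          make_header(1396, 1376, True)]

# Constructed sample: the second fragment starts 8 bytes inside the first.
OVERLAPPING = [make_header(1396, 0, True),
               make_header(1396, 1368, True),
               make_header(268, 2744, False)]

if __name__ == "__main__":
    print(check_fragments([parse_fragment(h) for h in BENIGN]))
    print(check_fragments([parse_fragment(h) for h in OVERLAPPING]))
    print(check_fragments([parse_fragment(h, count_header=True) for h in BENIGN]))
```
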
Ashish,
I have the 12.1 version of SEP. Your link describes fixes for the 11.0 version. So the problem still remains in the new version.
A temporary solution is to disable the firewall policy for remote VPN computers and servers.
I think I should better tune firewall rules like "block local file sharing to remote computers". Isn't it?
I will test it later. Now I just disabled the firewall policy.
Hello,
What version of SEP 12.1 are you running? Make sure you are running the latest version, SEP 12.1 RU2.
Are you using Barracuda NG VPN software?
If yes, this issue has been resolved in SEP 12.1 RU1 MP1 and above. You are requested to please migrate to the latest version, SEP 12.1 RU2.
If you are planning to upgrade or migrate to Symantec Endpoint Protection 12.1.2, please take a look at the latest how-to article below:
Best practices for upgrading to Symantec Endpoint Protection 12.1.2
http://www.symantec.com/docs/TECH163700
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
I upgraded SEPM yesterday to 12.1.2. But clients still have the 12.1.671.4971 release. I think they need some time.
No, I'm not using Barracuda software.
Hello,
Please migrate the clients to the latest version, SEP 12.1 RU2, and let us know if that helps!!
For best practices on migration, you can use the article provided in the comment above.
Please update this Thread with the results once you have the clients migrated.
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Upgrade the client to the latest version and test again.
SEP Knowledge Base
Endpoint SWAT
Hi,
Thanks for writing your query in the Symantec community.
You can check the SEP fix notes here:
http://www.symantec.com/business/support/index?pag...
The latest SEP 12.1 version is SEP 12.1 RU2.
Check the SEP releases to date here: http://bit.ly/m0vOJp
Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hi guys,
After updating clients to 12.1.2 and two weeks of monitoring I've not encountered the problem.
Thank you for your support.