
false denial of service attacks from remote office vpn computers

Created: 25 Dec 2012 • Updated: 10 Jan 2013 | 8 comments
This issue has been solved. See solution.

Hi

I have a main and a remote office connected by VPN. Users in the remote office are mapping network drives to a server in the main office.

SEP detects a DDoS attack and blocks all traffic on the server for a while.

"Denial of Service "IP Fragmentation Overlap" attack detected.
Description:
An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly."

So I get network problems with the server in the main office. I think the problem is in mapping network drives over VPN.

How can I configure the firewall policy to avoid such errors?

Help. Thank you


Ashish-Sharma's picture

Hi,

Check these threads; they may help.

https://www-secure.symantec.com/connect/forums/denial-service-ip-fragmentation-overlap-attack-detected

https://www-secure.symantec.com/connect/forums/ip-fragmentation-overlap

Check this.

Clients report Denial of Service attack (IP Fragmentation overlap) when no overlap is occurring
Fix ID: 1586674
Symptom: When connected over a VPN, a false positive Denial of Service detection (IP fragmentation overlap) causes the Web site to be blocked for 10 minutes.
Solution: Corrected how the last IP fragmentation packet is identified to properly calculate the packet length.

http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH103087

Thanks In Advance

Ashish Sharma
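An added example, not part of the thread and not Symantec's code: a minimal overlap check on raw IPv4 fragment headers, showing how the detection quoted above depends on computing each fragment's payload length correctly. The `subtract_header` switch is a hypothetical length error used only to illustrate how correctly fragmented traffic can be flagged as overlapping; it is not claimed to be the defect behind Fix ID 1586674. All headers and addresses are constructed samples.

```python
import struct

def frag_span(hdr: bytes, subtract_header: bool = True):
    """Return (start, end, more_fragments) in payload bytes for a raw IPv4 header."""
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", hdr[:8])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    start = (flags_off & 0x1FFF) * 8      # fragment offset field counts 8-byte units
    more = bool(flags_off & 0x2000)       # MF flag: cleared only on the last fragment
    # Hypothetical error when subtract_header is False: header bytes counted as payload.
    length = total_len - ihl if subtract_header else total_len
    return start, start + length, more

def check_datagram(headers, subtract_header: bool = True) -> str:
    """Classify the fragments of one datagram as 'ok', 'overlap' or 'incomplete'."""
    spans = sorted(frag_span(h, subtract_header) for h in headers)
    expected = 0
    for start, end, _more in spans:
        if start < expected:
            return "overlap"              # fragment begins inside data already covered
        if start > expected:
            return "incomplete"           # hole: a fragment is missing
        expected = end
    # Complete only if the highest-offset fragment has MF cleared.
    return "ok" if spans and not spans[-1][2] else "incomplete"

def make_header(offset: int, payload_len: int, more: bool) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0, sample addresses)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_off, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))

# Constructed sample: 3000 payload bytes split into 1376-byte fragments.
CLEAN = [make_header(0, 1376, True), make_header(1376, 1376, True),
         make_header(2752, 248, False)]
# Constructed sample: the second fragment starts 8 bytes inside the first.
OVERLAPPING = [make_header(0, 1376, True), make_header(1368, 1376, True),
               make_header(2744, 256, False)]

if __name__ == "__main__":
    print(check_datagram(CLEAN))                         # correct length math
    print(check_datagram(OVERLAPPING))                   # genuine overlap
    print(check_datagram(CLEAN, subtract_header=False))  # false positive from bad length
```

Running the same check over the fragment headers from a capture of the VPN traffic shows whether an alert corresponds to real overlapping offsets or to a detection error.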

arsenalwine's picture

Ashish,

I have the 12.1 version of SEP. Your link describes fixes for the 11.0 version. So the problem still remains in the new version.

A temporary solution is to disable the firewall policy for remote VPN computers and servers.

I think I should better tune firewall rules like "block local file sharing to remote computers". Isn't it?

I will test it later. Now I just disabled the firewall policy.

Mithun Sanghavi's picture

Hello,

What version of SEP 12.1 are you running? Make sure you are running the Latest version of SEP 12.1 RU2

Are you using Barracuda NG VPN Software??

If yes, this issue has been resolved in the SEP 12.1 RU1 MP1 and above. It is requested you to please migrate to the Latest version of SEP 12.1 RU2.

If you are planning to upgrade or migrate to Symantec Endpoint Protection 12.1.2, please take a look at the latest how-to article below:

Best practices for upgrading to Symantec Endpoint Protection 12.1.2

http://www.symantec.com/docs/TECH163700

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

arsenalwine's picture

I upgraded SEPM yesterday to 12.1.2. But clients still have 12.1.671.4971 release. I think they need some time.

No, I'm not using barracuda software.

Mithun Sanghavi's picture

Hello,

Please Migrate the Clients to the Latest version of SEP 12.1 RU2 and let us know if that helps!!

For Best Practices on Migration, you can use the Article provided in the comment above.

Please update this Thread with the results once you have the clients migrated.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


SOLUTION
.Brian's picture

Upgrade the client to the latest version and test again.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Hi,

Thanks for writing your query in the Symantec community.

You can check SEP fix notes here:

http://www.symantec.com/business/support/index?pag...

The latest version of SEP 12.1 is SEP 12.1 RU2

Check the SEP releases to date here: http://bit.ly/m0vOJp

Chetan Savade
Sr. Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

arsenalwine's picture

Hi guys

After updating clients to 12.1.2 and two weeks of monitoring I've not encountered the problem.

Thank you for your support.