
False Denial of Service "IP Fragmentation Overlap" attack detected

Created: 13 Mar 2013 | 12 comments

I'm trying to use a digital x-ray machine that communicates via an IP protocol on a Windows 7 64 bit SP1 machine with Symantec Endpoint Protection version 11.0.6005.562. Every time I try to acquire an image Symantec detects a Denial of Service "IP Fragmentation Overlap" attack and blocks the traffic from the IP address for 60 seconds. This results in our machine erroring out and not acquiring any image data. Is there a way to exclude Denial of Service attacks from specific IP addresses or UDP/TCP ports (or any other way to resolve this issue)? I can change the settings for Network Threat Protection to disable denial of service detection completely, but I'd rather not do that. Any ideas?
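Added example, not code from the original thread or from Symantec: a minimal model of the condition an "IP Fragmentation Overlap" intrusion-prevention signature reacts to. An IPv4 datagram larger than the path MTU is split into fragments that share an identification value and each carry an offset in 8-byte units; a well-formed set tiles the payload exactly, while two fragments claiming the same bytes have historically been used to evade inspection (teardrop-style attacks), which is why IPS engines flag the pattern. All addresses, identification values and sizes below are constructed for the demo, and the claim that an exact retransmitted fragment trips the same check is an assumption about how such signatures behave, not a statement about the SEP engine.

```python
# Added example (not code from the original thread or from Symantec): a
# minimal model of the condition an "IP Fragmentation Overlap" IPS signature
# reacts to. All addresses, IDs and sizes below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPV4_HEADER_LEN = 20  # fragment offsets are in 8-byte units per RFC 791


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int      # 17 = UDP
    ident: int      # IP identification shared by all fragments of a datagram
    offset: int     # fragment offset in 8-byte units, as carried on the wire
    length: int     # bytes of transport payload in this fragment
    more: bool      # More-Fragments flag (False on the last fragment)

    @property
    def byte_range(self) -> Tuple[int, int]:
        start = self.offset * 8
        return start, start + self.length


def fragment_datagram(src: str, dst: str, proto: int, ident: int,
                      payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split a transport payload into well-formed fragments for the given MTU.

    Every fragment except the last carries a multiple of 8 payload bytes so
    the next offset stays expressible in 8-byte units; with a 1500-byte MTU
    that is 1480 bytes per fragment.
    """
    per_fragment = ((mtu - IPV4_HEADER_LEN) // 8) * 8
    frags: List[Fragment] = []
    sent = 0
    while sent < payload_len:
        n = min(per_fragment, payload_len - sent)
        frags.append(Fragment(src, dst, proto, ident, sent // 8, n,
                              more=sent + n < payload_len))
        sent += n
    return frags


def find_overlaps(fragments: List[Fragment]):
    """Report fragments whose byte range overlaps one already seen for the
    same (src, dst, proto, ident) tuple.

    This is the detection idea behind an overlap signature: a clean
    reassembly tiles [0, total) with no two fragments sharing a byte. An
    exact duplicate (a retransmitted fragment) also counts as an overlap
    here, which is one benign way a device could trip such a check
    (an assumption for this demo, not a description of SEP's engine).
    Returns a list of (key, earlier_range, offending_range).
    """
    seen: Dict[tuple, List[Tuple[int, int]]] = {}
    findings = []
    for frag in fragments:
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        start, end = frag.byte_range
        for prev_start, prev_end in seen.get(key, []):
            if start < prev_end and prev_start < end:
                findings.append((key, (prev_start, prev_end), (start, end)))
                break
        seen.setdefault(key, []).append((start, end))
    return findings


if __name__ == "__main__":
    # A 9000-byte UDP datagram, the kind of large payload an image transfer
    # might send, fragments cleanly into six 1480-byte pieces plus a
    # 120-byte tail (seven fragments in all).
    clean = fragment_datagram("192.168.0.2", "192.168.0.1", 17, 0x1234, 9000)
    print(len(clean), "fragments, overlaps:", find_overlaps(clean))

    # Same datagram with the third fragment sent twice: flagged although
    # nothing malicious happened.
    retransmit = clean + [clean[2]]
    print("retransmit overlaps:", find_overlaps(retransmit))

    # Teardrop-style: a second fragment whose range lands inside the first.
    teardrop = [clean[0],
                Fragment("192.168.0.2", "192.168.0.1", 17, 0x1234, 1, 100, True)]
    print("teardrop overlaps:", find_overlaps(teardrop))
```

The useful takeaway for the thread's situation is the scope of the check: it keys on the (source, destination, protocol, identification) tuple and on fragment byte ranges, not on ports or MAC addresses, so allow rules written in terms of ports or MACs do not change what the signature sees.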


demoya wrote:

I've already set firewall exceptions for the specific UDP and TCP ports that our machine communicates at.

.Brian wrote:

This is a known issue in this version.

Similar thread here:

https://www-secure.symantec.com/connect/forums/ddos

And the KB article for it:

Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.

Article:TECH132161  |  Created: 2010-01-01  |  Updated: 2010-08-17  |  Article URL http://www.symantec.com/docs/TECH132161


Ideally, you will need to upgrade. Otherwise, you can add the IP to the excluded hosts list in the policy on the SEPM.

Setting up a list of excluded computers

Article:HOWTO81159  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81159


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mohan Babu wrote:

You are running on SEP 11.0.6005. This issue has been fixed in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 1 (RU6 MP1), 11.0.6100.645.

What are the Symantec Endpoint Protection (SEP) versions released officially?


https://www-secure.symantec.com/connect/articles/what-are-symantec-endpoint-protection-sep-versions-released-officially

Upgrade your SEP to the latest version.


Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control

http://www.symantec.com/docs/TECH103088


cus000 wrote:

Sounds like a known issue; do go through the SEP release notes from time to time.

You may try to match your version and issue there.

demoya wrote:

I have updated my Endpoint Protection to version 11.0.7300.1294, and the issue has not been resolved. Since updating the Symantec software, the false denial of service has only occurred intermittently, whereas before the update every scan was interrupted by Symantec. If I disable the services in Computer Management, there are no issues, but that is not a viable long term solution.

An example of what the denial of service attack looks like when attempting to acquire an image (where xxx is all the same number and the real MAC addresses are left off):

Time | Event Type | Severity | Direction | Protocol | Remote Host | Remote MAC | Local Host | Local MAC | Begin Time | End Time
8:53:25 AM | Active response disengaged | Information | None | None | 192.168.xxx.2 | 00-00-00-00-00-00 | 0.0.0.0 | 00-00-00-00-00-00 | 8:53:26 AM | 8:53:26 AM
8:53:25 AM | Denial of Service | Major | Incoming | UDP | 192.168.xxx.2 | YY-YY-YY-YY-YY-YY | 192.168.xxx.1 | ZZ-ZZ-ZZ-ZZ-ZZ-ZZ | 8:52:24 AM | 8:52:24 AM
8:53:24 AM | Active Response | Major | Incoming | None | 192.168.xxx.2 | YY-YY-YY-YY-YY-YY | 192.168.xxx.1 | ZZ-ZZ-ZZ-ZZ-ZZ-ZZ | 8:52:25 AM | 8:52:25 AM

What I've done so far:

Network Threat Protection > Options > Configure Firewall Rules...

  • Allowed traffic to/from the specific Remote (YY... above) and Local (ZZ... above) MAC addresses 
  • Allowed traffic to/from the specific IP addresses (192.168.xxx.1-192.168.xxx.2)
  • Allowed traffic to/from the specific TCP ports
  • Allowed traffic to/from the specific UDP port

View Logs > Client Management > View Logs > Security Log...

  • Right-clicked on each of the events and selected Stop All Active Response

Any ideas/suggestions would be appreciated.

Thanks,
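Added example, not code from the original thread or from Symantec: a small correlation over exported SEP Network Threat Protection security-log rows that pairs each Active Response with the Denial of Service event that preceded it and the disengage event that released it, so you can read off how long a host was blocked and on which protocol the trigger arrived. The three rows are constructed to mirror the events demoya posted (xxx placeholders kept, MAC columns dropped because they play no part in the pairing); the 60-second comparison uses the block length reported in the opening post, and a single-day log is assumed because the export carries clock times only.

```python
# Added example (not from the original thread or from Symantec): correlate
# SEP Network Threat Protection security-log rows to measure how long an
# Active Response kept a host blocked and which event triggered it.
# The rows are constructed to mirror the three events posted above;
# MAC columns are omitted. A single-day log is assumed.
from datetime import datetime
from typing import Dict, List, Tuple

# Columns: event time, event type, severity, direction, protocol,
#          remote host, local host, begin time, end time
# (newest first, the order SEP lists them in).
SAMPLE_LOG = [
    ("8:53:25 AM", "Active response disengaged", "Information", "None", "None",
     "192.168.xxx.2", "0.0.0.0", "8:53:26 AM", "8:53:26 AM"),
    ("8:53:25 AM", "Denial of Service", "Major", "Incoming", "UDP",
     "192.168.xxx.2", "192.168.xxx.1", "8:52:24 AM", "8:52:24 AM"),
    ("8:53:24 AM", "Active Response", "Major", "Incoming", "None",
     "192.168.xxx.2", "192.168.xxx.1", "8:52:25 AM", "8:52:25 AM"),
]


def parse_time(s: str) -> datetime:
    """The export carries clock times only; all rows are taken as one day."""
    return datetime.strptime(s, "%I:%M:%S %p")


def block_windows(rows) -> Dict[str, List[dict]]:
    """Pair each 'Active Response' with the 'Denial of Service' row that
    preceded it for the same remote host and the 'Active response
    disengaged' row that closed it.

    Rows are walked oldest-first by Begin Time. Returns, per remote host,
    a list of dicts with the trigger event, the protocol it came in on,
    the engage/release times and the block length in seconds.
    """
    last_trigger: Dict[str, Tuple[str, str]] = {}
    open_block: Dict[str, Tuple[Tuple[str, str], datetime]] = {}
    windows: Dict[str, List[dict]] = {}
    for (_, ev_type, _, _, proto, remote, _, begin, end) in sorted(
            rows, key=lambda r: parse_time(r[7])):
        if ev_type == "Denial of Service":
            last_trigger[remote] = (ev_type, proto)
        elif ev_type == "Active Response":
            trigger = last_trigger.get(remote, ("unknown", proto))
            open_block[remote] = (trigger, parse_time(begin))
        elif ev_type == "Active response disengaged" and remote in open_block:
            (trigger, trigger_proto), engaged = open_block.pop(remote)
            released = parse_time(end)
            windows.setdefault(remote, []).append({
                "trigger": trigger,
                "protocol": trigger_proto,
                "engaged": engaged.strftime("%H:%M:%S"),
                "released": released.strftime("%H:%M:%S"),
                "seconds": (released - engaged).total_seconds(),
            })
    return windows


def looks_like_default_block(seconds: float, default: int = 60,
                             slack: int = 2) -> bool:
    """True when the measured block matches the 60-second active response
    the opening post describes, allowing for one-second log granularity."""
    return abs(seconds - default) <= slack


if __name__ == "__main__":
    for host, blocks in block_windows(SAMPLE_LOG).items():
        for b in blocks:
            verdict = "default block" if looks_like_default_block(b["seconds"]) else "non-default"
            print(host, b, verdict)
```

On the posted rows this yields a single 61-second block of 192.168.xxx.2 triggered by one incoming UDP Denial of Service event, which is what a practitioner would want to confirm before deciding between an excluded-hosts entry and disabling the detection outright.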

.Brian wrote:

Creating firewall rules won't fix this.

If you go to Change Settings >> Configure Settings under NTP and on the Firewall tab there is an option to Enable denial of service detection. You can test it out by unchecking to see if it stops.

If you are using an unmanaged client then this will be the only way, aside from updating to the latest version, which was supposed to be fixed but doesn't look to be the case.

If you are using a managed client then there are a few more options, but it sounds like you are using unmanaged?


demoya wrote:

What do you mean by a managed client? One with an active service contract with Symantec?

.Brian wrote:

The SEP client would be managed by a SEPM

Unmanaged is not and you have full control over all the settings.

Open the client UI and go to Help >> Troubleshooting. What does it say next to Server?


demoya wrote:

You were correct; this is self-managed.

If I disable Denial of Service Detection, how vulnerable would the computer be?

.Brian wrote:

Test it first to make sure that is the issue.

Basically, a DoS is when an attacker tries to make your PC unusable, usually by sending more traffic than what your PC can handle.

So hopefully you haven't ticked anyone off lately, but in all seriousness, there is always a risk, but this may be a low risk. DoS attacks are usually targeted attacks with the intention of bringing down a website, bank, etc.

If you're a home user, the risk should be low. Personally, I would want to use this feature, but if it is still broken your hands are kinda tied.

Unfortunately the unmanaged version doesn't allow you add exceptions like a managed version would. You either turn it off or turn it on.


demoya wrote:

Do you just have to purchase the managed version? Is there an update procedure?

Edit: Never mind. Apparently, you can just uninstall the self-managed version and reinstall the managed version. I will try it out and give an update if it works.

.Brian wrote:

You don't need to uninstall. You just replace the sylink file on the client with the sylink from the SEPM. It will then connect and become managed.
