Endpoint Protection


False Denial of Service "IP Fragmentation Overlap" attack detected

  • 1.  False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 13, 2013 09:31 PM

    I'm trying to use a digital x-ray machine that communicates via an IP protocol on a Windows 7 64 bit SP1 machine with Symantec Endpoint Protection version 11.0.6005.562. Every time I try to acquire an image Symantec detects a Denial of Service "IP Fragmentation Overlap" attack and blocks the traffic from the IP address for 60 seconds. This results in our machine erroring out and not acquiring any image data. Is there a way to exclude Denial of Service attacks from specific IP addresses or UDP/TCP ports (or any other way to resolve this issue)? I can change the settings for Network Threat Protection to disable denial of service detection completely, but I'd rather not do that. Any ideas?
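To make the detection named in the title concrete, here is an added example (not Symantec's code, and not a claim about how SEP implements the signature) of the class of check an "IP Fragmentation Overlap" rule performs: fragments of one datagram are collected by their Identification value, and a new fragment whose byte range intersects one already held is flagged. The names `Fragment`, `Reassembler` and the three constructed datagrams in `demo()` are the example's own inventions. It separates an exact retransmitted duplicate from a conflicting overlap, which is the design choice a detector has to make before it decides to alert and drop.

```python
"""Toy IP fragment reassembler that flags overlapping fragments.

Added illustration of the check behind an "IP Fragmentation Overlap"
detection; not Symantec's implementation. Offsets are in bytes (the IP
header stores them in 8-byte units) and only the payload is modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    ident: int      # IP Identification field; shared by all fragments of one datagram
    offset: int     # byte offset within the original datagram (header value * 8)
    payload: bytes
    more: bool      # More Fragments flag; False on the final fragment


@dataclass
class _Pending:
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)  # (offset, data)
    total: Optional[int] = None                                     # known once MF=0 seen


class Reassembler:
    """Collects fragments per Identification value and records overlap alerts."""

    def __init__(self) -> None:
        self._pending: Dict[int, _Pending] = {}
        self.alerts: List[str] = []

    def classify(self, frag: Fragment) -> str:
        """'new', 'duplicate' (same bytes at the same range) or 'conflict'
        (intersecting range with different bytes or boundaries)."""
        pend = self._pending.setdefault(frag.ident, _Pending())
        start, end = frag.offset, frag.offset + len(frag.payload)
        for off, data in pend.pieces:
            if start < off + len(data) and off < end:      # byte ranges intersect
                if off == start and data == frag.payload:
                    return "duplicate"
                return "conflict"
        return "new"

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the reassembled payload once complete."""
        verdict = self.classify(frag)
        pend = self._pending[frag.ident]
        if verdict != "new":
            self.alerts.append(f"id={frag.ident}: {verdict} fragment at offset {frag.offset}")
            if verdict == "conflict":
                # A conflicting overlap is what the signature looks for; the
                # datagram is discarded rather than guessing which bytes win.
                del self._pending[frag.ident]
            return None                       # duplicates are simply not stored twice
        pend.pieces.append((frag.offset, frag.payload))
        if not frag.more:
            pend.total = frag.offset + len(frag.payload)
        return self._try_complete(frag.ident)

    def _try_complete(self, ident: int) -> Optional[bytes]:
        pend = self._pending[ident]
        if pend.total is None:
            return None                       # final fragment not seen yet
        buf = bytearray(pend.total)
        covered = 0
        for off, data in sorted(pend.pieces):
            if off + len(data) > pend.total:  # fragment past the declared end
                self.alerts.append(f"id={ident}: fragment beyond end of datagram")
                del self._pending[ident]
                return None
            buf[off:off + len(data)] = data
            covered += len(data)
        if covered != pend.total:             # pieces never overlap, so this means a gap
            return None
        del self._pending[ident]
        return bytes(buf)


def demo() -> dict:
    """Constructed traffic: a clean datagram, one with a retransmitted
    (duplicate) fragment, and one with a conflicting overlap."""
    r = Reassembler()
    clean = [Fragment(1, 0, b"A" * 16, True), Fragment(1, 16, b"B" * 8, False)]
    dup = [Fragment(2, 0, b"C" * 8, True), Fragment(2, 0, b"C" * 8, True),
           Fragment(2, 8, b"D" * 8, False)]
    bad = [Fragment(3, 0, b"E" * 16, True), Fragment(3, 8, b"F" * 16, False)]
    out: dict = {}
    for name, frags in (("clean", clean), ("dup", dup), ("bad", bad)):
        result = None
        for f in frags:
            got = r.add(f)
            if got is not None:
                result = got
        out[name] = result
    out["alerts"] = list(r.alerts)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it reassembles the first two datagrams and drops the third with an alert; the duplicate in the second datagram is logged but does not prevent reassembly. A stricter detector could alert on duplicates as well, which is exactly the kind of tuning that turns benign retransmissions into false positives.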



  • 2.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 13, 2013 09:35 PM

    I've already set firewall exceptions for the specific UDP and TCP ports that our machine communicates at.



  • 3.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 13, 2013 09:36 PM

    This is a known issue in this version.

    Similar thread here:

    https://www-secure.symantec.com/connect/forums/ddos

    And the KB article for it:

    Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.

    Article:TECH132161  |  Created: 2010-01-01  |  Updated: 2010-08-17  |  Article URL http://www.symantec.com/docs/TECH132161

     

    Ideally, you will need to upgrade. Otherwise, you can add the IP to the excluded hosts list in the policy on the SEPM.

    Setting up a list of excluded computers

    Article:HOWTO81159  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81159

     



  • 4.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 13, 2013 09:43 PM

    You are running on SEP 11.0.6005. This issue has been fixed in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 1 (RU6 MP1).  11.0.6100.645.

    What are the Symantec Endpoint Protection (SEP) versions released officially?

     

    https://www-secure.symantec.com/connect/articles/what-are-symantec-endpoint-protection-sep-versions-released-officially

    Upgrade your SEP to the latest version.

     

    Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control

    http://www.symantec.com/docs/TECH103088



  • 5.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 15, 2013 04:48 AM

    Sounds like a known issue. Do go through the SEP release notes from time to time.

    You may try to match your version and issue there.



  • 6.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 01:29 PM

    I have updated my Endpoint Protection to version 11.0.7300.1294, and the issue has not been resolved. Since updating the Symantec software, the false denial of service has only occurred intermittently, whereas before the update every scan was interrupted by Symantec. If I disable the services in Computer Management, there are no issues, but that is not a viable long term solution.

    An example of what the denial of service attack looks like when attempting to acquire an image (where xxx is all the same number and the real MAC addresses are left off):

    Time | Event Type | Severity | Direction | Protocol | Remote Host | Remote MAC | Local Host | Local MAC | Begin Time | End Time
    8:53:25 AM | Active response disengaged | Information | None | None | 192.168.xxx.2 | 00-00-00-00-00-00 | 0.0.0.0 | 00-00-00-00-00-00 | 8:53:26 AM | 8:53:26 AM
    8:53:25 AM | Denial of Service | Major | Incoming | UDP | 192.168.xxx.2 | YY-YY-YY-YY-YY-YY | 192.168.xxx.1 | ZZ-ZZ-ZZ-ZZ-ZZ-ZZ | 8:52:24 AM | 8:52:24 AM
    8:53:24 AM | Active Response | Major | Incoming | None | 192.168.xxx.2 | YY-YY-YY-YY-YY-YY | 192.168.xxx.1 | ZZ-ZZ-ZZ-ZZ-ZZ-ZZ | 8:52:25 AM | 8:52:25 AM

    What I've done so far:

    Network Threat Protection > Options > Configure Firewall Rules...

    • Allowed traffic to/from the specific Remote (YY... above) and Local (ZZ... above) MAC addresses 
    • Allowed traffic to/from the specific IP addresses (192.168.xxx.1-192.168.xxx.2)
    • Allowed traffic to/from the specific TCP ports
    • Allowed traffic to/from the specific UDP port

    View Logs > Client Management > View Logs > Security Log...

    • Right-clicked on each of the events and selected Stop All Active Response

    Any ideas/suggestions would be appreciated.

    Thanks,



  • 7.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 01:33 PM

    Creating firewall rules won't fix this.

    If you go to Change Settings >> Configure Settings under NTP and on the Firewall tab there is an option to Enable denial of service detection. You can test it out by unchecking to see if it stops.

    If you are using an unmanaged client then this will be the only way aside from updating to the latest version, which was supposed to be fixed but doesn't look to be the case.

    If you are using a managed client then there are a few more options, but it sounds like you are using unmanaged?



  • 8.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 01:36 PM

    What do you mean a managed client? One with an active service contract with Symantec?



  • 9.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 01:49 PM

    The SEP client would be managed by a SEPM

    Unmanaged is not and you have full control over all the settings.

    Open the client UI and go to Help >> Troubleshooting. What does it say next to Server?

     



  • 10.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 02:25 PM

    You were correct; this is self-managed.

    If I disable Denial of Service Detection, how vulnerable would the computer be?



  • 11.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 02:35 PM

    Test it first to make sure that is the issue.

    Basically, a DoS is when an attacker tries to make your PC unusable, usually by sending more traffic than what your PC can handle.

    So hopefully you haven't ticked anyone off lately, but in all seriousness, there is always a risk but this may be a low risk. DoS attacks are usually targeted attacks with the intention of bringing down a website, bank, etc.

    If you're a home user, the risk should be low. Personally, I would want to use this feature but if it is still broken your hands are kinda tied.

    Unfortunately the unmanaged version doesn't allow you to add exceptions like a managed version would. You either turn it off or turn it on.



  • 12.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 04:36 PM

    Do you just have to purchase the managed version? Is there an update procedure?

    Edit: Never mind. Apparently, you can just uninstall the self-managed version and reinstall the managed version. I will try it out and give an update if it works.



  • 13.  RE: False Denial of Service "IP Fragmentation Overlap" attack detected

    Posted Mar 26, 2013 05:17 PM

    You don't need to uninstall. You just replace the sylink file on the client with the sylink from the SEPM. It will then connect and become managed.