
New 1GB Router Denial of Service is Logged

Created: 16 Jun 2013 | 5 comments

All the previous threads are very dated... And, Locked...

I recently upgraded my Home Wireless Router to a Netgear WNDR3700. Going from a Linksys 10/100 Wired/Wireless G to a 1GB wired dual band G/N.

My Symantec is as updated as can possibly be for version 11.0.5000,550 running Live Update All daily.

I have mitigated the problem somewhat by reducing the time out to 1 second.

I am NOT a Network Guru and I am at a loss to know how to tell whether this is a 'UDP Flood' situation because of the increased bandwidth or a "real" DOS attack.

The reason I upgraded was to support my new Silicon Dust HDHomerun Prime HD (3 Tuners) DVR system. I am concerned that this problem will occur during a recording session and blow it out of the water.

I am no longer on my 'Good' Laptop as it is now my Media Center (The DVR requires Win 7 Windows Media Center to work). So, I can't say for sure if it is actually happening there or not. (The one I am on most is now a Dell Latitude D600! Great for e-mail and FB :) )

Primary concern is how to tell if it is a real DOS attack or not...

Secondary, is I am still getting (assumed - Firefox can't find server) DNS handshaking misses. (Using IE8 Right now as default)

Of course... I may have the router set up wrong, too...

Sorry for any spelling errors as IE8 has no spell checker and Specie doesn't seem to work on the forum...

Mike Sr.

I HATE consumer oriented products that leave out all the techie stuff! Which is what Netgear has done with this router!

Very frustrating to be 60 and having been 'playing' with computers and programming since 17 and be at a total loss...

Posting was a nightmare... I hope I got it right???


Rafeeq's picture

A DoS attack is more of a signature match; even if I have a genuine application and it sends too much ping or outgoing traffic, then it will log a DoS attack.

Unexpected outbound Denial of Service (DoS) attack

http://www.symantec.com/business/support/index?page=content&id=TECH132487

If you are sure that the traffic is from your known application then you can safely ignore it.

A screenshot will be more helpful to know what signature (SID) is blocking it.

SpiritualMadMan's picture

Here's the Security Log... I note that there is no 'Application' shown as being at fault, and all from the same Address. I am suspecting that this address is the HDHomerun Prime trying to see if any Windows Media Center(s) are on-line...

As at the time of this action only the HDHomerun Prime and the laptop are 'wired' this may have solved the issue...

So, if I understand all the previous threads, the 'cure' is to add the HDHomeRun Prime's IP to the exclusion list?

So...  How would I go about 'Excepting' 192.168.1.3 ?

Rafeeq's picture

Is this a managed client or unmanaged SEP? Do you have Symantec Endpoint Protection Manager installed?

Rafeeq's picture

If you are on self managed (unmanaged)

(to find out, open the SEP interface, click on Help and Support -> Troubleshooting; do you see the server as Offline or Self Managed?) If it says Unmanaged,

then you go to Change Settings >> Configure Settings under NTP and on the Firewall tab there is an option to Enable denial of service detection. You can test it out by unchecking to see if it stops.

If you are using an unmanaged client then this will be the only way as you cannot add exceptions for the source for IPS detection.

or
Open SEP-GUI
Network Threat Protection - Options - Configure Firewall Rules
Add rule Allow all - Under Network add IP address

.Brian's picture

This was a known issue with this version. It is a false positive.

Is this a managed or unmanaged version of SEP?

Is there no chance you can upgrade? This version is pretty old (2+ years). I assume you can't but just wanted to check. I know this was fixed in a later version.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
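
For the question raised at the top of the thread (is the logged source a device on the LAN or something outside it), here is an added example that is not from any poster or from Symantec: it groups Denial of Service log rows by remote address and classifies each address against the local subnet. The log rows and their column layout are constructed, and the 192.168.1.0/24 subnet is an assumption based on the 192.168.1.3 address quoted in the thread.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows (NOT real SEP log output); the column layout is assumed.
SAMPLE_LOG = """time,event,remote_ip,local_ip
2013-06-16 09:01:02,Denial of Service,192.168.1.3,192.168.1.10
2013-06-16 09:01:03,Denial of Service,192.168.1.3,192.168.1.10
2013-06-16 09:01:05,Denial of Service,192.168.1.3,192.168.1.10
2013-06-16 09:07:41,Denial of Service,203.0.113.7,192.168.1.10
"""

# RFC 1918 private ranges, listed explicitly so the result does not depend
# on how a given Python version defines ip.is_private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triage(log_text, local_net="192.168.1.0/24"):
    """Count DoS events per remote address and say where each address sits."""
    net = ipaddress.ip_network(local_net)  # assumed home subnet
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if "denial of service" not in row["event"].lower():
            continue
        counts[ipaddress.ip_address(row["remote_ip"])] += 1

    report = {}
    for ip, n in counts.items():
        if ip in net:
            origin = "lan"            # a device on the same subnet as this PC
        elif any(ip in r for r in RFC1918):
            origin = "rfc1918-other"  # private, but not the local subnet
        else:
            origin = "external"       # routable source, worth a closer look
        report[str(ip)] = {"events": n, "origin": origin}
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```
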