Endpoint Protection

 View Only
Back to discussions
Expand all | Collapse all

NTP network activity - please educate me!

Migration User

Migration UserFeb 15, 2010 11:09 AM

  • 1.  NTP network activity - please educate me!

    Posted Feb 12, 2010 04:18 PM
    Open SEP, click the options on network threat protection and choose network activity..........
    I'd like to know more of what I'm seeing.
    Reason is that SOMETHING is blocking PINGS to/from these DCs off and on.
    I want to discount or prove it's not SEP, or that it is if necessary.
    I do not think it is because there's no record of anything being blocked in teh logs - HOWEVER, it could still be blocking without it knowing that it blocking and thus not logging it.
    The logs show nothing being blocked as the pings are failing.
    I opened network activity in NTP in SEP, and see apps listed in the lower pane and a moving chart at the top.
    In the lower pane I see blue boxes on one or two of the apps listed now and then. They come and go.
    I do not see anyting other than a "dash" next to blocked and total at the top of the chart - does that mean anything?
    The attack history top right is a flat line, nothing.
    The blue boxes just showed up on DNS, WINS and LSASS a bit ago, then disappeared from DNS and WINS.............
    Does that mean they are active??

    I'm tasked with finding why the DCs stop pinging off and on through the day, and for extended periods at times, and to figure out what the SAS.EXE reports we got back mean - appcritical reports mean that we got back, showing weird MTU and gray hole findings..........
    SEP related or not?
    Hardware issues?
    VMWare issues?
    configuration of ASAs?

    Bandwidth constriction (3.03Mbps) detected between hop 1 (xxx.xxx.190.1) and target (111.111.14.18)
    Likely gray hole detected between hop 1 (xxx.xxx.190.1) and target (111.111.14.18)
    MTU constriction (1446 bytes) detected at target (111.111.14.18)

     I'm lost..........
     

    Attachment(s)

    zip
    sep-ips-dos-1month-2-15-10.zip   42 KB 1 version
    zip
    SEP-IPS-DOS-ping.zip   697 KB 1 version


  • 2.  RE: NTP network activity - please educate me!



  • 3.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 08:45 AM
    SEP is NOT logging that anything is being blocked. It's only stating that there is a single entry for a DOS attack. No record of it blocking anything, and I have that box unchecked (block for 600 seconds is NOt turned on)

    I'm going to have to run wireshark, but the kicker is that this is UNPREDICTABLE, so how to capture anything will be a real problem I can't capture a whole hour of all DC traffic, so what do I do, start wireshark then sit and stare at the screen for 2 or 3 hours hoping to catch something?
    Capturing DC traffic amounts to GIGS of data in just a short time, and I can't start a capture and sit back as chances are, it won't capture anything, but as sure as I end the capture, then something will happen. I can't force it to happen, and have NO CLUE where the next DOS attack will appear to come from.
    I'm still thinking that SEP is involved and blocking the pings as I can't see any other reason for the pings to be blocked.......

    Also - I've been told by a fellow in a CAR FORUM LOL - no help here - a car forum - told me that by default, VMWare ESX has a firewall running. I can't find any more info, though. But did find it intriguing that I'm getting a pretty good level of help from a car forum I run, and very little action here where it's full of networking folks! LOL, sort of funny, isn't it?
    Sort of interesting that a collector or owner of an old Rambler knows this - and no one else has hinted it.......... not even the fellow who was working on the ticket with SYmantec for me.........


  • 4.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 08:53 AM
    Here is how to check whether your ESX server firewall is enabled or disabled. If enabled you can probably disable it to check.
    http://www.petri.co.il/secure-vmware-esx-server.htm

    Would have been fun if I would have got a chance working with you back then.. 


  • 5.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 09:20 AM
    You are good...........
    Yeah, it would have.
    Now, are you anywhere close to Iowa where you could drop in for a look?
    I am starting to think the only solution is to get someone to actually LOOK at our setup. Some of this stuff has been going on for months, and we're so short-handed here, it's crazy.
    Now we can at least take a look at the ESX side of things.
    I'm still thinking SEP is somehow involved, SEP is actually blocking things even though it's stating that it's not by virtue of the lack of log entries.
    If I right click and disable SEP, the pings start again instantly...... but it's hard to tell as they will start again anyway on their own, so is it me disabling SEP that it starting the pings, or were they going to start anyway?


  • 6.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 10:16 AM
    Yes, the full ESX (not ESXi) has a firewall on by default.  However, unless you mess with things manually, ESX will usually handle configuring the firewall to allow traffic--probably from even more places then you'd like.  So I doubt the ESX firewall is getting in your way.  Plus, the ESX firewall only protects the ESX host, not the VMs that run on it.

    Also, we had a DOS-like attack hit our DCs that came from misconfigured machines.  An entire lab of computers was imaged with an image already joined to AD and they were fighting for control of the AD account.  This error caused more CPU load then network problems on the DCs, but the network traffic increased as well--some 30,000 frames comming in from each machine in only 30 seconds.  More details on that issue can be found at www.sethb.com/weblog/.  It wouldn't surprise me if a firewall were to block such activity, knowing that it is not supposed to happen.

    I would look at your ASAs as the probable source of the problem if they're involved in the traffic from affected computers to the DCs.  Esspecially check to make sure the ASAs are not overloaded and dropping packets--that might not be logged or well-logged, depending on the configuration of the ASA.



  • 7.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 10:30 AM
    A snippet if this works...... Note the name that is constant - she's not even logged in to these servers now! (and has not been for a while)
    The logs show nothing blocked.
    I have blocking turned off in the IPS screen in SEPM - unchecked where it states to block traffic......... yet for every log entry below, the DC stops taking pings.
    The vst majority are behind ASAs, but I've found two that are not - but just a single entry for those, otherwise, each machine/IP address has more than one log entry in almost every case. So some are multiple repeat offenders. Most of them are, only a few have only 1 or 2 log entries in here.
    This is critical for us as when a DC stops pinging, then people don't get their login scripts, policies, etc. - and they get a "slow connection"  result. You can't block or stop ICMP pings on a DC when you have XP clients, but something, perhaps SEP, is stopping the pings.........
    I've attached the FEB logs in the first post - unfortunately, there's nothing prior to FEB for some reason, I guess I have logging set to 30 days.....
    Default 1 2/2/2010 4:28:51 AM 2/2/2010 4:28:51 AM Denial of Service "Ping of Death" attack detected.
    4719 2/2/2010 4:45:30 AM Denial of Service Major Incoming ICMP xxx.xxx.1.24 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 4:44:28 AM 2/2/2010 4:44:28 AM Denial of Service "Ping of Death" attack detected.
    4720 2/2/2010 4:48:41 AM Denial of Service Major Incoming ICMP xxx.xxx.15.9 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 4:47:39 AM 2/2/2010 4:47:39 AM Denial of Service "Ping of Death" attack detected.
    4721 2/2/2010 4:50:56 AM Denial of Service Major Incoming ICMP xxx.xxx.26.10 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 4:49:55 AM 2/2/2010 4:49:55 AM Denial of Service "Ping of Death" attack detected.
    4722 2/2/2010 5:16:59 AM Denial of Service Major Incoming ICMP xxx.xxx.14.34 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 5:15:55 AM 2/2/2010 5:15:55 AM Denial of Service "Ping of Death" attack detected.
    4723 2/2/2010 5:44:02 AM Denial of Service Major Incoming ICMP xxx.xxx.14.18 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 5:42:58 AM 2/2/2010 5:42:58 AM Denial of Service "Ping of Death" attack detected.
    4724 2/2/2010 5:49:17 AM Denial of Service Major Incoming ICMP xxx.xxx.15.9 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 5:48:11 AM 2/2/2010 5:48:11 AM Denial of Service "Ping of Death" attack detected.
    4725 2/2/2010 6:14:50 AM Denial of Service Major Incoming ICMP xxx.xxx.14.18 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 6:13:44 AM 2/2/2010 6:13:44 AM Denial of Service "Ping of Death" attack detected.
    4726 2/2/2010 6:21:05 AM Denial of Service Major Incoming ICMP xxx.xxx.15.9 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 6:20:02 AM 2/2/2010 6:20:02 AM Denial of Service "Ping of Death" attack detected.
    4727 2/2/2010 6:30:32 AM Denial of Service Major Incoming ICMP xxx.xxx.14.29 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 6:29:26 AM 2/2/2010 6:29:26 AM Denial of Service "Ping of Death" attack detected.
    4728 2/2/2010 6:49:02 AM Denial of Service Major Incoming ICMP xxx.xxx.15.9 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 6:47:59 AM 2/2/2010 6:47:59 AM Denial of Service "Ping of Death" attack detected.
    4729 2/2/2010 7:04:55 AM Denial of Service Major Incoming ICMP xxx.xxx.14.26 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 7:03:54 AM 2/2/2010 7:03:54 AM Denial of Service "Ping of Death" attack detected.
    4730 2/2/2010 7:27:16 AM Denial of Service Major Incoming ICMP xxx.xxx.14.18 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 7:26:11 AM 2/2/2010 7:26:11 AM Denial of Service "Ping of Death" attack detected.
    4731 2/2/2010 7:39:51 AM Denial of Service Major Incoming ICMP xxx.xxx.14.18 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 7:38:47 AM 2/2/2010 7:38:47 AM Denial of Service "Ping of Death" attack detected.
    4732 2/2/2010 7:41:54 AM Denial of Service Major Incoming ICMP xxx.xxx.14.20 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 7:40:51 AM 2/2/2010 7:40:51 AM Denial of Service "Ping of Death" attack detected.
    4733 2/2/2010 8:02:16 AM Denial of Service Major Incoming ICMP xxx.xxx.1.24 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 8:01:13 AM 2/2/2010 8:01:13 AM Denial of Service "Ping of Death" attack detected.
    4734 2/2/2010 8:16:57 AM Denial of Service Major Incoming ICMP xxx.xxx.1.12 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 8:15:53 AM 2/2/2010 8:15:53 AM Denial of Service "Ping of Death" attack detected.
    4735 2/2/2010 8:18:34 AM Denial of Service Major Incoming ICMP xxx.xxx.8.29 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 8:17:28 AM 2/2/2010 8:17:28 AM Denial of Service "Ping of Death" attack detected.
    4736 2/2/2010 8:21:41 AM Denial of Service Major Incoming ICMP xxx.xxx.14.20 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 8:20:35 AM 2/2/2010 8:20:35 AM Denial of Service "Ping of Death" attack detected.
    4737 2/2/2010 8:25:03 AM Denial of Service Major Incoming ICMP xxx.xxx.1.12 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 8:23:58 AM 2/2/2010 8:23:58 AM Denial of Service "Ping of Death" attack detected.
    4738 2/2/2010 8:31:14 AM Denial of Service Major Incoming ICMP xxx.xxx.14.34 00-21-59-CC-F6-40 xxx.xxx.xxx.7 00-50-56-BA-63-EC  joe.user VRNTDOM1 Default 1 2/2/2010 8:30:11 AM 2/2/2010 8:30:11 AM Denial of Service "Ping of Death" attack detected.


  • 8.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 10:38 AM
     Can you disable Denial of service detection in SEPM on the affected servers for a day to corner out the cause.


  • 9.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 11:02 AM

    I just went to the server group,
    chose Intrusion Prevention Policy,
    edit,
    settings tab on the left menu, and unchecked enable intrustion prevention (automatically detects and prevents network attacks)

    Is that what you mean?
    I'll see what that does........... if that changes things, then this baby blocks ALL ICMP in the event of anything going wrong, and that's a bad thing........... as it should only block the attacker, not shut down all ICMP traffic.........

    We'll see what happens.



  • 10.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 11:09 AM
     


  • 11.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 11:23 AM

    Yes, but that doesn't say anything about blocking........... something is blocking ICMP after said detections.

    The line above that states "automatically....... and blocks......"

    I don't mind the identifying, I'm trying to figure what's blocking it.............

    It would seem that SEP is definitely involved - I"ll let it run a while with the first unchecked, and then if I see any more drops, check it again and uncheck the lower one.

    Now if it IS SEP doing this - this means there's a problem with SEP - as I'm not in any place telling it to block ANYTHING, esp ICMP. Detection is fine, but when blocking is not enabled or turned on, and things get blocked, that's a defect, IMO.

    Since I've unchecked the first box in that image, pings have been steady................ but 40 minutes isn't really a good test as at times, it goes hours with out dropping a ping. Only a full day will tell.



  • 12.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 11:39 AM
    PS = I have "active response" disabled...... the "Automatically block.............." is not checked.... and even if it was, it was set to 10 minutes and thepings only disable for a few seconds, not 10 minutes. (600 seconds)

    I've just attached another ZIP to the first post - showing screenshots of the supposed attack and how SEP shows it's not blocking anything.....
    They are RTF files with screenshots.


  • 13.  RE: NTP network activity - please educate me!

    Posted Feb 15, 2010 04:59 PM

    Well this is interesting.....
    With Intrustion prevention unchecked (the top box) it after a couple hours stopped pinging again.
    So, I enabled intrusion prevention again, and disabled denial of service detection and it pinged for about 3 hours..

    More tests, I'll leave denial of service detection unchecked and see if it will go a day or two, then check it again, and see if it will stop pinging again.

    SEP to the rescue - that's what's blocking our DC pings and probably causing our scripts and policies to fail - the clients can't ICMP ping the DCs and thus fail on the policies.

    So why is SEP choking? Dunno, but it is.

    Wireshark showed NO ICMP traffic at all while the pings were not making it, meaning the DC isn't even GETTING the ping request.
    For some reason, SEP is stating our clients are attacking the DCs, and then blocking ICMP pings! HOWEVER, there's NO logs of it blocking anything, and it never states it's blocking, and blocking is turned off..... and it's only supposed to block the attacker.  That "automatically block" box is NOT checked, and it's only supposed to block traffic from an attacker, not all computers.  Looks like a SEP bug again.

    Time to run this one up to the top! WOW.



  • 14.  RE: NTP network activity - please educate me!

    Posted Feb 16, 2010 02:07 PM

    It's been long enough to be able to safely assume - it was SEP's "denial of service detection" (as shown above red circle) that is blocking ICMP pings to and from ALL COMPUTERS ANYWHERE every so often.

    I've disabled, unchecked that box circled in red above and I've gone nearly a full day without a single dropped packet.  To clarify as I think even Symantec folks misunderstand - this is not just blocking from the "supposed attacker", it's blocking ALL ICMP traffic to and from the DC when this happens, NOT just the single computer doing the so-called attack, but ALL computers around the whole world, even other servers on the same network. So it's not just doing a job, it's going above and beyond, especially when I have the "block...." turned off or unchecked.

    So this seems to be a problem with SEP.  We've got TWO issues:

    1. most of our computers at random and with no predictability or pattern seem to trigger SEPs DOS detection

    and worse

    2. SEP's reaction is to simply block all ICMP/ping traffic to and from the domain controller when this happens. NOT just the computer it thinks is attacking, and from looking at sniffs, I do not believe that there even is any attack.



  • 15.  RE: NTP network activity - please educate me!

    Posted Feb 16, 2010 02:44 PM
    I have seen these Detection with multiple pings with -t option.So when it blocks the pings does it block for particular amount of time or for any random amount of time ?


  • 16.  RE: NTP network activity - please educate me!

    Posted Feb 16, 2010 03:06 PM
    But the -T option should not give fragmented packets or 50 packets per second......... should it?

    This is my understanding of what SEP sees as a DOS,

    The criteria for the Ping of Death detection are the following: 
    50 packets / second  ICMP Packet AND >= 512 bytes AND (ICMP Ping OR IP Fragment)


    although I frankly don't understand it and if looking at a trace, wouldn't know what to look for.
    I'm not a network expert, I just play one from 7am to 4:30pm............

    Of course, XP by nature pings the DC with ICMP, first a 0 byte, then a 2048 packet to determine "link speed".
    What if XP kept doing this, thinking it was not getting a response?

    The 2048 meets the >=512 bytes and it's an ICMP ping.


  • 17.  RE: NTP network activity - please educate me!

    Posted Feb 16, 2010 03:31 PM
    From ShadowsPapa's posts, I think its pretty clear that something is broken in either the way SEP detects the ICMP attacks or its response to them (blocking all ICMP instead of just the source).  Then again, if ICMP attacks were distributed, which would probably be required to actually break an up-to-date box, maybe that action is by design but not documented?  Just a theory.


  • 18.  RE: NTP network activity - please educate me!

    Posted Feb 17, 2010 08:32 AM
    Yes, I think you have hit my points........
    I believe it's possible that something is terribly wrong in SEP, here's what we have:
    A. I've found, in wireshark captures, no machine that comes very close to meeting their requirement for DOS attacks.
    B. SEP almost every day, sometimes many times a day, reports in the IPS log that a DOMAIN CONTROLLER (not any other server) has been attacked by one of our computers.
    C. SEP doesn't just block THAT attacking computer, it blocks ALL ICMP to or from ANY source on our network.
    D. SEP is NOT setup to block - the box for blocking an attacker for the (default of 600 seconds) set number of seconds is NOT checked.
    E. Unchecking IPS's DOS attack mode means the domain controllers will ping all day long without dropping a single packet!

    So:
    SEP is probably or possibly triggering on DOS when there is no DOS
    SEP is blocking ALL ICMP traffic when all it's supposed to do it block an attacker.

    SEP is broken in either both of the above or at least the bottom line......... I can't yet find proof of any attacks........ so it might be broken in two places.


  • 19.  RE: NTP network activity - please educate me!

    Posted Feb 22, 2010 05:09 PM

    I've got a ton more information on this issue...........
    It would "appear" that SEP blocks not on IP, but on MAC address.
    All of our computers run through a common switch. SEP shows the switch's MAC as the mac of all computers, even those it believes are attacking.

    SEP is set to not block, that option is unchecked. IT does block, however, but it blocks only for rougly 15 to 20 seconds - here is an ongoing ping snippet when  SEP triggered and started blocking - that's the length of time, and it blocks ALL ICMP pings, probably because it's blocking the core switch MAC and not an IP address. This is my workstation pinging the DC when the so-called attack occurred:
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=19ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=2ms TTL=127
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Reply from XXX.XXX.XXX.XX: bytes=32 time=1ms TTL=127
    Further, I setup SEP firewall to log all ICMP packets and enabled DOS detection. I did not have to wait long - in 15 minutes, a DC stopped pinging and SEP logged an attack. However, an export of the firewall log to CAP format, then viewed in wireshark showed no pattern of attack, no long list of fragmented packets. It did show a lot of fragments, but from 2 or 3 sources. This makes me think that SEP is seeing the fragmented packets from 2 or 3 cxomputers, and sees the SWITCH MAC, and assume THAT MAC is attacking it, but gives it a single IP address of the first machine with fragmented packets.
    So we have two issues with SEP.
    SEP is falsly triggering.
    SEP is blocking based on the MAC address of the core switch and not hte machine.
    SEP is blocking when blocking is turned off or not enabled.
    Now another issue- It seems we have some MTU issues here, and it's impacting VPN clients the worst, then clients coming down the ASA established tunnels. We seem to have a place where instead of reporting destination unreachable, please fragment packet, it's not responding and pings of a certain size are simply being dropped.
    Note below - I should never get a timeout but should always get a packet needs fragmenting reply.......
    J:\>ping -f -l XXXX XXX.XXX.XXX.XX
    Pinging XX.XXX.XXX.XX with 1200 bytes of data:
    Reply from XX.XXX.XXX.XX: bytes=1200 time=111ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1200 time=41ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1200 time=39ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1200 time=38ms TTL=127
    Ping statistics for XX.XXX.XXX.XX:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 38ms, Maximum = 111ms, Average = 57ms
    NOTE THE TIMEOUT...........                                   ......note
    J:\>ping -f -l XXXX XX.XXX.XXX.XX
    Pinging XX.XXX.XXX.XX with 1300 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for XX.XXX.XXX.XX:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    Yet it goes here.......... so the fragmentation needed bit is not being sent, packets are being lost and dropped.
    J:\>ping -f -l XXXX XX.XXX.XXX.XX
    Pinging XX.XXX.XXX.XX with 1260 bytes of data:
    Reply from XX.XXX.XXX.XX: bytes=1260 time=103ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1260 time=40ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1260 time=51ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1260 time=40ms TTL=127
    Ping statistics for XX.XXX.XXX.XX:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 40ms, Maximum = 103ms, Average = 58ms
    J:\>ping -f -l 1406 XX.XXX.XXX.XX
    Pinging XX.XXX.XXX.XX with 1406 bytes of data:
    Reply from XX.XXX.XXX.XX: bytes=1406 time=90ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1406 time=32ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1406 time=30ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1406 time=29ms TTL=127
    Ping statistics for XX.XXX.XXX.XX:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 29ms, Maximum = 90ms, Average = 45ms
    J:\>ping -f -l 1407 XX.XXX.XXX.XX
    Pinging XX.XXX.XXX.XX with 1407 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for XX.XXX.XXX.XX:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    J:\>ping -f -l 1407 XX.XXX.XXX.XX
    Pinging XX.XXX.XXX.XX with 1407 bytes of data:
    Reply from XX.XXX.XXX.XX: bytes=1407 time=129ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1407 time=66ms TTL=127
    Reply from XX.XXX.XXX.XX: bytes=1407 time=65ms TTL=127
    Reply from XX.XXX.X.XX bytes=1407 time=64ms TTL=127
    Ping statistics for XX.XXX.X.XX:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 64ms, Maximum = 129ms, Average = 81ms


  • 20.  RE: NTP network activity - please educate me!

    Posted Mar 01, 2010 10:38 AM
    Symantec has taken notice and is working dilligently on trying to figure out what's up......
    We've got probably 3 or 4 things going on, and among them is SEP not behaving as it should.
    The issue they are investigating includes:
    Why does SEP block anything when the block option is unchecked (it was blocking *all ICMP* for seconds not minutes and not just from the "attacker")
    and
    Why does SEP change how it blocks simply by moving the server to a different group, even though blocking and even IPS is totally turned off............ it went from blocking all for a few seconds, to blocking all for 10 minutes and logging the blocking activity, even though DOS and blocking was turned off totally.

    Stay tuned! This is bigger than we thought.


  • 21.  RE: NTP network activity - please educate me!

    Posted Mar 01, 2010 12:37 PM
    Well I might be wrong...but it looks like

    When DOS Detection is enabled- then whenever a DOS attack is encountered it drops those attacks just to make sure Server is not denied Server ( what is its purpose )

    When we check Automatically block attacker's IP address-- then it means after a DOS attack is detected and we have dropped the packets..do we want to block the IP address of the blocker for a specified amount of time.

    Even though it is unchecked. When a DOS attack is triggered it will drop those packets just to make sure server does not get affected by this attack.

    So to me it looks to be working as supposed to be..

    However the only False Positive being it detects 1 MAC address for all computers..


  • 22.  RE: NTP network activity - please educate me!

    Posted Mar 01, 2010 04:47 PM
    Snekul is actually in your state.  Maybe "buy" him lunch and if he's anywhere near you, you guys can exchange SEP notes.  I went to school not too far from Snekul's location - amazing how small this world is.

    Let me know where you are in this issue with regard to chatting with Symantec folks.  I can ping somebody if you're at a standstill.

    Best,

    Eric


  • 23.  RE: NTP network activity - please educate me!

    Posted Mar 01, 2010 04:59 PM
    This is with DOS disabled...............at least now it is.
    They had me create a test group, and for this and other testing, I used SEPM to disable NTP and I unchecked everything under IPS, including detect DOS.
    It still detects DOS, and now it blocks for 10 minutes!
    In the old group, it blocked, but only for a few seconds. However, it's not really even being attacked.

    So, in group 1 - with blocking turned off, it blocked for several seconds.
    In group 2, with DOS detection AND blocking turned off, it blocks for 10 minutes!
    It's broken either way - DOS is turned off so there should be no DOS detection.
    And in group 2, it's telling me in the logs it is blocking for 10 minutes, and that's with blocking AND DOS detection disabled.
    I think that double-whammy is what got their attention..........
    It should not dected DOS with DOS disabled.
    Active blocking for 10 minutes should not happen if blocking AND Dos is disabled.
    And it acts differently in each group.


  • 24.  RE: NTP network activity - please educate me!

    Posted Mar 01, 2010 05:05 PM
    >>Snekul is actually in your state. <<

    State of Confusion? LOL  J/K  Go Panthers!  ;-)

    Actually, it would be wonderful if a Symantec engineer actually SAW this firsthand!
    A. They could see how good or bad our settings are, and the impact they may or may not have
    B. They could see all the events that take place AS they take place (I'm running 2 computers with dual monitors AND remoted into a server running tests on that machine AND running diagnostics over the web - it's impossible to convet all these gigs of info........)

    I have exported our policies in full as well as all logs.......... and filled out two pretty good messages on our configuration. I think I really have development stumped. But this isn't the first time. I did it years ago and ended up "meeting" a really terrific developer there.
    We've been at this over a week, trace logs, SEPM logs, policy exports, screen shots, etc.
    It's really overhwhelming and I would buy coffee for the Symantec engineer/expert that came in, checked this out and solved this mystery!
    I honestly believe it's at that level now........
    Kudos to Cass, he's REALLY trying!


  • 25.  RE: NTP network activity - please educate me!

    Posted Mar 01, 2010 06:56 PM
    We've actually already met at a user's group meeting.  Too bad I couldn't make the last one, silly credit card security stuff!