Endpoint Protection

  • 1.  ping of death coming from everywhere suddenly??

    Posted Apr 07, 2009 07:46 AM
    Guys - what's up with:
    Event Time: 04/06/2009 16:09:33
    Event Type: Denial of Service
    Severity: Major
    Number: 1
    Domain: IVRS-SEP1
    Server: VRDSMSEP1
    Group: My Company\Servers
    Computer: VRxxxxxx
    IP Address: 111.222.990.20
    Operating System: Other
    Client User Name: Bill.Dickerson
    Location: Default
    Protocol: ICMP
    Direction: Inbound
    Remote host:
    Remote IP address: 11.222.8.11
    Event Description: Denial of Service "Ping of Death" attack detected. Description: In a Ping of Death attack, the hacker uses a packet with a size that is larger than the normal standard. When your system encounters a packet of this size, it often crashes, hangs, or reboots.


    I've seen 4 dozen of these in the last 4 hours. Suddenly, I'm seeing it from EVERYWHERE! Even normally functioning computers.
    Now I admit, we've had to disable a LOT of SEM on servers because, well, for the last 2 days, 10 hours a day, Microsoft has been attempting to help us with SEVERE issues. And they say that "SEP is causing a lot of this, and Symantec has told us they know about it".
    So they move the SNAC network driver DOWN to the bottom of the provider list, disable some drivers for testing, etc. and wow, are we facing issues!
    Besides this ping of death coming from everywhere - supposedly; I personally think it is a FALSE ALERT! But yesterday, every time Microsoft tried to copy a CAP file from one server to our file server for a transfer to Microsoft, it crashed the file server!
    Yes, attempting to copy their CAP (a trace file) from a DC to our file server, the file server quit responding and locked files.
    Interesting. Microsoft responded "yes, we've seen a lot of this, it's SEP and Symantec knows it". The techs didn't hesitate at all - when they first started testing and saw all sorts of weird things, the first thing from their mouths was "Are you running Symantec version 11?" I said yes; they said "we see a lot of this".
    Anyway, is this ping of death also a SEP false alert or side effect of moving the SNAC provider down in the network provider list? MS claims the SNAC driver is what's causing a lot of our issues, possibly even the one above.
    I can't have all these alerts filling logs, plugging email and causing panic here. It just started YESTERDAY, possibly when a DEFS update came out, but can't prove it.

    What can be done?



  • 2.  RE: ping of death coming from everywhere suddenly??

    Posted Apr 07, 2009 07:50 AM
    Here's another one - constant hammering in the logs "ping of death" coming from many many computers. All supposedly aimed at DC2.
    DC2 is a domain controller/DNS server and we've done a lot of testing with it, including disabling most SEP related drivers due to issues with DNS and other crazy things, but this is REALLY weird.

    Computer: VRDSMDC2
    IP Address: 165.206.190.20
    Operating System: Other
    Client User Name: Bill.Dickerson
    Location: Default
    Protocol: ICMP
    Direction: Inbound
    Remote host:
    Remote IP address: 10.252.1.26
    Event Description: Denial of Service "Ping of Death" attack detected. Description: In a Ping of Death attack, the hacker uses a packet with a size that is larger than the normal standard. When your system encounters a packet of this size, it often crashes, hangs, or reboots.



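    An added triage example, not code from the thread or from Symantec: it parses a tab-separated SEP event export with the column layout pasted above and groups inbound "Denial of Service" events by target, so a target suddenly hit from many distinct sources in a short window (the "from everywhere" pattern the poster describes) stands out from a single host repeatedly triggering the signature. The column names are taken from the post; the sample rows, hostnames and RFC 5737 addresses are constructed, and the threshold and window are assumptions to tune.

```python
# Added example (not from the thread): triage SEP "Denial of Service" events from a
# tab-separated export, grouping by target computer. Many distinct sources hitting one
# target in a short window points to a policy/definitions change or a false positive
# (as the thread suspects) rather than a real attack. Sample rows are constructed.
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

COLUMNS = ["Event Time", "Event Type", "Severity", "Number", "Domain", "Server",
           "Group", "Computer", "IP Address", "Operating System",
           "Client User Name", "Location", "Protocol", "Direction",
           "Remote host", "Remote IP address", "Event Description"]

def _row(time, computer, remote_ip):
    """Build one constructed export row; fields irrelevant to triage are '-'."""
    f = {c: "-" for c in COLUMNS}
    f.update({"Event Time": time, "Event Type": "Denial of Service", "Severity": "Major",
              "Computer": computer, "Protocol": "ICMP", "Direction": "Inbound",
              "Remote IP address": remote_ip,
              "Event Description": 'Denial of Service "Ping of Death" attack detected.'})
    return "\t".join(f[c] for c in COLUMNS)

SAMPLE_EXPORT = "\n".join(["\t".join(COLUMNS)] + [
    _row("04/06/2009 16:09:33", "DC2", "198.51.100.11"),  # DC2: five sources in ~20 min
    _row("04/06/2009 16:12:05", "DC2", "198.51.100.12"),
    _row("04/06/2009 16:15:41", "DC2", "198.51.100.13"),
    _row("04/06/2009 16:20:10", "DC2", "198.51.100.14"),
    _row("04/06/2009 16:28:57", "DC2", "198.51.100.15"),
    _row("04/06/2009 14:00:00", "FS1", "203.0.113.9"),    # FS1: one source, two hours apart
    _row("04/06/2009 16:00:00", "FS1", "203.0.113.9"),
])

def parse_events(export_text):
    """Parse a tab-separated SEP export (header row first) into dicts, quotes kept literal."""
    return list(csv.DictReader(StringIO(export_text), delimiter="\t", quoting=csv.QUOTE_NONE))

def triage_dos_events(events, window_minutes=60, source_threshold=5):
    """Summarise inbound DoS events per target; flag 'everywhere at once' patterns."""
    by_target = defaultdict(list)
    for e in events:
        if e["Event Type"] == "Denial of Service" and e["Direction"] == "Inbound":
            by_target[e["Computer"]].append(e)
    summary = {}
    for target, evs in by_target.items():
        times = sorted(datetime.strptime(e["Event Time"], "%m/%d/%Y %H:%M:%S") for e in evs)
        span = (times[-1] - times[0]).total_seconds() / 60   # minutes first..last event
        sources = sorted({e["Remote IP address"] for e in evs})
        summary[target] = {"count": len(evs), "sources": sources, "span_minutes": span,
                           "likely_false_positive": len(sources) >= source_threshold
                           and span <= window_minutes}
    return summary
```

    Flagged targets are worth checking against recent policy or definition changes before escalating; unflagged ones with a single repeating source still deserve a look at that host.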
  • 3.  RE: ping of death coming from everywhere suddenly??

    Posted Apr 13, 2009 03:22 PM
    "So they move the SNAC network driver DOWN to the bottom of the provider list, disable some drivers for testing, etc. and wow, are we facing issues!"

    Please mention what driver they moved to the bottom of the provider list, and what drivers they disabled.

    "DC2 is a domain controller/DNS server and we've done a lot of testing with it, including disabling most SEP related drivers due to issues with DNS and other crazy things, but this is REALLY weird."

    What drivers were being disabled?


  • 4.  RE: ping of death coming from everywhere suddenly??

    Posted Apr 13, 2009 03:36 PM
    For testing, they originally disabled everything "Symantec".
    That has all since been put back so SEP is again fully enabled, and all "Symantec related" drivers are running again, even after a server reboot.
    The network driver/provider they moved down was exactly as stated above - the "Symantec SNAC provider".
    Go to the network folder and highlight your network connection - usually the name of the card used to get to the network - choose the menu option Advanced, then Advanced Settings, then the Provider Order tab.
    Microsoft techs are routinely telling folks to move the Symantec SNAC provider to the bottom, below Microsoft Windows Network, Terminal Services and so on.
    They claim this is known, and fixes some things - although they were not specific.

    The drivers are all enabled again, it was SEP they were trying to kill without an uninstall, and they were successful, and it's all enabled again - but with that change in order listed above.

    I can get screenshots of that if needed...
    The drivers were killed using the startup config tool to disable drivers and services for testing.

    I do NOT know if the provider order has any impact, but it's an interesting coincidence... and maybe that is ALL it is?