Endpoint Protection

  • 1.  Ping of Death DOS Attack with LANDesk 9 clients

    Posted Mar 05, 2010 08:30 PM
    Hello,

    I've got an environment of XP SP3 laptops with MR4 clients that also run LANDesk for software management, etc. We just upgraded to LANDesk 9 and some of our users are getting lots of warnings about DOS attacks. The logs show it's an outgoing ICMP Ping of Death attack and the other IP belongs to a LANDesk server (not always the same server, though).

    Wanted to see if anyone has any experience with similar issues and/or similar setups. 

    Thanks,
    Kirk...


  • 2.  RE: Ping of Death DOS Attack with LANDesk 9 clients

    Posted Mar 06, 2010 01:47 AM
    There is obviously something about the LANDesk update that is being flagged now by SEP.  I would just create an exception to it, or trust the IP of your LANDesk server in IPS.  Put it in the whitelist in IPS. 


  • 3.  RE: Ping of Death DOS Attack with LANDesk 9 clients

    Posted May 20, 2010 04:01 PM
    In the LANDesk community, someone else reported this. "A Wireshark capture reveals a ping of 554 bytes then a ping of 1066 from the PC to all of our package servers." This may be what is being detected and perhaps should be put on a whitelist as the previous poster mentioned.


  • 4.  RE: Ping of Death DOS Attack with LANDesk 9 clients

    Posted May 21, 2010 12:23 AM
    You could convert to Altiris wink  LOL
    Just kidding.

    You should also open a case with LANDesk so that they are aware of this.  SEP may not be the only product to detect this as a DOS attack, and they should investigate and test.  They are usually pretty good about KB articles and updates.  Now if only they had better management in the Utah office...


  • 5.  RE: Ping of Death DOS Attack with LANDesk 9 clients

    Posted May 21, 2010 08:44 AM
    SEP has a weak spot there. It detects a lot of things as DoS.
    In fact, our DCs kept showing they were being attacked by our own clients. SEP detects so many packets in a second, and blocks traffic. Problem is, it's not caring where the packets were coming from.
    We finally had to disable DOS detection on the DCs, there was no other way around it.
    I was running some test software here, too - load testing software to keep track of some network issues, SEP kept detecting it as DOS.
    IMO, SEP is a bit over-zealous on this detection, a bit too sensitive. The other side is that even with the blocking turned off, SEP STILL blocks ALL ping traffic for several seconds! So there's no way around it in our case other than simply not running DOS detection on the DCs.
    I've got a couple big threads here on the subject. Even had a couple of cases open on it, and it ended up being flagged as "as designed, not a bug".
    LOL, ok.............. but how about letting US "tune" the threshold on it then?
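To make the tuning question concrete, here is an added illustration (not SEP's detection logic and not LANDesk code) for the points raised in posts 3 and 5: a small per-source ICMP echo classifier run over constructed sample records, with the thresholds, window and IP addresses all assumptions. It separates a real Ping of Death (a reassembled datagram above the 65535-byte IP maximum) from a short burst of ordinary-sized pings like the 554- and 1066-byte ones quoted in post 3, and shows how an allowlist of package servers suppresses the alert.

```python
from collections import defaultdict
from dataclasses import dataclass

# A classic Ping of Death is an ICMP echo whose reassembled IP datagram
# exceeds the 65535-byte maximum; that is a size check, not a rate check.
MAX_IP_DATAGRAM = 65535


@dataclass(frozen=True)
class IcmpEcho:
    ts: float     # capture time in seconds (constructed)
    src: str      # sender IP (constructed)
    dst: str      # receiver IP (constructed)
    length: int   # total IP datagram length in bytes


def classify(echoes, rate_limit, window, allow_dst=frozenset()):
    """Return a list of (reason, src, dst) alerts.

    rate_limit: echoes per (src, dst) pair allowed within `window` seconds
    before the pair is reported as a flood (the tunable knob post 5 asks for).
    allow_dst: destinations, e.g. known package servers, never alerted on.
    """
    alerts = []
    recent = defaultdict(list)          # (src, dst) -> timestamps in window
    for e in sorted(echoes, key=lambda x: x.ts):
        if e.dst in allow_dst:
            continue
        if e.length > MAX_IP_DATAGRAM:
            alerts.append(("oversized", e.src, e.dst))
        q = recent[(e.src, e.dst)]
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # drop timestamps outside window
            q.pop(0)
        if len(q) == rate_limit + 1:        # fire once when the limit is crossed
            alerts.append(("flood", e.src, e.dst))
    return alerts


# Constructed sample: the 554/1066-byte ping pair sent to two package servers.
SAMPLE = [
    IcmpEcho(0.00, "10.0.0.5", "10.0.1.10", 554),
    IcmpEcho(0.01, "10.0.0.5", "10.0.1.10", 1066),
    IcmpEcho(0.02, "10.0.0.5", "10.0.1.11", 554),
    IcmpEcho(0.03, "10.0.0.5", "10.0.1.11", 1066),
]
# Constructed sample: one genuinely oversized echo.
OVERSIZED = [IcmpEcho(1.0, "10.0.0.9", "10.0.1.10", 65600)]
```

With a very tight limit (two echoes per second) the sample trips a flood alert per server, with a looser limit or the servers on the allowlist it is silent, and only the oversized record is ever reported as a real Ping of Death.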