Endpoint Protection Small Business Edition


SEP IPv6 packets firewall issues

  • 1.  SEP IPv6 packets firewall issues

    Posted Jul 06, 2010 10:27 AM

    On my home network with Verizon FIOS, I get errors where SEP picks up the router as a denial of service attack and blocks the router, killing my internet. If I disable Network Threat Protection, I immediately have internet again. The logs show nothing except IPv6 packets, which I have set to "allow". What is going on?


  • 2.  RE: SEP IPv6 packets firewall issues

    Posted Jul 06, 2010 10:38 AM
    Which version are you using?
    Try disabling DOS attack detection.


  • 3.  RE: SEP IPv6 packets firewall issues

    Posted Jul 06, 2010 11:31 AM
    Is this a managed or unmanaged client? You might also try searching the Verizon forum for users experiencing the same issue.

    http://forums.verizon.com/


  • 4.  RE: SEP IPv6 packets firewall issues

    Posted Jul 06, 2010 07:01 PM
    If it is RU5 (11.0.5xxx) or earlier, then it is most likely Anti-MAC Spoofing that is the cause.

    RU6 has the DOS attack detection issues.


  • 5.  RE: SEP IPv6 packets firewall issues

    Posted Jul 07, 2010 11:41 AM
    This is a managed client version 11.0.6005.562. I believe this is MR6.

    My router is on 10.10.11.10 and it's being picked up as a DOS as shown in the picture below:



    From the logs, I have:

    Denial of Service "UDP Flood Attack" attack detected.
    Description:
     An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.

    Something tells me this is a false positive or some type of incompatibility.  Anyone seen anything like this?


  • 6.  RE: SEP IPv6 packets firewall issues
    Best Answer

    Posted Jul 07, 2010 12:23 PM
    This looks to be an issue currently under investigation:

    Title: 'Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050107362048

    sandra

    ps. Does adding the IP to the Excluded Hosts list alleviate the issue? (Intrusion Prevention policy > Settings > Enable excluded hosts, add your router's IP.)


  • 7.  RE: SEP IPv6 packets firewall issues

    Posted Jul 07, 2010 01:00 PM
    Thanks Sandra,

    I came across the same conclusion on this thread at https://www-secure.symantec.com/connect/forums/sepv11-dos-ips-logs-after-upgrading-clients-ru6

    I currently added my router (and a few defaults like 192.168.0.1) to the excluded list for the IPS policy.  I'll follow-up in a few hours if this helps.

    Regards,
    KAM




  • 8.  RE: SEP IPv6 packets firewall issues

    Posted Jul 13, 2010 08:05 AM

    Adding my router address to the excluded IPS policy resolved my issue.  Thanks!  This is definitely the MR6 release triggering a DoS signature coming from my own firewall.  From reading, it has to do with DNS lookups.

    Regards,
    KAM


  • 9.  RE: SEP IPv6 packets firewall issues

    Posted Jul 13, 2010 10:12 AM

    Glad to hear it!

    sandra


  • 10.  RE: SEP IPv6 packets firewall issues

    Posted Aug 15, 2010 01:25 PM

    We are having the same issue as previously mentioned with an unmanaged client.  How can we exempt that client from IPS on the router?


  • 11.  RE: SEP IPv6 packets firewall issues

    Posted Aug 16, 2010 11:21 AM

    It doesn't look like excluded hosts are an option via the SEP client interface (for unmanaged clients).  You'll probably need to do the following, from the document linked above:

    The most viable workaround for this issue is to disable the Denial of Service Protection functionality either via Symantec Endpoint Protection Manager Intrusion Prevention policy, or by disabling Denial of Service Protection via the Symantec Endpoint Protection client User Interface (available on Client Control managed clients or on unmanaged clients).

    sandra