
SEP IPv6 packets firewall issues

Created: 06 Jul 2010 • Updated: 18 Sep 2010 | 10 comments
Kevin McGrail's picture

On my home network with Verizon FIOS, I get errors where SEP picks up the router as a denial of service attack and blocks the router killing my internet.  If I disabled Network Threat Protection, I immediately have internet again.  The logs show nothing except IPv6 packets which I have set to "allow".  What is going on?


AravindKM's picture

Which is the version you are using?
Try disabling DOS attack detection.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Thomas K's picture

Is this a managed or unmanaged client? You might also try searching the Verizon forum for users experiencing the same issue.

http://forums.verizon.com/

Jeremy Dundon's picture

If it is RU5 (11.0.5xxx) or earlier then it is most likely Anti-Mac Spoofing that is the cause.

RU6 has the DOS attack detection issues.

Kevin McGrail's picture

This is a managed client version 11.0.6005.562. I believe this is MR6.

My router is on 10.10.11.10 and it's being picked up as a DOS as shown in the picture below:

From the logs, I have:

Denial of Service "UDP Flood Attack" attack detected.
Description:
 An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.

Something tells me this is a false positive or some type of incompatibility.  Anyone seen anything like this?

sandra.g's picture

This looks to be an issue currently under investigation:

Title: 'Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.'
http://service1.symantec.com/SUPPORT/ent-security....

sandra

P.S. Does adding the IP to the Excluded Hosts list alleviate the issue? (Intrusion Prevention policy > Settings > Enable excluded hosts, add your router's IP.)

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!
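To show how the Excluded Hosts workaround above fits into triage, here is an added example (not code from the thread or from Symantec) that reads IPS detection lines, counts repeated "UDP Flood Attack" hits per source, and flags a source as the RU6 false positive only when it is one of the hosts the operator already trusts (router, DNS servers). The log layout and the trusted-host list are assumptions; SEP's real export format is not on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the message quoted in the thread.
# The "timestamp source=IP description" layout is an assumption for this
# example, not SEP's actual log export format.
SAMPLE_LOG = """\
2010-07-06 09:12:01 source=10.10.11.10 Denial of Service "UDP Flood Attack" attack detected.
2010-07-06 09:12:03 source=10.10.11.10 Denial of Service "UDP Flood Attack" attack detected.
2010-07-06 09:12:07 source=10.10.11.10 Denial of Service "UDP Flood Attack" attack detected.
2010-07-06 09:15:40 source=203.0.113.77 Denial of Service "UDP Flood Attack" attack detected.
2010-07-06 09:16:02 source=10.10.11.44 Port scan detected.
"""

LINE_RE = re.compile(r'^\S+ \S+ source=(?P<src>\S+) (?P<desc>.+)$')
DOS_RE = re.compile(r'Denial of Service "(?P<sig>[^"]+)" attack detected')


def parse_events(text):
    """Yield (source_ip, signature_name) for every DoS detection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DOS_RE.search(m.group('desc'))
        if d:
            yield ipaddress.ip_address(m.group('src')), d.group('sig')


def triage(text, trusted_hosts, min_hits=2):
    """Return {(source_ip, signature): verdict}.

    A trusted infrastructure host (router / DNS server, supplied by the
    operator) that repeatedly trips "UDP Flood Attack" matches the RU6
    behaviour described in the KB; it is a candidate for Excluded Hosts.
    Any other source keeps an 'investigate' verdict rather than being excluded.
    """
    trusted = {ipaddress.ip_address(h) for h in trusted_hosts}
    hits = Counter(parse_events(text))
    verdicts = {}
    for (src, sig), n in hits.items():
        if sig == 'UDP Flood Attack' and src in trusted and n >= min_hits:
            verdicts[(str(src), sig)] = f'likely false positive: add {src} to IPS Excluded Hosts'
        else:
            verdicts[(str(src), sig)] = f'investigate: {n}x "{sig}" from non-trusted source'
    return verdicts


if __name__ == '__main__':
    for key, verdict in triage(SAMPLE_LOG, ['10.10.11.10']).items():
        print(key, '->', verdict)
```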

SOLUTION
Kevin McGrail's picture

Thanks Sandra,

I came across the same conclusion on this thread at https://www-secure.symantec.com/connect/forums/sepv11-dos-ips-logs-after-upgrading-clients-ru6

I currently added my router (and a few defaults like 192.168.0.1) to the excluded list for the IPS policy.  I'll follow up in a few hours if this helps.

Regards,
KAM

Kevin McGrail's picture

Adding my router address to the excluded IPS policy resolved my issue.  Thanks!  This is definitely the MR6 release triggering a DoS signature coming from my own firewall.  From reading, it has to do with DNS lookups.

Regards,
KAM

sandra.g's picture

Glad to hear it!

sandra


Kevin McGrail's picture

We are having the same issue as previously mentioned with an unmanaged client.  How can we exempt that client from IPS on the router?

sandra.g's picture

It doesn't look like excluded hosts are an option via the SEP client interface (for unmanaged clients).  You'll probably need to do the following, from the document linked above:

The most viable workaround for this issue is to disable the Denial of Service Protection functionality either via Symantec Endpoint Protection Manager Intrusion Prevention policy, or by disabling Denial of Service Protection via the Symantec Endpoint Protection client User Interface (available on Client Control managed clients or on unmanaged clients).

sandra
