SEP vs. Brightmail and a DNS DoS "detection"
With DoS protection enabled on SEP 11.06A we're having an ironic problem on a customer's DNS server. IPs assigned to Symantec Brightmail (18.104.22.168 (brs-dns.dc3.brightmail.com), 22.214.171.124 (brs-dns.dc2.brightmail.com)) are causing this:
Denial of Service "UDP Flood Attack" attack detected.
An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.
The customer runs Symantec Brightmail Gateway 9.0.0 on a different system on the LAN but the SBG points to the DNS server for DNS information.
Furthermore, the log from SEP is incorrect. This server never even blinks on CPU usage, perhaps 5% max and I've been monitoring it for a day and have yet to see a 100% CPU spike.
1) Why is SEP creating erroneous logs regarding CPU usage?
2) Given the irony that a Symantec antispam system is apparently not compatible with a Symantec security product, is there no way to "whitelist" the Brightmail IPs? Obviously, blocking IPs that provide antispam DNS information (SBG 9 relies heavily on DNS for spam reputations) isn't a good thing, so allowing connections to/from Brightmail IPs is a priority.
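The false positive described in this post comes from a pattern that is easy to reproduce: a recursive DNS server that sends many queries to a reputation DNS host gets just as many replies back, and a detector that simply counts inbound UDP packets per source cannot tell those solicited replies from an unsolicited burst. The following Python example is added here for illustration; it is not code from the post, from Symantec, or from SEP's actual engine, and it uses a generic sliding-window rate heuristic as an assumed stand-in for whatever SEP does internally. All addresses are constructed RFC 5737 documentation values, and the "reputation DNS" host is a constructed stand-in for the Brightmail resolvers. It shows a naive counter flagging the busy resolver, and then a version that excludes replies to queries the host itself sent and honours an allowlist, which is the effect a Brightmail whitelist entry would have.

```python
"""Added example (not from the forum post): a toy UDP-flood detector showing
why a naive per-source packet counter flags a busy DNS resolver, and how
tracking solicited replies plus an allowlist avoids the false positive.
All addresses below are constructed RFC 5737 documentation values."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOST = "192.0.2.10"            # constructed: the protected DNS server
REPUTATION_DNS = "203.0.113.10"  # constructed stand-in for a reputation DNS host
LAN_CLIENT = "192.0.2.20"      # constructed: mail gateway querying the DNS server
UNSOLICITED = "198.51.100.7"   # constructed: source of an unsolicited UDP burst


@dataclass(frozen=True)
class UdpPacket:
    ts: float      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def outbound(self) -> bool:
        return self.src == HOST


def build_sample_traffic() -> list:
    """Constructed one-second capture, sorted by timestamp."""
    pkts = []
    # 300 recursive lookups the DNS server sends to the reputation host,
    # each answered 10 ms later from port 53 back to the ephemeral port.
    for i in range(300):
        t, eph = i / 300, 40000 + i
        pkts.append(UdpPacket(t, HOST, eph, REPUTATION_DNS, 53))
        pkts.append(UdpPacket(t + 0.01, REPUTATION_DNS, 53, HOST, eph))
    # 50 ordinary client queries from the LAN mail gateway (unsolicited, but low rate).
    for i in range(50):
        pkts.append(UdpPacket(i / 50, LAN_CLIENT, 50000 + i, HOST, 53))
    # 300 unsolicited packets in half a second from one source.
    for i in range(300):
        pkts.append(UdpPacket(0.5 + i / 600, UNSOLICITED, 60000 + (i % 100), HOST, 53))
    return sorted(pkts, key=lambda p: p.ts)


def _over_threshold(recent, pkt, threshold, window) -> bool:
    """Sliding-window count of packets from pkt.src; True once it exceeds threshold."""
    q = recent[pkt.src]
    q.append(pkt.ts)
    while q and q[0] < pkt.ts - window:
        q.popleft()
    return len(q) > threshold


def naive_flood_sources(packets, threshold=100, window=1.0) -> set:
    """Flag any source whose inbound UDP packet count exceeds the threshold
    within the window. Replies to our own queries are counted too, which is
    exactly what produces the false positive on a busy resolver."""
    recent, flagged = defaultdict(deque), set()
    for p in packets:
        if not p.outbound and _over_threshold(recent, p, threshold, window):
            flagged.add(p.src)
    return flagged


def stateful_flood_sources(packets, threshold=100, window=1.0,
                           allowlist=(), reply_timeout=5.0) -> set:
    """Same counter, but (1) an inbound packet that matches a query this host
    sent within reply_timeout is a solicited reply and is not counted, and
    (2) sources inside allowlisted networks are never flagged."""
    nets = [ip_network(n) for n in allowlist]
    pending = {}   # (remote_ip, remote_port, local_port) -> timestamp of our query
    recent, flagged = defaultdict(deque), set()
    for p in packets:
        if p.outbound:
            pending[(p.dst, p.dport, p.sport)] = p.ts
            continue
        sent = pending.pop((p.src, p.sport, p.dport), None)
        if sent is not None and p.ts - sent <= reply_timeout:
            continue   # solicited reply to our own lookup, not flood traffic
        if any(ip_address(p.src) in n for n in nets):
            continue   # explicitly trusted peer, never alert
        if _over_threshold(recent, p, threshold, window):
            flagged.add(p.src)
    return flagged


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("naive:   ", sorted(naive_flood_sources(traffic)))     # resolver wrongly included
    print("stateful:", sorted(stateful_flood_sources(traffic)))  # only the unsolicited burst
```

The LAN client is worth noting: a DNS server legitimately receives unsolicited queries from its clients, so reply tracking alone cannot exclude them, and lowering the threshold far enough will flag the mail gateway as well. That is where an allowlist of known-good peers (the Brightmail resolvers, the SBG appliance) is the practical control, and why the poster's whitelisting question is the right one to ask.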