
SEP vs. Brightmail and a DNS DoS "detection"

Created: 22 May 2010 | 8 comments

With DoS protection enabled on SEP 11.06A we're having an ironic problem on a customer's DNS server.  IPs assigned to Symantec Brightmail (143.127.103.16 (brs-dns.dc3.brightmail.com), 216.250.24.88 (brs-dns.dc2.brightmail.com)) are causing this:

Denial of Service "UDP Flood Attack" attack detected.
Description:
An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.

The customer runs Symantec Brightmail Gateway 9.0.0 on a different system on the LAN but the SBG points to the DNS server for DNS information. 

Furthermore, the log from SEP is incorrect. This server never even blinks on CPU usage, perhaps 5% max, and I've been monitoring it for a day and have yet to see a 100% CPU spike. 

Questions:

1) Why is SEP creating erroneous logs regarding CPU usage?

2) Given the irony that a Symantec antispam system is apparently not compatible with a Symantec security product, is there no way to "whitelist" the Brightmail IPs?  Obviously blocking IPs that provide antispam DNS information (SBG 9 relies heavily on DNS for spam reputations) isn't a good thing so allowing connections to/from Brightmail IPs is a priority.

Thanks...


teiva-boy:

Is it IPS creating the messages?  Then create an exclusion for that host in the IPS policy

SEP and Brightmail not being "compatible," there is nothing farther from the truth.  SEP is looking at traffic patterns and doing deep inspection of payloads, and has no clue that it's brightmail or linux, only that it's a DoS attack of a certain type and possible ramifications.

Perhaps if it's an internal DNS server, you shouldn't have NTP installed?  While Symantec will recommend NTP on servers, if internal, and not used as a workstation, and you have good patching policies, NTP use could be mitigated by actual security processes and policies.  I'd even go as far as making a DNS server if Win2k8, a core server with AD and DNS running..  No GUI, and less services to minimize attack risks.

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

Terabyte Computers:

Actually, it's very simple for a firewall to know where traffic is coming from and whitelist the IPs.  Brightmail can do that with ZERO problem.  The fact is there's a problem in 11.06 that didn't exist in 11.05 and before.  As for Core vs. something else, that's moot as it's not the OS that's the problem, it's SEP 11.06A thinking traffic coming from Brightmail is a problem.

BTW, it's ONLY Brightmail IPs causing this.  Not a single other IP anywhere in the world querying this DNS server, a public facing DNS server I might add sitting behind a Cisco ASA firewall also doing IPS detection, has caused this alert so there's either something up with Brightmail's DNS servers or SEP.

Mick2009:

Hi Terabyte Computers,

A couple of other SEP 11 RU6 users have also seen and reported this, so Symantec is looking into it.  Here's another forum thread on this subject: http://www.symantec.com/connect/forums/endpoint-11...

The Denial of Service detection type "UDP Flood Attack" is a new feature added in SEP 11 RU6.  The criteria for triggering this detection will be refined and improved in a future release of SEP.

The message about this attack probably states what an attack intends with that attack, rather than an event that has absolutely already been seen.

If you are 100% convinced that this is a false positive, you can add the IP addresses of DNS servers to the Intrusion Prevention policy Excluded Hosts list.  When the release of SEP which contains the improvement is released, I recommend removing the DNS server's IP!

Please let the forum know if this answers your question, or do keep the forum up-to-date with any additional queries and with your progress!

Thanks and best regards,

Mick

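Before adding a resolver to the Excluded Hosts list as Mick suggests, it is worth checking the DNS server's own query log for the actual per-source query rate, so the decision rests on measured traffic rather than on the IPS verdict alone. The script below is an added example and is not part of the thread or of any Symantec product. It parses constructed sample log lines in a simplified format (ISO timestamp, client IP, query name; a real server's query log would need its own parser), computes each source's peak number of queries in any sliding one-second window, and splits sources at a hypothetical threshold. The two Brightmail resolver addresses are the ones named in the thread; the address 192.0.2.77, the query names and the threshold value are constructed for illustration.

```python
"""
Check per-source DNS query rates before accepting a "UDP Flood" verdict.

Log format used here is constructed for this example, not a real DNS server's
debug-log format: "<ISO timestamp> <client ip> <query name>" per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)   # length of the sliding window
THRESHOLD = 5                   # hypothetical: queries per window treated as flood-like

# Constructed sample log: the two resolver IPs from the thread behave like
# ordinary resolvers; 192.0.2.77 is a constructed noisy source.
SAMPLE_LOG = """\
2010-05-22T10:00:00 143.127.103.16 example.com
2010-05-22T10:00:00 216.250.24.88 example.net
2010-05-22T10:00:00 192.0.2.77 q0.example
2010-05-22T10:00:00 192.0.2.77 q1.example
2010-05-22T10:00:00 192.0.2.77 q2.example
2010-05-22T10:00:00 192.0.2.77 q3.example
2010-05-22T10:00:00 192.0.2.77 q4.example
2010-05-22T10:00:00 192.0.2.77 q5.example
2010-05-22T10:00:01 143.127.103.16 mx.example.com
2010-05-22T10:00:01 216.250.24.88 example.org
2010-05-22T10:00:02 143.127.103.16 example.org
2010-05-22T10:00:03 216.250.24.88 mx.example.net
"""


def parse_log(text):
    """Yield (timestamp, source_ip, qname) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def peak_rates(events, window=WINDOW):
    """Return {source_ip: peak queries seen in any span of length `window`}.

    Events must arrive in timestamp order, as they do when reading a log file.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        # Slide the window: discard queries that fell out of it.
        while ts - q[0] >= window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def classify(peaks, threshold=THRESHOLD):
    """Split sources into flood-like (peak >= threshold) and normal."""
    flagged = {ip: n for ip, n in peaks.items() if n >= threshold}
    normal = {ip: n for ip, n in peaks.items() if n < threshold}
    return flagged, normal


def analyze(text=SAMPLE_LOG, window=WINDOW, threshold=THRESHOLD):
    """Run the whole check over a log text and return (flagged, normal)."""
    return classify(peak_rates(parse_log(text), window), threshold)


if __name__ == "__main__":
    flagged, normal = analyze()
    secs = WINDOW.total_seconds()
    for ip, n in sorted(flagged.items()):
        print(f"FLOOD-LIKE  {ip:16} peak {n} queries / {secs:.0f}s")
    for ip, n in sorted(normal.items()):
        print(f"normal      {ip:16} peak {n} queries / {secs:.0f}s")
```

With the constructed sample, the two Brightmail resolvers peak at one query per second while the constructed host peaks at six, so only the latter crosses the threshold. Run against a real query log, a resolver that stays in the "normal" group is a candidate for the Excluded Hosts list; one that lands in "flood-like" deserves a closer look before it is excluded.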

Terabyte Computers:

"The message about this attack probably states what an attack intends with that attack, rather than an event that has absolutely already been seen."

Actually, logs show the IPs actually causing an attack and that they are blocked.  I had to turn off IPS.  Time to rethink this for 11.07.

Terabyte Computers:

Where do I add this?  I don't seem to see the option to add the exclusion.  BTW, if I can't be 100% sure about Brightmail's IPs then it's time to dump both products wouldn't you think???

Mick2009:

Hi Again,

The Excluded Hosts option is disabled by default.  In the SEPM, just open up the IPS policy, Settings, and "enable excluded hosts."  Then specify the IP address of the one which you believe to be a False Positive.

The following article contains some additional information:  Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.  (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050107362048)

Hope this helps!

Mick


Terabyte Computers:

This box is unmanaged, no SEPM on the LAN.  The rest of their LAN is still on 10.1.7 as they have no box capable of devoting/wasting the 500MB-1GB of RAM that SEPM requires when 10.1.7 requires little more than 60MB to run the management server.

Can I whitelist in the unmanaged client or is it time to dump SEP?

Terabyte Computers:

Mick,

No word on this?  It's been 6 weeks.  Does Symantec intend to ignore this issue like it ignores so many others like XFER temp files and the like?  The fact is your products do not work properly together.  SEP 11.06a whines constantly about Brightmail IPs and even if this were managed the IPs change and I can find no list of the entire Brightmail range to exclude.  If you'll provide that list I'll figure out how to get these managed, if not I guess it's time to dump SEP and go to McAfee or Trend.