Endpoint Protection

  • 1.  UDP Flood Attacks - False Positives

    Posted Aug 16, 2011 09:54 AM

    After upgrading from 11.0.6 MP1 to 11.0.6 MP3, I started receiving many alerts about UDP Flood Attacks.  Most of them are coming from external users, and mainly from home routers (192.168.x.x IPs), many of whom are connecting with VPN. 

    The exact message is

    Denial of Service "UDP Flood Attack" attack detected. Description: An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.

     

    I have tried loosening the alert notification conditions, but it still seems to happen very often.

    I have recently updated to 11.0.7, which states that this problem has been specifically addressed, but as of several minutes ago, I have received two identical alerts from two different users/machines, both of them being on completely different home networks.

     

    I have been following some threads on this, such as :

    https://www-secure.symantec.com/connect/ideas/increase-denial-service-udp-flood-attack-threshold

    and

    https://www-secure.symantec.com/connect/forums/false-positive-dos-attack-udp-flood-attack-sep-ntp

    They are helpful, but it seems they are labelled as "update to version X, as it is fixed", but it still seems to be a problem.

     

    Adding exclusions for all the various external users is not a viable option, as we have users that work from home, travel, etc. so their source IPs are never static, nor would we want to open up ourselves to that kind of trouble.

    Any help would be great.

    Any further information I can provide, I would be glad to do so.
     

    Thanks,

    -Nate
     



  • 2.  RE: UDP Flood Attacks - False Positives

    Posted Aug 16, 2011 10:05 AM

     

    Unexpected outbound Denial of Service (DoS) attack



  • 3.  RE: UDP Flood Attacks - False Positives

    Posted Aug 16, 2011 01:45 PM

    All your clients that throw this alert are v.11.0.6300.803 or later?

    Just wanted to clarify. I encountered this issue frequently after I upgraded from RU5 to RU6 (MP1a). Upgrading the clients to RU6 MP3 actually resolved the issue for me.



  • 4.  RE: UDP Flood Attacks - False Positives

    Posted Aug 18, 2011 11:07 AM

    Rafeeq, thanks for the link to turn off the DoS entirely.  This will be an absolute last-step sort of thing, as I like having the DoS protection, and turning it off is more of a workaround than a solution.



  • 5.  RE: UDP Flood Attacks - False Positives

    Posted Aug 18, 2011 11:10 AM

    I was not aware that the clients had to be updated to the newest version.  From what I could tell, it seemed the console was the trouble.

    I originally updated just the console to 11.0.6 MP3, leaving the clients at 11.0.6 MP1, and then I was slowly pushing out the clients, but clients that were still on MP1 seemed to have the alert (I did it by office, and all of the offices were reporting DoS and UDP flood attacks, etc.).

    I will now push out the newest 11.0.7 clients to each office and see if that resolves it.   Hopefully it is something as simple as this!



  • 6.  RE: UDP Flood Attacks - False Positives

    Posted Aug 18, 2011 12:21 PM

    It's definitely a client-side issue. Here are the fix notes from the MP3 Release Notes:

    Resolved a UDP flood attack false positive
    Fix ID: 2058022
    Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
    Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.
     
    An unexpected UDP flood attack is reported after upgrading to RU6
    Fix ID: 2038207
    Symptom: An unexpected UDP flood attack is reported after upgrading to RU6, and blocks what appears to be a legitimate internal DNS server.
    Solution: Symantec Endpoint Protection client was updated to verify that the DNS response packet comes from a valid DNS server.
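
    The second fix note above (Fix ID 2038207) describes the shape of the correction: the client stopped treating every burst of UDP from one source as a flood and first checked whether a packet was a DNS response to a query the host had actually sent. The following is an added, constructed model of that check, not Symantec's code, and the threshold, window and packet layout are assumptions for the demo. It runs a naive counter and the corrected one against the same burst of replies from an internal resolver, and then against unsolicited traffic from UDP/53 to show that the exemption does not blind the detector.

```python
# Constructed example (not Symantec's code): a toy per-host UDP flood
# detector illustrating Fix ID 2038207. A naive detector counts every
# inbound UDP packet per source, so a busy internal DNS server answering
# many queries in a short window looks like a flood. The corrected logic
# first checks whether a packet is a DNS response to a query this host
# actually sent (same server IP, source port 53, same transaction ID,
# QR bit set) and does not count those. Thresholds, the window and the
# packet dictionary layout are assumptions for the demo.
from collections import defaultdict, deque

FLOOD_THRESHOLD = 50   # assumed: packets from one source per window
WINDOW_SECONDS = 1.0   # assumed sliding window


class UdpFloodDetector:
    def __init__(self, exempt_dns=True, threshold=FLOOD_THRESHOLD,
                 window=WINDOW_SECONDS):
        self.exempt_dns = exempt_dns
        self.threshold = threshold
        self.window = window
        # Outstanding queries keyed by (server_ip, server_port, txid).
        self.pending = {}
        # Per-source timestamps of packets that counted toward the threshold.
        self.history = defaultdict(deque)

    def dns_query_sent(self, server_ip, server_port, txid, ts):
        """Record an outbound DNS query so its reply can be matched later."""
        self.pending[(server_ip, server_port, txid)] = ts

    def is_solicited_dns_reply(self, pkt):
        """True only if pkt is a DNS response matching a recorded query."""
        payload = pkt["payload"]
        if pkt["src_port"] != 53 or len(payload) < 12:
            return False
        txid = int.from_bytes(payload[0:2], "big")
        flags = int.from_bytes(payload[2:4], "big")
        if not flags & 0x8000:          # QR bit clear: a query, not a reply
            return False
        key = (pkt["src_ip"], pkt["src_port"], txid)
        if key not in self.pending:
            return False                # unexpected server or unknown txid
        del self.pending[key]           # accept exactly one reply per query
        return True

    def inbound(self, pkt, ts):
        """Feed one inbound UDP packet; return the source IP if it trips the threshold."""
        if self.exempt_dns and self.is_solicited_dns_reply(pkt):
            return None
        q = self.history[pkt["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            q.clear()                   # alert once, then start counting again
            return pkt["src_ip"]
        return None


def dns_reply(txid):
    """Minimal 12-byte DNS header with QR=1 (constructed test payload)."""
    return txid.to_bytes(2, "big") + b"\x81\x80" + b"\x00" * 8


def run_scenario(exempt_dns, solicited, server_ip="10.0.0.53", packets=60):
    """Deliver `packets` DNS replies from server_ip within one second.

    solicited=True records a matching query before each reply, modelling a
    legitimate resolver; False models unsolicited UDP/53 traffic.
    Returns the list of source IPs the detector flagged.
    """
    det = UdpFloodDetector(exempt_dns=exempt_dns)
    flagged = []
    for i in range(packets):
        ts = i * 0.01
        if solicited:
            det.dns_query_sent(server_ip, 53, txid=i, ts=ts)
        pkt = {"src_ip": server_ip, "src_port": 53, "payload": dns_reply(i)}
        hit = det.inbound(pkt, ts)
        if hit:
            flagged.append(hit)
    return flagged


if __name__ == "__main__":
    print("naive detector, legit resolver :", run_scenario(False, True))
    print("fixed detector, legit resolver :", run_scenario(True, True))
    print("fixed detector, unsolicited    :", run_scenario(True, False))
```

    The naive run flags the resolver after the 51st reply; the corrected run flags nothing for solicited replies but still flags the same burst when no query was sent, which is the behaviour the release note describes. A real implementation would also match the client-side ephemeral port and expire stale pending entries.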


  • 7.  RE: UDP Flood Attacks - False Positives

    Posted Aug 18, 2011 12:30 PM

    This was a bit strange to me at first, because I did not have the trouble before I updated the Console.  I updated very few clients, but the clients that were reporting it were all mixed versions, not just MP1 or the updated ones.  It's like the clients previously had the capability to report them, but the console update unlocked/stopped ignoring them.

    I saw these release notes, so this is why I upgraded the Console (again, wrongly assuming that the Console was the problem).
    Now it makes more sense, as the clients will tell the server about the attack.

    Thanks for the info.