
Increase the Denial of Service UDP Flood Attack Threshold

Created: 03 May 2010 • Updated: 20 Jul 2011 | 17 comments
Posted by CDW-PublicInterest
Status: Implemented

Starting with Symantec Endpoint Protection RU6 and continuing in RU6A, the "UDP Flood Attack" threshold is set too low.  Denial of Service notices/responses are being triggered, causing an Active Response block for legitimate DNS servers.  Adding an exception is not a valid solution, since we cannot add exceptions for every user's home network.  One of the two following solutions should be implemented:

  • Increase the threshold
  • Allow the customer to have an option to set this threshold manually

Comments (17)

JimW:

I am checking to see how this is being resolved.

Jim Waggoner Director Product Management, Symantec Endpoint Protection, Enterprise Security Group, Symantec

CDW-PublicInterest:

Hi Jim,

Just an update for you.  DNS prefetching can be turned off in web browsers to help with this issue.  This may be something that support can inform customers of as an alternative solution.

Thanks for checking into this!!!

By the way... hope you had fun in Vegas!

PrimeInc:

This is a Royal Pain in the you know what.   I've had to disable the DoS protection for a large number of machines due to this issue.  Every machine we updated to 11.6 triggers this IPS, and then their DNS is blocked for 10 minutes.

I can't add thousands of DNS server IP addresses to the exceptions.  I got tired at 30 and just disabled this feature altogether.

If my PC makes an outgoing DNS UDP connection to a server, the single DNS response to my query should not be considered in any attack count.   I understand you are probably trying to protect against the Dan Kaminsky DNS exploits; however, you are knocking all my PCs off the network by blocking all their DNS, causing more harm than good.

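The point PrimeInc makes above, and that the original idea hinges on, is that a UDP reply to a query the host itself just sent should not count toward a flood threshold. The simulation below is an added example written for this page, not Symantec code and not from anyone in the thread. It compares a stateless counter (every inbound UDP packet counts) with a stateful one (only packets that do not answer a recent outbound datagram count) on a constructed capture. SEP's real threshold and window are not stated on this page, so the 30-packets-per-second figure, the addresses, and the traffic shapes are all assumptions.

```python
"""Stateless vs. stateful UDP flood detection on a constructed packet stream.

Added example for this thread, not Symantec code. The threshold, window,
addresses and traffic below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

HOST = "192.168.1.10"      # assumed: the SEP-protected client
RESOLVER = "192.168.1.1"   # assumed: home router acting as DNS forwarder
ATTACKER = "203.0.113.7"   # assumed: attacker in the documentation range
THRESHOLD = 30             # assumed: inbound UDP packets per source per window
WINDOW = 1.0               # assumed: seconds


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True when HOST sent it, False when HOST received it


def flood_sources(inbound, threshold=THRESHOLD, window=WINDOW):
    """Return sources exceeding `threshold` inbound packets in any sliding `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for p in sorted(inbound, key=lambda p: p.ts):
        q = recent[p.src]
        q.append(p.ts)
        while q[0] < p.ts - window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(p.src)
    return flagged


def stateless_flood_sources(packets):
    """Naive detector: every inbound UDP packet counts, solicited or not."""
    return flood_sources([p for p in packets if not p.outbound])


def unsolicited_inbound(packets, reply_timeout=5.0):
    """Keep only inbound packets that do not answer a recent outbound datagram.

    Each outbound UDP datagram (e.g. a DNS query from a randomised source port)
    admits exactly one reply from the peer and port it was sent to; any other
    inbound packet, including a spoofed reply to the wrong port, is unsolicited.
    """
    pending = {}  # (peer, peer_port, local_port) -> time the query left HOST
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.outbound:
            pending[(p.dst, p.dport, p.sport)] = p.ts
            continue
        sent = pending.pop((p.src, p.sport, p.dport), None)
        if sent is None or p.ts - sent > reply_timeout:
            unsolicited.append(p)
    return unsolicited


def stateful_flood_sources(packets):
    """Detector that counts only unsolicited inbound UDP packets."""
    return flood_sources(unsolicited_inbound(packets))


# --- constructed traffic (not captured from any real network) ---------------

def prefetch_burst(n=40, t0=0.0):
    """A browser prefetching n hostnames: n queries, each answered 20 ms later."""
    pkts = []
    for i in range(n):
        port = 50000 + i  # one randomised source port per query
        pkts.append(Packet(t0 + i * 0.01, HOST, port, RESOLVER, 53, True))
        pkts.append(Packet(t0 + i * 0.01 + 0.02, RESOLVER, 53, HOST, port, False))
    return pkts


def unsolicited_flood(n=200, t0=0.0):
    """n UDP datagrams from ATTACKER that HOST never asked for."""
    return [Packet(t0 + i * 0.005, ATTACKER, 40000 + i % 64, HOST, 1024 + i, False)
            for i in range(n)]


def compare(packets):
    """Run both detectors over the same traffic."""
    return {"stateless": stateless_flood_sources(packets),
            "stateful": stateful_flood_sources(packets)}


if __name__ == "__main__":
    for name, traffic in (("DNS prefetch burst", prefetch_burst()),
                          ("unsolicited flood", unsolicited_flood()),
                          ("both at once", prefetch_burst() + unsolicited_flood())):
        print(name, compare(traffic))
```

With these assumed numbers the stateless counter blocks the home resolver on a 40-hostname prefetch burst, which is the false positive the thread describes, while the stateful counter flags only the attacker. Matching replies on the exact source port is what makes the stateful version still catch a Kaminsky-style spoofed-reply flood: a forged answer that guesses the wrong port has no pending query and is counted as unsolicited.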
pebcak:

...can a fix be expected?  This is quite an issue.

Senior Consultant @ Creative Breakthroughs, Inc. a Symantec Platinum Partner

http://www.cbihome.com/

Symanticus:

Yes, I am also facing the same problem, guys; wondering when this will be fixed too :-o

/* Infrastructure Support Engineer */

Gubben:

Hoping for a solution!

CDW-PublicInterest:

Check out this thread here (http://www.symantec.com/connect/forums/endpoint-1106-false-denial-service-attacks-dns-servers).  It appears that SEP 11 RU6 MP1 is being released to take care of this issue!

Paul Murgatroyd:

This was fixed in SEP11 RU6 MP1

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Nate S:

Is it re-broke in the latest update?

I am using 11 RU6 MP3 and I get these alerts all the time (many right in a row from a single machine).

I never experienced it until I updated to 11 RU6 MP3.  My console version is 11.0.6300.803.

It doesnt seem to matter if they are local users or remote users, but it seems the trend is remote (work from home) users.

aclee:
I am not an IT person; I am just an ordinary private user. I have switched to Symantec, only to encounter an endless procession of ten minute service denials on the grounds that I am suffering a "UDP Flood Attack". The Endpoint Protection firewall shut down my whole internet connection. This even happened during my google attempts to discover what exactly a UDP Flood Attack is. I have been forced to disable Symantec's Endpoint Protection completely and I have reverted to Windows Defender as my firewall; it is perfectly obvious that any anti-virus can protect my computer by completely disabling my network connection, but this solution is not actually very useful to me. I will be forced to move over to a different anti-virus if this problem is not resolved; saying "implemented" when no solution has been "implemented" is rather annoying, by the way.
Fabiano.Pessoa:

Hi,

It may seem strange, but the right thing is to set the limit correctly, not to increase the limit.
A DoS attack is always handled by limiting access or creating rules, as can be done with iptraf on Linux.
Perform a port scan to see which port is being attacked the most.
If possible, switch ports.
It's like using a limit on the web. Also limit access.

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa:

Hi,

If you're using Linux, create a rule with IPTABLES using iptraf.
Identify the IP attacking you and use the following command in iptraf:

iptables -I INPUT -s [IP] -j DROP

I doubt he can make an attack on you or any other machine on your network.

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

aclee:

Hello Fabiano and thanks for giving me your time and your help on this.

I am using Windows PC and my browser is Firefox. I never had these Denial of Service attacks when I was on Norton or when I was on Avira; literally, as soon as I installed Symantec, this stuff started. I am very sceptical that anyone is attacking my computer; I think this anti-virus is shutting down my internet connection over and over and over for no valid reason.

I can't say I feel impressed.

Just in case I am traducing Symantec, I would be grateful for suggestions on how I can check whether I really am being targeted by a DoS attack after all. Otherwise, how do I deal with this undesirable feature of Symantec shutting down my internet connection for my own good?

Fabiano.Pessoa:

Hi,

Unchecking the "Enable denial of service detection" option in the Intrusion Prevention Policy settings will resolve this issue. But it is a workaround, not the solution.

The job of "Automatically block an attacker's IP address" is to block all communication from a source host for the specified number of seconds when the client detects an attack. For example, if the client detects a denial-of-service attack, the client blocks all traffic from the originating IP address. This feature is also called active response. This option is enabled by default in the SEPM.

What you can do is exclude the false positive in the Intrusion Prevention rule:

Title: 'How to add an exception for Intrusion Prevention Policy to allow a specific ID through Symantec Endpoint Protection Manager'
Document ID: 2009110213020648
Web URL: http://service1.symantec.com/support/ent-security....

I'll also pass you some penetration tests for you to carry out, to see if your machine is vulnerable, ok?

Hugs and tell me.

Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa:

Hi Aclee,

I promise to help, ok?
Your operating system is Windows, right?
Do you know how to run CMD commands in Windows?
If you don't understand much, that's okay. Is your Windows XP or 7?
Reply to me so that I can help you.

hugs


Fabiano Pessoa

Systems Analyst - Forensic Expert
