Endpoint Protection

  • 1.  Denial of Service "Smurf" attack detected

    Posted Jan 09, 2013 05:54 AM

    We provided a freshly imaged desktop to an employee, who started receiving the following notification from the SEP12 Network Threat Protection log:

    Denial of Service "Smurf" attack detected

     

    The direction is outgoing (from his machine) to a machine (another user's PC) which is in a totally different subnet.

    As an example, the originating IP is 10.x.x.x and the remote host is 172.X.X.X.

    The protocol is ICMP.

    I am pretty sure this is a false positive, but I would like to understand what Symantec may have detected as a Smurf attack.

    Is it DHCP traffic? Even if it is DHCP traffic, the remote host is a PC (not a server).

    I would like to hear explanations of how this could have happened.

     

    Thanks

     

     



  • 2.  RE: Denial of Service "Smurf" attack detected

    Posted Jan 09, 2013 05:59 AM

    Hi,

    Check this article:

    Demystifying Denial-Of-Service attacks, part one

    https://www-secure.symantec.com/connect/articles/demystifying-denial-service-attacks-part-one

    Check this thread:

    https://www-secure.symantec.com/connect/forums/denial-service-how-add-host-exeptions

     

    You have to log in to the server on which the SEPM is installed.
    To check where your SEPM is, open SEP - Help and Support - Troubleshooting;
    it will show you the server name or IP.

    If you do not have access to the SEPM server, then
    open SEP client - Network Threat Protection - Options - Change Settings - Intrusion Prevention,
    and from there you can disable Denial of Service detection.

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20611



  • 3.  RE: Denial of Service "Smurf" attack detected

    Posted Jan 09, 2013 06:02 AM

    It sounds like a possible false positive. You would need to scan the machine causing the DoS to ensure it is not infected with something. Basically, a large number of ICMP packets are sent. So, for example, if someone did a `ping -l 65000 [hostname]`, this could cause it.



  • 4.  RE: Denial of Service "Smurf" attack detected

    Trusted Advisor
    Posted Jan 09, 2013 11:59 AM

    Hello,

    Check the article below. It describes DOS attacks and how they work.

    If you can understand how they work then you will understand how to protect yourself against them. Look at the SMURF attack part specifically.

    https://www-secure.symantec.com/connect/articles/demystifying-denial-service-attacks-part-one

    The steps you need to take to protect yourself from SMURF attacks can be done more through your operating system rather than your Anti-Virus software. Again, that information can be taken from the article above.

    Hope that helps!!