Endpoint Protection

  • 1.  DDoS?

    Posted Mar 12, 2013 06:37 PM

    Hi, I've been using Symantec for 2 years now with no problems, really, up until a month ago. Every time I'm on my laptop browsing the internet I see this message "Denial Of Service Logged" and then I'm blocked from using my internet for 10 mins! I understand what it means, but is there any way it can be blocked without restricting my internet usage?



  • 2.  RE: DDoS?

    Posted Mar 12, 2013 06:40 PM

    This setting can be configured from within the SEPM.

    Also, what version are you on, 11.x or 12.1? There was a bug in an older version of 11.x that caused this and upgrading fixed it.



  • 3.  RE: DDoS?

    Posted Mar 12, 2013 06:47 PM

    My version is 11.0.6005.562, when you say upgrade do you mean Live Update? Or like a product upgrade?



  • 4.  RE: DDoS?

    Posted Mar 12, 2013 06:51 PM

    I'd have to go through the old release notes, but I do believe that version had the bug that caused a false positive DDoS. If you check in the Security log, is your DNS server being detected as the one causing the DDoS?

    Yes, you would need to upgrade the product to a later version. The one you're on is older. The latest for 11.x is RU7 MP3.



  • 5.  RE: DDoS?

    Posted Mar 13, 2013 01:56 AM

    Check your security log; as mentioned by Brian, it could be a bug in an older version of SEP 11.



  • 6.  RE: DDoS?

    Broadcom Employee
    Posted Mar 13, 2013 06:25 AM

    #updated

    Hi,

    As per the SEP 11 release notes there was a bug in a version prior to RU5.

    Clients report Denial of Service attack (IP Fragmentation overlap) when no overlap is occurring
    Fix ID: 1586674
    Symptom: When connected over a VPN, a false positive Denial of Service detection (IP fragmentation overlap) causes the Web site to be blocked for 10 minutes.
    Solution: Corrected how the last IP fragmentation packet is identified to properly calculate the packet length

    Reference: http://www.symantec.com/docs/TECH103087 

    Also check this article:

    Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.

    http://www.symantec.com/docs/TECH132161

    It should block an attacker's IP address for 10 minutes, not the internet access.

    Could you please confirm that you are not able to access the internet for 10 minutes if a DDoS attack is detected?

    However, it's always recommended to use the latest SEP version. The latest SEP versions are SEP 11 RU7 MP3 & SEP 12.1 RU2.

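    As an added illustration, not Symantec's code, of what an IP-fragmentation-overlap check has to get right: each fragment's byte coverage is derived from the IPv4 header (offset field in 8-byte units, payload length = total length minus header length, MF flag clearing on the last fragment), and neighbouring fragments are then compared. The headers below are constructed test data, not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Fragment:
    """Byte coverage of one IPv4 fragment inside the reassembled datagram."""
    start: int   # first payload byte this fragment carries
    end: int     # one past the last payload byte
    more: bool   # MF flag; False marks the final fragment

def parse_fragment(header: bytes) -> Fragment:
    """Derive coverage from a raw 20-byte IPv4 header.
    The payload length is total_length - IHL*4; using the raw total length
    would overstate the last fragment and create a phantom overlap."""
    ihl = (header[0] & 0x0F) * 4
    total_length = struct.unpack("!H", header[2:4])[0]
    flags_frag = struct.unpack("!H", header[6:8])[0]
    more = bool(flags_frag & 0x2000)          # MF bit
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    return Fragment(offset, offset + (total_length - ihl), more)

def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Return byte ranges claimed by two fragments; empty means no overlap."""
    overlaps = []
    ordered = sorted(frags, key=lambda f: f.start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:
            overlaps.append((cur.start, min(prev.end, cur.end)))
    return overlaps

def make_header(total_length: int, offset_units: int, more: bool) -> bytes:
    """Constructed IPv4 header (UDP, 10.0.0.53 -> 10.0.0.1) for the examples."""
    flags_frag = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                       64, 17, 0, bytes([10, 0, 0, 53]), bytes([10, 0, 0, 1]))

def check(headers: List[bytes]) -> List[Tuple[int, int]]:
    return find_overlaps([parse_fragment(h) for h in headers])

# Constructed: a large DNS reply split cleanly into three fragments, the last one short
CLEAN = [make_header(20 + 1480, 0, True), make_header(20 + 1480, 185, True),
         make_header(20 + 100, 370, False)]
# Constructed: the second fragment starts 8 bytes inside the first (a real overlap)
OVERLAPPING = [make_header(20 + 1480, 0, True), make_header(20 + 200, 184, False)]
```

    check(CLEAN) returns an empty list while check(OVERLAPPING) returns [(1472, 1480)], the overlapping byte range.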


  • 7.  RE: DDoS?

    Trusted Advisor
    Posted Mar 13, 2013 07:18 AM

    Hello,

    Confirmed!!

    This was one of the known issues with Symantec Endpoint Protection (SEP) 11.0.RU6a.

    It is recommended to migrate to the latest version of SEP, 11.0.7303.

    Check this Article:

    Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.

    http://www.symantec.com/docs/TECH132161

    Workarounds include:

    • Add the IP addresses of DNS servers to the Intrusion Prevention policy Excluded Hosts list. This will explicitly allow any/all traffic to and from the IP address and will effectively bypass Intrusion Prevention and Firewall from interacting with the traffic. Implications include: Hard to manage DNS server list if clients roam, list is unavailable on Unmanaged clients.
    • Downgrade the product to Release Update 5 (RU5) on affected client computers. RU5 did not contain the detection that is involved in this issue. Implications include: difficulty in downgrading (requires uninstall of RU6 and reinstall of RU5), as well as potential issues in dealing with issues fixed between RU5 and RU6.

    Check this thread related to this issue:

    https://www-secure.symantec.com/connect/forums/endpoint-1106-false-denial-service-attacks-dns-servers

    Hope that helps!!



  • 8.  RE: DDoS?