Endpoint Protection

  • 1.  Denial of Service is logged.

    Posted Jul 03, 2011 09:57 AM

    I am getting messages like:

    Symantec Endpoint Protection

    Traffic for IP address 192.168.1.13 is blocked from 7/2/2011 (:19:43 PM to 7/2/2011 9:24:48 PM

    Denial of Service is logged.

    The message shows briefly

    The computer showing the message has IP address 192.168.1.25

    1. Where are these types of messages stored?
    2. What is the meaning of the message?
    3. How is the problem solved?


  • 2.  RE: Denial of Service is logged.

    Posted Jul 03, 2011 10:16 AM

    What is the version of SEP you are using?


    Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.



  • 3.  RE: Denial of Service is logged.

    Posted Jul 03, 2011 12:25 PM

    Hi,

    Open the SEP UI, Logs, Security Logs, search for "Denial of Service" entries, and post the details of the event here.



  • 4.  RE: Denial of Service is logged.

    Trusted Advisor
    Posted Jul 04, 2011 12:51 PM

    Hello,

    What version of SEP have you installed?


    Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through.

    In the DoS detector of the firewall, when it detects an attack, it will block all the traffic with the same packet type for a while. The duration is about 1 minute. For example, if an ICMP packet is used to attack the SEP-installed host (as in our example of a "ping of death"), when SEP detects this attack, all the ICMP traffic to/from this host will be blocked for one minute.


    Solution


    This is working by design as part of Denial of Service protection.


    It's possible that someone was scanning the network, looking for vulnerable hosts.

    Thanks to NTP, it has blocked that attack.

    Local MAC may be FF-FF-FF-FF-FF-FF [layer 2 broadcast ID] and the protocol is none.

    You may also see that the protocol is ICMP and the local MAC is FF-FF-FF-FF-FF-FF. Local Host in both cases is 192.168.1.25 [layer 3 broadcast ID]. So, it looks like someone is doing a ping sweep in the network.

    or, the router/switch in the network is doing a client search every 10 minutes.

    Hope this helps.




  • 5.  RE: Denial of Service is logged.

    Posted Jul 07, 2011 03:40 PM


    11.0.6000.550

    The first link you list only seems to go to a general page.

    The second link does not appear to be the same problem.



  • 6.  RE: Denial of Service is logged.

    Posted Jul 07, 2011 03:58 PM

    I could not follow what you wrote.

    Not sure what you mean by UI.

    If I open Endpoint Protection, I only see View Logs; then I have to make a choice of Antivirus and Antispyware Protection, Proactive Threat Protection, Network Threat Protection, Client Management. Then I had to view logs and take one log at a time. It took me to the Client Management Security log to find something that you may be talking about. I do not see a place to search for "Denial of Service".

    7/7/2011 12:18:04 PM Active response disengaged Information None None 192.168.1.30 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 12:17:03 PM 7/7/2011 12:17:03 PM 
    7/7/2011 12:08:04 PM Active Response Major Incoming None 192.168.1.30 00-90-A9-6E-1E-9F 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 12:07:02 PM 7/7/2011 12:07:02 PM 
    7/7/2011 12:08:04 PM Denial of Service Major Incoming UDP 192.168.1.30 00-90-A9-6E-1E-9F 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 12:07:02 PM 7/7/2011 12:07:02 PM 
    7/7/2011 10:17:00 AM Active response disengaged Information None None 192.168.1.28 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 10:15:55 AM 7/7/2011 10:15:55 AM 
    7/7/2011 10:06:59 AM Active Response Major Incoming None 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 10:05:55 AM 7/7/2011 10:05:55 AM 
    7/7/2011 10:06:59 AM Denial of Service Major Incoming UDP 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 10:05:54 AM 7/7/2011 10:05:54 AM 
    7/7/2011 8:15:53 AM Active response disengaged Information None None 192.168.1.29 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 8:14:48 AM 7/7/2011 8:14:48 AM 
    7/7/2011 8:05:52 AM Active Response Major Incoming None 192.168.1.29 80-C6-AB-14-81-00 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 8:04:47 AM 7/7/2011 8:04:47 AM 
    7/7/2011 8:05:52 AM Denial of Service Major Incoming UDP 192.168.1.29 80-C6-AB-14-81-00 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 8:04:46 AM 7/7/2011 8:04:46 AM 
    7/7/2011 6:14:40 AM Active response disengaged Information None None 192.168.1.28 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 6:13:39 AM 7/7/2011 6:13:39 AM 
    7/7/2011 6:11:25 AM Active response disengaged Information None None 192.168.1.13 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 6:10:24 AM 7/7/2011 6:10:24 AM 
    7/7/2011 6:04:44 AM Active Response Major Incoming None 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 6:03:39 AM 7/7/2011 6:03:39 AM 
    7/7/2011 6:04:39 AM Denial of Service Major Incoming UDP 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 6:03:38 AM 7/7/2011 6:03:38 AM 
    7/7/2011 6:01:24 AM Active Response Major Incoming None 192.168.1.13 00-1C-C3-13-24-D5 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 6:00:23 AM 7/7/2011 6:00:23 AM 
    7/7/2011 6:01:24 AM Denial of Service Major Incoming UDP 192.168.1.13 00-1C-C3-13-24-D5 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 6:00:23 AM 7/7/2011 6:00:23 AM 
    7/7/2011 4:10:18 AM Active response disengaged Information None None 192.168.1.29 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 4:09:13 AM 7/7/2011 4:09:13 AM 
    7/7/2011 4:00:16 AM Active Response Major Incoming None 192.168.1.29 80-C6-AB-14-81-00 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 3:59:12 AM 7/7/2011 3:59:12 AM 
    7/7/2011 4:00:16 AM Denial of Service Major Incoming UDP 192.168.1.29 80-C6-AB-14-81-00 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 3:59:12 AM 7/7/2011 3:59:12 AM 
    7/7/2011 2:09:10 AM Active response disengaged Information None None 192.168.1.13 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 2:08:06 AM 7/7/2011 2:08:06 AM 
    7/7/2011 1:59:09 AM Active Response Major Incoming None 192.168.1.13 00-1C-C3-13-24-D5 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 1:58:05 AM 7/7/2011 1:58:05 AM 
    7/7/2011 1:59:09 AM Denial of Service Major Incoming UDP 192.168.1.13 00-1C-C3-13-24-D5 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 1:58:05 AM 7/7/2011 1:58:05 AM 
    7/7/2011 12:07:57 AM Active response disengaged Information None None 192.168.1.10 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 12:06:56 AM 7/7/2011 12:06:56 AM 
    7/6/2011 11:58:01 PM Active Response Major Incoming None 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 11:56:56 PM 7/6/2011 11:56:56 PM 
    7/6/2011 11:58:01 PM Denial of Service Major Incoming UDP 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 11:56:55 PM 7/6/2011 11:56:55 PM 
    7/6/2011 10:06:55 PM Active response disengaged Information None None 192.168.1.10 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/6/2011 10:05:50 PM 7/6/2011 10:05:50 PM 
    7/6/2011 9:56:53 PM Active Response Major Incoming None 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 9:55:50 PM 7/6/2011 9:55:50 PM 
    7/6/2011 9:56:53 PM Denial of Service Major Incoming UDP 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 9:55:49 PM 7/6/2011 9:55:49 PM 
    7/6/2011 8:05:49 PM Active response disengaged Information None None 192.168.1.10 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/6/2011 8:04:44 PM 7/6/2011 8:04:44 PM 
    7/6/2011 7:55:48 PM Active Response Major Incoming None 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 7:54:42 PM 7/6/2011 7:54:42 PM 
    7/6/2011 7:55:48 PM Denial of Service Major Incoming UDP 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 7:54:42 PM 7/6/2011 7:54:42 PM 
    7/6/2011 6:04:41 PM Active response disengaged Information None None 192.168.1.10 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/6/2011 6:03:36 PM 7/6/2011 6:03:36 PM 
    7/6/2011 5:54:37 PM Active Response Major Incoming None 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 5:53:36 PM 7/6/2011 5:53:36 PM 
    7/6/2011 5:54:37 PM Denial of Service Major Incoming UDP 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 5:53:35 PM 7/6/2011 5:53:35 PM 
    7/6/2011 4:03:32 PM Active response disengaged Information None None 192.168.1.28 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/6/2011 4:02:31 PM 7/6/2011 4:02:31 PM 
    7/6/2011 3:53:31 PM Active Response Major Incoming None 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 3:52:30 PM 7/6/2011 3:52:30 PM 
    7/6/2011 3:53:31 PM Denial of Service Major Incoming UDP 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 3:52:29 PM 7/6/2011 3:52:29 PM 
    7/6/2011 2:02:27 PM Active response disengaged Information None None 192.168.1.29 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/6/2011 2:01:24 PM 7/6/2011 2:01:24 PM 
    7/6/2011 1:52:24 PM Active Response Major Incoming None 192.168.1.29 80-C6-AB-14-81-00 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 1:51:23 PM 7/6/2011 1:51:23 PM 
    7/6/2011 1:52:24 PM Denial of Service Major Incoming UDP 192.168.1.29 80-C6-AB-14-81-00 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 1:51:22 PM 7/6/2011 1:51:22 PM 

    192.168.1.30 is a Western Digital NAS

    192.168.1.28 and .10 are listed as unknown, but as I remember these are part of DirecTV. As I remember, the receivers log in as unknown.

    192.168.1.29 is a DirecTV adapter

    192.168.1.13 is again DirecTV

    Maybe SEP is just thinking there is a denial of service attack.

    On another subject is there a way to receive an email when someone responds on the Symantec web site?



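    The rows pasted above are easier to triage once they are parsed and paired up. The following Python is an added example, not code from the thread or from Symantec: it parses the exported Security log rows (the column layout is inferred from the rows in this post), pairs each "Active Response" with its later "Active response disengaged" for the same remote host, and reports per remote host how many "Denial of Service" detections occurred, which protocols and MACs were involved, and how long each block lasted. The sample rows are copied from the export in this post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: rows copied from the log export in this thread (newest first).
SAMPLE_LOG = """\
7/7/2011 12:18:04 PM Active response disengaged Information None None 192.168.1.30 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 12:17:03 PM 7/7/2011 12:17:03 PM
7/7/2011 12:08:04 PM Active Response Major Incoming None 192.168.1.30 00-90-A9-6E-1E-9F 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 12:07:02 PM 7/7/2011 12:07:02 PM
7/7/2011 12:08:04 PM Denial of Service Major Incoming UDP 192.168.1.30 00-90-A9-6E-1E-9F 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 12:07:02 PM 7/7/2011 12:07:02 PM
7/7/2011 10:17:00 AM Active response disengaged Information None None 192.168.1.28 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Joe HOM200OF006 Default 1 7/7/2011 10:15:55 AM 7/7/2011 10:15:55 AM
7/7/2011 10:06:59 AM Active Response Major Incoming None 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 10:05:55 AM 7/7/2011 10:05:55 AM
7/7/2011 10:06:59 AM Denial of Service Major Incoming UDP 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 10:05:54 AM 7/7/2011 10:05:54 AM
7/7/2011 6:04:39 AM Denial of Service Major Incoming UDP 192.168.1.28 80-C6-AB-14-82-3B 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/7/2011 6:03:38 AM 7/7/2011 6:03:38 AM
"""

TS = r"\d+/\d+/\d+ \d+:\d+:\d+ [AP]M"
# Column layout assumed from the rows above: logged time, event, severity, direction,
# protocol, remote IP/MAC, local IP/MAC, user, computer, location, count, begin, end.
LINE_RE = re.compile(
    rf"^(?P<logged>{TS}) (?P<event>Denial of Service|Active Response|Active response disengaged) "
    r"(?P<severity>\S+) (?P<direction>\S+) (?P<proto>\S+) (?P<remote_ip>\S+) (?P<remote_mac>\S+) "
    rf"(?P<local_ip>\S+) (?P<local_mac>\S+)\s+(?P<user>\S+) (?P<host>\S+) (?P<location>\S+) (?P<count>\d+) (?P<begin>{TS}) (?P<end>{TS})$"
)

def parse_log(text):
    """Parse exported SEP Security log rows, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["begin"] = datetime.strptime(ev["begin"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return sorted(events, key=lambda e: e["begin"])  # export is newest-first; replay oldest-first

def summarize(events):
    """Per remote host: DoS detections, protocols and MACs seen, and block durations in seconds."""
    summary = defaultdict(lambda: {"dos": 0, "protos": set(), "macs": set(), "block_secs": []})
    open_blocks = {}  # remote_ip -> time the Active Response engaged, until it disengages
    for ev in events:
        s = summary[ev["remote_ip"]]
        if ev["event"] == "Denial of Service":
            s["dos"] += 1
            s["protos"].add(ev["proto"])
            s["macs"].add(ev["remote_mac"])
        elif ev["event"] == "Active Response":
            open_blocks[ev["remote_ip"]] = ev["begin"]
        elif ev["event"] == "Active response disengaged" and ev["remote_ip"] in open_blocks:
            s["block_secs"].append(int((ev["begin"] - open_blocks.pop(ev["remote_ip"])).total_seconds()))
    return dict(summary)

print(summarize(parse_log(SAMPLE_LOG)))
```

    A detection that is unpaired (a "Denial of Service" row with no matching block) still counts toward "dos" but adds no duration, so the two numbers together show which hosts keep tripping the detector.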

  • 7.  RE: Denial of Service is logged.

    Posted Jul 07, 2011 04:03 PM

    This is beginning to look like SEP is blocking when it should not. Note my previous reply. The IP addresses involved are non-computers. Never has any computer IP address been involved. This computer is 192.168.1.25. Note address 192.168.1.25 does not show in the log.




  • 8.  RE: Denial of Service is logged.

    Posted Jul 13, 2011 11:23 PM

    My fix was to go into Network Threat Prevention, Intrusion Prevention and uncheck Enable denial of service detection.



  • 9.  RE: Denial of Service is logged.

    Posted Jul 14, 2011 01:06 AM

    NTP has detected an attack on your network, and the service request from that IP address is denied and blocked by NTP.

    Hence this incident is logged.

    There is no need to look for a solution for this, as the Endpoint is working efficiently.

    If you wish to turn off the pop-up, follow the thread below.

    https://www-secure.symantec.com/connect/forums/front-end-pop-users-how-turn-it

    Good Luck!



  • 10.  RE: Denial of Service is logged.

    Posted Jul 17, 2011 10:47 AM

    Hi,

    Well done. UI means User Interface; I did not have time to post a click-by-click procedure, but it seems you were able to click around to find what I meant.

    In the list of events you posted, you can read entries like:

    7/6/2011 5:54:37 PM Denial of Service Major Incoming UDP 192.168.1.10 80-C6-AB-14-82-C1 192.168.1.25 84-2B-2B-A3-30-18  Joe HOM200OF006 Default 1 7/6/2011 5:53:35 PM 7/6/2011 5:53:35 PM 

    Once you select one of these rows, you can see more details at the bottom; I was interested in those.

    By the way, it seems a known issue; please upgrade to the latest SEP version and let me know.