Endpoint Protection

  • 1.  "Denial of Service is logged" - what gives?

    Posted May 04, 2009 05:59 PM
    Hey guys.  I searched the forums but I'm not certain that any of the similar threads apply in my case. Running SEP 11.0.

    Seems like clockwork; every 10 minutes I'm getting this pop-up balloon that says "Traffic from 192.168.1.245 is blocked from ___ to ___.  Denial of service is logged."  Except occasionally when it's 192.168.10.11.

    I can't remember offhand what my router IP is when I'm at home because I'm on a business trip right now and I have no way of knowing the MAC address of the system here in the hotel, but I don't recall it doing this at home. OTOH I don't use the laptop much at home, either.

    Security Log [screenshot not reproduced]
    As you can see, something is busy.

    Here in the hotel my IP is 10.71.5.107 and my Gateway is 10.71.0.1.

    Thoughts? What gives?  Also, this computer seems incredibly slow these days. As in, open IE, then go make a sandwich and come back slow.

    Thanks in advance!

    Jim


  • 2.  RE: "Denial of Service is logged" - what gives?

    Posted May 04, 2009 06:00 PM
    Bother. Maybe I should've put the log screenshot at the bottom. Sorry about that!


  • 3.  RE: "Denial of Service is logged" - what gives?

    Posted May 05, 2009 12:55 AM
    This could be a router issue as discussed in previous threads, best thing to do is to update the firmware of the router/gateway.


  • 4.  RE: "Denial of Service is logged" - what gives?

    Posted May 05, 2009 07:09 AM
    I see. You think this is the case even though the DoS IP addresses are nothing like what my current IP is? 

    Anyway, I'll defer to you guys since I'm certain you know more than I on the subject. I'll call the hotel's ISP and make that recommendation.

    Thanks!


  • 5.  RE: "Denial of Service is logged" - what gives?
    Best Answer

    Posted May 11, 2009 11:19 AM
    Hi,

    It's possible that someone was doing a scan in the hotel network, looking for vulnerable hosts.

    Thanks to NTP, it has blocked that attack.

    As we see in the screenshot, local MAC is FF-FF-FF-FF-FF-FF [layer 2 broadcast id] and the protocol is none.
    We also see the protocol is ICMP and the local MAC is FF-FF-FF-FF-FF-FF. Local Host in both the cases is 192.168.1.255 [layer 3 broadcast id]. So, it looks like someone is doing a Ping Sweep in the network.

    or, the router/switch in the network is doing a client search every 10 minutes.

    Hope this helps.

    Cheers,
    Aniket
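The reading of the log given in the answer above (broadcast MAC plus a .255 local address, ICMP versus "none") and the question in post 4 (why the blocked sources are nowhere near the hotel address 10.71.5.107) can be turned into a small triage check. The following is an added example, not code from the thread or from Symantec; the log rows are constructed to match the thread's description, and the /16 network size for the hotel host is an assumption (only the IP and gateway were given).

```python
import ipaddress
from dataclasses import dataclass

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"   # layer 2 broadcast destination

@dataclass
class LogEntry:
    remote_ip: str    # the "Traffic from ..." address shown in the pop-up
    local_ip: str     # Local Host column of the SEP Security Log
    local_mac: str    # Local MAC column
    protocol: str     # ICMP, TCP, UDP or "none"

# Constructed sample rows modelled on the thread (not the real screenshot).
SAMPLE_LOG = [
    LogEntry("192.168.1.245", "192.168.1.255", "FF-FF-FF-FF-FF-FF", "ICMP"),
    LogEntry("192.168.10.11", "192.168.1.255", "FF-FF-FF-FF-FF-FF", "none"),
    LogEntry("10.71.0.1", "10.71.5.107", "00-11-22-33-44-55", "TCP"),  # gateway, unicast
]

def is_broadcast_frame(entry):
    """True when both the MAC and the IP target are broadcast (x.x.x.255 for a /24)."""
    l3_bcast = ipaddress.ip_network(f"{entry.local_ip}/24", strict=False).broadcast_address
    return entry.local_mac.upper() == BROADCAST_MAC and ipaddress.ip_address(entry.local_ip) == l3_bcast

def on_my_subnet(remote_ip, host_ip, prefix):
    """Is the remote address inside the network the host itself sits in?"""
    net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(remote_ip) in net

def classify(entry, host_ip="10.71.5.107", prefix=16):
    """Short verdict for one row; prefix=16 is an assumed mask for the hotel network."""
    bcast = is_broadcast_frame(entry)
    if bcast and entry.protocol.upper() == "ICMP":
        verdict = "icmp-broadcast"   # ping sweep or host-discovery probe
    elif bcast:
        verdict = "broadcast"        # e.g. periodic client search by a router/switch
    else:
        verdict = "unicast"
    if not on_my_subnet(entry.remote_ip, host_ip, prefix):
        verdict += "/foreign-source"  # source lies outside the host's own network
    return verdict

def summarize(entries, **kw):
    """Map each blocked source address to its verdict."""
    return {e.remote_ip: classify(e, **kw) for e in entries}

if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

A row tagged icmp-broadcast from a source outside the host's network is the pattern the answer describes; a broadcast row repeating on a fixed interval points to the router or switch discovery alternative.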