After migrating to (or installing) Symantec Endpoint Protection client Release Update 6 or 6a (SEP 11 RU6/RU6a) with Intrusion Prevention components, your DNS server is being blocked because the SEP client believes it is the source of a Denial of Service attack (UDP Flood Attack).
Symptoms
The SEP client will initiate an Active Response when a Denial of Service attack is detected, which will block traffic to/from the source IP for a configurable amount of time (10 minutes by default). In this situation, the Active Response will block access to the DNS server, preventing legitimate name lookups.
The Denial of Service detection type "UDP Flood Attack" was added in SEP 11 RU6. We are currently investigating a condition that will cause this signature to trigger on legitimate DNS traffic.
This issue has been fixed in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 1 (RU6 MP1). For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH103088: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.
Be aware that not all cases of a UDP Flood Attack detection are a False Positive. Please confirm that the detection is a false positive before implementing any of the following workarounds. The Technical Information section of this document includes details on how to confirm a false positive on this detection.
The most viable workaround for this issue if you are not able to upgrade is to disable the Denial of Service Protection functionality either via Symantec Endpoint Protection Manager Intrusion Prevention policy, or by disabling Denial of Service Protection via the Symantec Endpoint Protection client User Interface (available on Client Control managed clients or on unmanaged clients).
Other workarounds include:
Add the IP addresses of DNS servers to the Intrusion Prevention policy Excluded Hosts list. This will explicitly allow any/all traffic to and from those IP addresses, so that neither Intrusion Prevention nor the Firewall interacts with the traffic. Implications include: the DNS server list is hard to manage if clients roam, and the list is unavailable on unmanaged clients.
Downgrade the product to Release Update 5 (RU5) on affected client computers. RU5 did not contain the detection that is involved in this issue. Implications include: difficulty in downgrading (requires uninstall of RU6 and reinstall of RU5), as well as potential exposure to issues that were fixed between RU5 and RU6.
Technical Information
To confirm whether the detection is a false positive, a packet capture will need to be run while the detection triggers. The easiest packet capture software to use is Wireshark, but any packet capture utility (such as tcpdump) can be used. Once the detection has occurred, the packet capture can be stopped. Symantec Technical Support can examine the traffic to see if it meets the DoS conditions. If the traffic that meets the triggering conditions is known legitimate DNS traffic, you have confirmed that the issue is a false positive.
If you need assistance with generating and reviewing a packet capture to confirm a false positive on this detection, please contact Symantec Support.
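For a first pass over the capture before sending it to Support, the following added example (not Symantec code) checks whether every port-53 packet sent by the blocked DNS server answers a query that the capture also contains. It assumes the capture was exported as text with `tcpdump -nn -r capture.pcap udp port 53`; the function names, the sample addresses and the matching rule are assumptions made here, since this document does not state the signature's triggering conditions.

```python
import re
from collections import Counter

# Matches the IPv4 DNS lines printed by `tcpdump -nn udp port 53`.
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\d+)")

def triage(lines, dns_server):
    """Classify port-53 packets sent by dns_server as answers to a query
    seen earlier in the capture (solicited) or not (unsolicited)."""
    pending = set()      # (client ip, client port, DNS id) still awaiting an answer
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        src, sport, dst, dport, txid = m.groups()
        if dst == dns_server and dport == "53":
            pending.add((src, sport, txid))
            counts["queries"] += 1
        elif src == dns_server and sport == "53":
            key = (dst, dport, txid)
            if key in pending:
                pending.discard(key)   # a repeated answer then counts as unsolicited
                counts["solicited"] += 1
            else:
                counts["unsolicited"] += 1
    return counts

def consistent_with_dns(counts):
    """Assumed criterion: every packet from the server answered a captured query."""
    return counts["solicited"] > 0 and counts["unsolicited"] == 0

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
12:00:01.000100 IP 192.0.2.10.51514 > 192.0.2.53.53: 4660+ A? example.com. (29)
12:00:01.001200 IP 192.0.2.53.53 > 192.0.2.10.51514: 4660 1/0/0 A 198.51.100.7 (45)
12:00:01.002000 IP 192.0.2.10.51515 > 192.0.2.53.53: 4661+ AAAA? example.com. (29)
12:00:01.003100 IP 192.0.2.53.53 > 192.0.2.10.51515: 4661 0/1/0 (90)
12:00:01.004000 IP 192.0.2.53.53 > 192.0.2.10.40000: 9999 1/0/0 A 198.51.100.7 (45)
""".splitlines()

if __name__ == "__main__":
    c = triage(SAMPLE, "192.0.2.53")
    print(dict(c), "consistent with legitimate DNS:", consistent_with_dns(c))
```

A result with unsolicited packets does not by itself prove an attack (the capture may have started after the query was sent), so treat it as a reason to review those packets rather than as a verdict.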
Imported Document ID: TECH132161