#3436 - 08/06/19 11:53 AM PingPlotter 5 Service causing Symantec Smurf DDoS detection
rzk295
I have multiple work laptops connected to my home network. Beginning yesterday, one of my laptops (call it Laptop A), which runs Symantec Endpoint Protection, began reporting a detected Smurf Denial of Service from a laptop on which I have PingPlotter 5 installed (Laptop B). I can also see a great deal of chatter coming from Laptop B. After a great deal of investigation, I found that if I stop the PingPlotter 5 Service on Laptop B, the chatter disappears and Laptop A no longer sees a DDoS attack. If I restart the service, the DDoS is immediately detected and I begin seeing network activity starting to climb again.

I am running version 5.5.8.4168 (Modification date 03-Feb-2018 16:58). This software has been installed for more than a year and this behavior has not been observed before. There has been no other software installed on Laptop B recently (within the last couple days) which I am aware of. Any idea what could be causing this type of behavior? For the time being, I have set the service to manual and am leaving it in a stopped state.

#3437 - 08/06/19 03:16 PM Re: PingPlotter 5 Service causing Symantec Smurf DDoS detection [Re: rzk295]
Hayla (Pingman Staff)
Hey rzk295,

Thanks for getting in touch!

I had to do a bit of research on this one - mainly because I'm not familiar with a lot of Symantec's stuff. However, I did find an article that's pretty interesting:

https://www.symantec.com/connect/forums/denial-service-smurf-attack-detected

Basically, this article is saying that false positives can be triggered - and I'm not surprised PingPlotter's traffic triggered a false positive. I'm unsure of what you can do from Symantec's side - but from a PingPlotter side you could try to double your interval (so trace every 5 seconds instead of 2.5 seconds).

The traffic that PingPlotter's sending is ICMP, and it's sending a lot of ICMP packets. If you use Wireshark to capture the stream, you can definitely see how many packets are going out. However - don't worry! We actually did an experiment like this to give people like you peace of mind - it's really, really hard to ACTUALLY DDoS something with PingPlotter. Check it out here:

https://www.pingplotter.com/wisdom/article/is-ping-dangerous

The main idea here is that it's a false positive and that you don't need to worry about PingPlotter DDoS'ing one of your nodes. However, you may want to take a look at Symantec's information to see how you can potentially add an exception - but it'd have to be for all ICMP as the traffic we send is from the ICMP.dll, not from the application itself.

I hope that helped!
_________________________
Regards,
Hayla
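To make the "count the packets in Wireshark" suggestion and the interval arithmetic concrete, here is an added example (mine, not PingPlotter's or Symantec's code) that triages a list of ICMP echo-request records of the kind a tshark field export would give you. It separates traceroute-style probing (one echo request per hop per interval, TTL stepped 1..n toward a single destination, which is what a PingPlotter trace looks like on the wire) from the Smurf signature (echo requests aimed at a broadcast address with a spoofed source). The packet records, the LAN prefix 192.168.1.0/24, the 20 pkt/s threshold and the classification rules are all assumptions for illustration; Symantec's actual heuristic is not documented here.

```python
"""Triage of an ICMP echo-request capture: traceroute-style probing
(PingPlotter) versus Smurf-style broadcast traffic.

Added example, not PingPlotter's or Symantec's code. Packet records
are constructed to mimic a tshark export of time/src/dst/type/ttl;
the LAN prefix, thresholds and rules below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

ECHO_REQUEST = 8  # ICMP type 8


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since capture start
    src: str
    dst: str
    icmp_type: int
    ttl: int


def is_broadcast(addr: str, lan: str = "192.168.1.0/24") -> bool:
    """Smurf relies on a broadcast destination (directed or limited).
    The LAN prefix is an assumed value."""
    net = ipaddress.ip_network(lan)
    return ipaddress.ip_address(addr) == net.broadcast_address or addr == "255.255.255.255"


def summarize(pkts):
    """Per-source echo-request statistics over the capture window."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.icmp_type == ECHO_REQUEST:
            by_src[p.src].append(p)
    stats = {}
    for src, ps in by_src.items():
        span = max(p.ts for p in ps) - min(p.ts for p in ps)
        stats[src] = {
            "count": len(ps),
            "rate": len(ps) / span if span > 0 else float(len(ps)),
            "dsts": {p.dst for p in ps},
            "ttls": sorted({p.ttl for p in ps}),
            "broadcast": any(is_broadcast(p.dst) for p in ps),
        }
    return stats


def classify(s, rate_threshold=20.0):
    """Assumed rule set: broadcast destination -> smurf-like;
    stepped TTLs 1..n to a single destination -> traceroute-like;
    otherwise a plain rate check."""
    if s["broadcast"]:
        return "smurf-like"
    ttls = s["ttls"]
    if len(s["dsts"]) == 1 and len(ttls) > 1 and ttls == list(range(1, len(ttls) + 1)):
        return "traceroute-like"
    if s["rate"] > rate_threshold:
        return "flood-like"
    return "normal"


def expected_rate(hops: int, interval_s: float) -> float:
    """Echo requests per second a trace emits: one probe per hop per
    interval. Doubling the interval halves it."""
    return hops / interval_s


def pingplotter_trace(src, dst, hops, interval_s, rounds):
    """Constructed traceroute-style traffic: every interval, one echo
    request per TTL 1..hops toward the same target."""
    return [Pkt(r * interval_s, src, dst, ECHO_REQUEST, ttl)
            for r in range(rounds) for ttl in range(1, hops + 1)]


def smurf_burst(spoofed_victim, bcast, n):
    """Constructed Smurf traffic: a burst of echo requests to the LAN
    broadcast address with the victim's address as source."""
    return [Pkt(i * 0.001, spoofed_victim, bcast, ECHO_REQUEST, 64) for i in range(n)]


if __name__ == "__main__":
    trace = pingplotter_trace("192.168.1.20", "8.8.8.8", hops=12, interval_s=2.5, rounds=4)
    for src, s in summarize(trace).items():
        print(src, classify(s), f"{s['rate']:.1f} pkt/s", "ttls", s["ttls"])
    burst = smurf_burst("10.0.0.5", "192.168.1.255", 50)
    for src, s in summarize(burst).items():
        print(src, classify(s), f"{s['rate']:.0f} pkt/s")
    print("12 hops @2.5 s:", expected_rate(12, 2.5), "pkt/s; @5 s:", expected_rate(12, 5.0))
```

With a real capture you would feed `summarize` the rows from something like `tshark -r capture.pcap -Y "icmp.type==8" -T fields -e frame.time_relative -e ip.src -e ip.dst -e icmp.type -e ip.ttl`; the point of the stepped-TTL check is that a trace to one target with TTLs 1..n is structurally nothing like a Smurf (no broadcast destination, no spoofed source), however many packets per second it produces.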
