Author Topic: DHCP Flood triggered after Avast update  (Read 2025 times)

0 Members and 1 Guest are viewing this topic.

Offline Darren S

  • Newbie
  • *
  • Posts: 5
DHCP Flood triggered after Avast update
« on: June 06, 2019, 12:03:47 PM »
I work at a University and have noticed an issue with Avast triggering a DHCP Request flood on the network.

Some of the students have Avast Free on their own personal devices whilst they are living in halls of residence. This issue does not happen if the user does not have Avast installed.

We noticed this issue begin around mid-late April. We received a few calls from students who had been disconnected from the network due to DHCP rate limiting that we have enabled. After investigating we found that all of those students were running Windows 10 with Avast as their antivirus software and we could see large DHCP traffic spikes generated by their computers.

Shortly after communicating with Avast servers (ncc.avast.com or *.ff.avast.com) the laptop or PC sends a flood of DHCP Request packets - typically >500 in one second. The frequency of these events can be anything from every few hours to every few days.

I have been able to replicate this issue on a virtual machine by installing a fresh copy of Windows 10 64-bit, followed by a standard installation of Avast with no other software. Typically Windows 10 comes as version 1703 (Creators Update) but I have seen the issue occur after I have installed Windows Updates beyond version 1803.

I will update this post with further information if I get it.

Has anybody else seen this and is anyone from Avast able to comment on the cause?
« Last Edit: June 06, 2019, 12:05:59 PM by Darren S »

Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 106
Re: DHCP Flood triggered after Avast update
« Reply #1 on: June 06, 2019, 12:55:04 PM »
Hello Darren,

Thank you for reporting the issue.
Could you please help us with investigation by providing some data?

Please enable debug logging (Menu > Settings > General > Troubleshooting > Enable debug logging)
Reproduce the issue (DHCP flood).

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

Thank you very much,
HK

Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 106
Re: DHCP Flood triggered after Avast update
« Reply #2 on: June 06, 2019, 03:34:45 PM »
One more wish. Could you please sniff network traffic using Wireshark tool and send us generated pcap file?
You can upload it to our FTP sever: https://support.avast.com/en-ww/article/FTP-file-upload

Thanks in advance,
HK

Offline Darren S

  • Newbie
  • *
  • Posts: 5
Re: DHCP Flood triggered after Avast update
« Reply #3 on: June 06, 2019, 03:37:15 PM »
Yes - I can do both of the things you requested. I will post the information soon.

Offline Darren S

  • Newbie
  • *
  • Posts: 5
Re: DHCP Flood triggered after Avast update
« Reply #4 on: June 08, 2019, 11:07:22 PM »
I have created the support packages and the PCAP file, however I was unable to upload the support package using the support tool. It displayed error 12002.

I have obtained the support package files and the PCAP and zipped both of these and uploaded to your FTP site.

The filename used is avast_dhcpflood.zip and was copied to the /incoming folder.

Please could you confirm if you have received it.


Offline Darren S

  • Newbie
  • *
  • Posts: 5
Re: DHCP Flood triggered after Avast update
« Reply #5 on: June 10, 2019, 11:41:02 AM »
Hi,


I just noticed that AvastSvc.exe is using UDP port 68 (bootpc). I can see this using Process Explorer and TCP View, but I do not know if the DHCP flood is originating from this process or the standard operating system svchost.exe

Did you receive the support files and PCAP and do you want me to send them again?


Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 106
Re: DHCP Flood triggered after Avast update
« Reply #6 on: June 11, 2019, 11:27:01 AM »
Hi Darren, thank you for your help. We will have a look and post back our findings.

Best regards,
HK

Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 106
Re: DHCP Flood triggered after Avast update
« Reply #7 on: June 21, 2019, 11:35:59 AM »
Hi Darren,

sorry for late reply. We were able to identify and fix the issue via regular definition updates. To apply the fix it is necessary to reboot computer. Hope it will help.

Best regards,
HK

Offline Darren S

  • Newbie
  • *
  • Posts: 5
Re: DHCP Flood triggered after Avast update
« Reply #8 on: June 21, 2019, 12:23:05 PM »
Thanks for your assistance with this. We have noticed a reduction in occurrences and it is no longer happening on my test VM.