Auto DoS feature on HP V1810 switches blocks legitimate network traffic

Luckily, the Auto DoS feature on HP V1810 switches is disabled by default, and you should always leave it that way.

It’s one of the worst-implemented features I have ever seen on a managed switch. The idea of an additional L2 security layer is good, but the implementation is definitely poor. With only basic enabled/disabled states and zero customization available, the feature set goes into the recycle bin. In particular, it blocks all NetBIOS traffic over the LAN because of the “nice” feature called “Prevent UDP Blat Attack”.
It seems HP engineers are not aware that NetBIOS uses the same UDP port 138 as both source and destination port, or maybe they believe it’s a rarely used protocol nowadays.
However, what happens when you replace some legacy switches on your network with new HP V1810 series 48-port 1 Gbps switches? What I’ve seen in particular is an inability to join PCs to an Active Directory domain using the domain NetBIOS names, with the following symptoms:
– Error 0x54b (1355 in decimal) present in %windir%\debug\NetSetup.log during PC join attempts.
– nltest /dsgetdc returns ERROR_NO_SUCH_DOMAIN (the same 1355/0x54b)
– no NetBIOS broadcast resolution
– no NetBIOS traffic reaching destination server with local LMHosts file entries enabled
– and much more.

Clearly, reading the full vendor documentation before deploying any new equipment is a must. Otherwise you can spend hours troubleshooting to understand how a single check box affects your Active Directory environment.

Reference: Auto DoS feature description.
Auto DoS

Enable – Select to prevent receiving packets from all the attacks mentioned below (Default: Disabled).

Prevent Land Attack – Prevents receiving packets with matching Source and Destination IP addresses.
Prevent TCP Blat Attack – TCP Source and Destination Port match
Prevent UDP Blat Attack – UDP Source and Destination Port match
Prevent Ping Of Death Attack – Prevents receiving ping packets with a size larger than 512 bytes through the use of fragments, which can target vulnerable systems.
Prevent Invalid TCP Flags Attack – Prevents receiving packets with invalid TCP flags. TCP Flag SYN set and Source Port less than 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
Prevent TCP Fragment Attack – Drop IP Packets that have a TCP header less than 20 bytes.
Check First Fragment Only – Enable checking DOS attacks on IP first fragments
Prevent Smurf Attack – ICMP Echo packets (ping) to a broadcast IP address are dropped.
Prevent Ping Flood Attack – Prevents Ping Flood by limiting the number of ICMP Ping packets. The rate is 1000 ICMP packets per second.
Prevent Syn Flood Attack – A SYN flood attack sends TCP connections requests faster than a machine can process them. Setting this filter limits the rate of TCP connection requests.
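
To see in advance which legitimate traffic the Land and Blat checks quoted above would drop, the following added example (not HP's code and not from the original post) parses raw IPv4 packets and applies those two rules exactly as the reference text words them. The packets, addresses, helper names and the UDP 137 name-service sample are assumptions constructed for illustration; the other Auto DoS checks are not modelled.

```python
import socket
import struct

def ipv4(src, dst, proto, payload):
    """Constructed sample packet: 20-byte IPv4 header, checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def tcp_syn(sport, dport):
    # seq=1, ack=0, data offset=5 words, flags=SYN, window=8192
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def auto_dos_matches(packet):
    """Return the documented Auto DoS checks (Land, Blat) this packet trips."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    hits = []
    if packet[12:16] == packet[16:20]:      # source IP == destination IP
        hits.append("Land")
    # Only the first fragment carries the TCP/UDP header with the ports.
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if sport == dport:                  # source port == destination port
            hits.append("TCP Blat" if proto == 6 else "UDP Blat")
    return hits

# Constructed samples: typical flows on a LAN with an Active Directory domain.
SAMPLES = {
    "netbios-datagram 138->138": ipv4("192.168.1.10", "192.168.1.255", 17, udp(138, 138)),
    "netbios-name 137->137": ipv4("192.168.1.10", "192.168.1.255", 17, udp(137, 137)),
    "dns 53124->53": ipv4("192.168.1.10", "192.168.1.2", 17, udp(53124, 53)),
    "ldap 49152->389": ipv4("192.168.1.10", "192.168.1.2", 6, tcp_syn(49152, 389)),
    "land (same src/dst IP)": ipv4("192.168.1.10", "192.168.1.10", 17, udp(40000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28} -> {', '.join(auto_dos_matches(pkt)) or 'pass'}")
```

Both NetBIOS samples trip the UDP Blat rule while DNS and LDAP pass, which matches the symptom list: name-based domain location fails although ordinary client-to-server traffic still works.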