I work at a University and have noticed an issue with Avast triggering a DHCP Request flood on the network.
Some of the students have Avast Free on their own personal devices whilst they are living in halls of residence. This issue does not happen if the user does not have Avast installed.
We noticed this issue begin around mid-late April. We received a few calls from students who had been disconnected from the network due to DHCP rate limiting that we have enabled. After investigating we found that all of those students were running Windows 10 with Avast as their antivirus software and we could see large DHCP traffic spikes generated by their computers.
Shortly after communicating with Avast servers (ncc.avast.com or *.ff.avast.com) the laptop or PC sends a flood of DHCP Request packets - typically >500 in one second. The frequency of these events can be anything from every few hours to every few days.
I have been able to replicate this issue on a virtual machine by installing a fresh copy of Windows 10 64-bit, followed by a standard installation of Avast with no other software. Typically Windows 10 comes as version 1703 (Creators Update) but I have seen the issue occur after I have installed Windows Updates beyond version 1803.
I will update this post with further information if I get it.
Has anybody else seen this and is anyone from Avast able to comment on the cause?
I have created the support packages and the PCAP file, however I was unable to upload the support package using the support tool. It displayed error 12002.
I have obtained the support package files and the PCAP and zipped both of these and uploaded to your FTP site.
The filename used is avast_dhcpflood.zip and was copied to the /incoming folder.
I just noticed that AvastSvc.exe is using UDP port 68 (bootpc). I can see this using Process Explorer and TCP View, but I do not know if the DHCP flood is originating from this process or the standard operating system svchost.exe
Did you receive the support files and PCAP and do you want me to send them again?
sorry for late reply. We were able to identify and fix the issue via regular definition updates. To apply the fix it is necessary to reboot computer. Hope it will help.