DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Fraggle attacks - any pointers gratefully accepted

30 Aug 2018 09:56 #1 by lodgie
Hi,
We have two routers, a 2850 on a copper cct and a 2930 on a fo cct (there's a good reason for this: BT are saying the 2850 has a fault when it's on the fibre cct, so the 2930 is running fibre only, and we're still getting the fault). These are on the same site and both are logging Fraggle attacks every 10 seconds; this has been happening for the last 24 hours.

Both routers are on static IPs; the 2850 is running 10 VPNs.

The 2850 was disconnected from the WAN last night (schedule) but on reconnection started logging an attack straight away.

All the PCs on site have been virus scanned and are clean, although this is not a guarantee.

Wireshark is running on a Win 2008 R2 server and is not showing any odd internal traffic so the firewall is working perfectly.

One attack is showing a source of 0.0.0.0:nnnn, with the port number incrementing randomly; the target address is 255.255.255.255:4944 UDP hlen=20 tlen=144.
The other is the same except the source address is 255.255.255.255.

This is not causing problems at the moment but I have a few concerns
1. It's odd getting an attack on 2 separate circuits at the same time when the only common denominator is the LAN and the kit on it - any advice on further checks I could make locally?
2. If this is targeted, what are the chances that it will just go away, or that they may try another method?
3. Any ideas on the usual delivery method that would trigger attacks?

Any clues on what to do next would be much appreciated.

TIA

John


10 Sep 2018 09:52 #2 by admin3
A broadcast packet (255.255.255.255) via UDP on port 4944 is a DrayTek specific packet.

Do the Vigor 2850 and Vigor 2930 have a Vigor 120 / 130 connected to them?
If you do and their firmware was recently updated, access the modem's web UI and disable [System Maintenance] > [Management] > DSL Status - Broadcast to LAN, which is some DSL data that is only understood by some of the newer router models.
More information here: https://www.draytek.co.uk/support/guides/kb-vigor-130-dsl-status



Forum Administrator
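To separate the benign broadcast the admin describes from traffic that actually matches the Fraggle pattern, the classifier below runs over a few constructed firewall log lines. This is an added example and not code from the forum or from DrayTek; the log line format is an assumption modelled on the fields the poster quoted, the meaning of UDP port 4944 is taken from the reply above, and the classic Fraggle ports (UDP echo on 7 and chargen on 19) are general knowledge rather than anything this thread reports.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample log (not a real Vigor syslog extract). The layout is an
# assumption: timestamp, the router's alert label, src ip:port, dst ip:port,
# protocol, header length and total length, as the poster described.
SAMPLE_LOG = """\
2018-08-30 09:50:01 Fraggle attack src 0.0.0.0:51237 dst 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:50:11 Fraggle attack src 255.255.255.255:60311 dst 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:50:21 Fraggle attack src 0.0.0.0:41890 dst 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:50:25 Fraggle attack src 203.0.113.9:1024 dst 255.255.255.255:7 UDP hlen=20 tlen=60
2018-08-30 09:50:31 Fraggle attack src 0.0.0.0:33020 dst 255.255.255.255:4944 UDP hlen=20 tlen=144
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Fraggle attack src (?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) hlen=(?P<hlen>\d+) tlen=(?P<tlen>\d+)$"
)

DRAYTEK_STATUS_PORT = 4944            # per the admin's reply: DrayTek DSL status broadcast
DRAYTEK_STATUS_SRC = {"0.0.0.0", "255.255.255.255"}  # the two sources the poster saw
FRAGGLE_PORTS = {7, 19}               # UDP echo / chargen, the classic Fraggle reflectors
BROADCAST = "255.255.255.255"


@dataclass
class Event:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tlen: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into an Event; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], tlen=int(m["tlen"]),
    )


def classify(ev: Event) -> str:
    """Label a broadcast event by what it most likely is."""
    if ev.proto != "UDP" or ev.dst != BROADCAST:
        return "other"
    if ev.dport == DRAYTEK_STATUS_PORT and ev.src in DRAYTEK_STATUS_SRC:
        # Matches the modem's "DSL Status - Broadcast to LAN" signature the admin describes
        return "draytek-dsl-status"
    if ev.dport in FRAGGLE_PORTS:
        # Broadcast UDP to echo/chargen is the genuine Fraggle pattern: worth a look
        return "fraggle-candidate"
    return "broadcast-unknown"


def events(log_text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev is not None]


def summarize(log_text: str) -> Counter:
    """Count events per label so the noisy benign class is obvious at a glance."""
    return Counter(classify(ev) for ev in events(log_text))


def median_interval(log_text: str, label: str) -> Optional[float]:
    """Median gap in seconds between events of one label; a steady gap points to a
    periodic status beacon rather than an attacker-driven flood."""
    times = sorted(ev.ts for ev in events(log_text) if classify(ev) == label)
    if len(times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    mid = len(gaps) // 2
    return gaps[mid] if len(gaps) % 2 else (gaps[mid - 1] + gaps[mid]) / 2


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG).items():
        print(f"{label}: {n} events, median interval {median_interval(SAMPLE_LOG, label)}s")
```

On the constructed sample the four port-4944 lines from 0.0.0.0 and 255.255.255.255 land in the benign DSL-status bucket with a steady 10 second spacing, which is the same cadence the poster reported, while the single broadcast to UDP port 7 is kept apart as something to investigate rather than silenced along with the modem chatter.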


15 Sep 2018 11:10 #3 by lodgie
That's a solution! Thanks for the help.

