DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Fraggle attacks - any pointers gratefully accepted

  • lodgie
  • Topic Author
  • Offline
  • New Member
  • New Member
More
30 Aug 2018 09:56 #92722 by lodgie
Hi,
We have two routers, a 2850 on a copper cct and a 2930 on a fo cct (there's a good reason for this, BT are saying the 2850 has a fault when it's the fibre cct so the 2930 is running fibre only - still getting the fault). These are on the same site and both are logging Fraggle attacks every 10 seconds, this has been happening for the last 24 hours.

Both routers are on static IP's, the 2850 is running 10 VPN's

The 2850 was disconnected from the WAN last night (schedule) but on reconnection started logging an attack straight away.

All the PC's on site have been virus scanned and are clean, although this is not a guarantee.

Wireshark is running on a Win 2008 R2 server and is not showing any odd internal traffic so the firewall is working perfectly.

One attack is showing a source of 0.0.0.0:nnnn with the port address incrementing randomly the target address is 255.255.255.255:4944 UDP hlen=20 tlen=144
The other is the same except the source address is 255.255.255.255

This is not causing problems at the moment but I have a few concerns
1. It's odd getting an attack on 2 separate circuits at the same time when the only common denominator is the LAN and the kit on it - any advice on further checks I could make locally?
2. If this is targetted, what are the chances that it will just go away or they may try another method?
3. Any ideas on the usual delivery method that woud trigger attacks?

Any clues on what to do next would be much appreciated.

TIA

John

Please Log in or Create an account to join the conversation.

More
10 Sep 2018 09:52 #92864 by admin3
A broadcast packet (255.255.255.255) via UDP on port 4944 is a DrayTek specific packet.

Do the Vigor 2850 and Vigor 2930 have a Vigor 120 / 130 connected to them?
If you do and their firmware was recently updated, access the modem's web UI and disable [System Maintenance] > [Management] > DSL Status - Broadcast to LAN, which is some DSL data that is only understood by some of the newer router models.
More information here: https://www.draytek.co.uk/support/guides/kb-vigor-130-dsl-status



Forum Administrator

Please Log in or Create an account to join the conversation.

  • lodgie
  • Topic Author
  • Offline
  • New Member
  • New Member
More
15 Sep 2018 11:10 #92903 by lodgie
That's a solution! Thanks for the help.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami