DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Fraggle attacks - any pointers gratefully accepted
- lodgie
- Topic Author
- New Member
30 Aug 2018 09:56 #92722
by lodgie
Hi,
We have two routers, a 2850 on a copper cct and a 2930 on a fo cct (there's a good reason for this: BT are saying the 2850 has a fault when it's on the fibre cct, so the 2930 is running fibre only - still getting the fault). These are on the same site and both are logging Fraggle attacks every 10 seconds; this has been happening for the last 24 hours.
Both routers are on static IPs; the 2850 is running 10 VPNs.
The 2850 was disconnected from the WAN last night (schedule) but on reconnection started logging an attack straight away.
All the PCs on site have been virus scanned and are clean, although this is not a guarantee.
Wireshark is running on a Win 2008 R2 server and is not showing any odd internal traffic, so the firewall is working perfectly.
One attack is showing a source of 0.0.0.0:nnnn with the port address incrementing randomly; the target address is 255.255.255.255:4944 UDP hlen=20 tlen=144.
The other is the same except the source address is 255.255.255.255.
This is not causing problems at the moment but I have a few concerns:
1. It's odd getting an attack on 2 separate circuits at the same time when the only common denominator is the LAN and the kit on it - any advice on further checks I could make locally?
2. If this is targeted, what are the chances that it will just go away, or that they may try another method?
3. Any ideas on the usual delivery method that would trigger attacks?
Any clues on what to do next would be much appreciated.
TIA
John
- admin3
- Site Admin
10 Sep 2018 09:52 #92864
by admin3
Forum Administrator
Replied by admin3 on topic Re: Fraggle attacks - any pointers gratefully accepted
A broadcast packet (255.255.255.255) via UDP on port 4944 is a DrayTek specific packet.
Do the Vigor 2850 and Vigor 2930 have a Vigor 120 / 130 connected to them?
If you do and their firmware was recently updated, access the modem's web UI and disable [System Maintenance] > [Management] > DSL Status - Broadcast to LAN, which is some DSL data that is only understood by some of the newer router models.
More information here: https://www.draytek.co.uk/support/guides/kb-vigor-130-dsl-status
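As an added example (not from the thread, and not DrayTek's own tooling): a small Python triage script that parses router DoS-log lines shaped like the ones John quoted and separates the Vigor 120/130 DSL status broadcast (UDP to 255.255.255.255:4944 from 0.0.0.0 or 255.255.255.255) from genuinely Fraggle-shaped traffic (UDP to a broadcast address aimed at the echo/chargen services on ports 7 and 19). The syslog layout and the sample lines are constructed for the example; only the address and port fields come from the thread, and the 203.0.113.9 source is a documentation-range placeholder.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, modelled on the fields quoted in the thread
# ("source 0.0.0.0:nnnn", "target 255.255.255.255:4944 UDP hlen=20 tlen=144").
# The exact Vigor syslog layout is an assumption, not copied from a real device.
SAMPLE_LOG = """\
2018-08-29 10:00:00 [DOS][Block][fraggle_attack] 0.0.0.0:51200 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-29 10:00:10 [DOS][Block][fraggle_attack] 255.255.255.255:23041 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-29 10:00:20 [DOS][Block][fraggle_attack] 0.0.0.0:7785 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-29 10:00:25 [DOS][Block][fraggle_attack] 203.0.113.9:53 -> 255.255.255.255:19 UDP hlen=20 tlen=60
2018-08-29 10:00:30 [DOS][Block][fraggle_attack] 0.0.0.0:40012 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
"""

# One line: timestamp, bracketed tags, "src:sport -> dst:dport PROTO hlen=.. tlen=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?\] "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\w+) hlen=(?P<hlen>\d+) tlen=(?P<tlen>\d+)"
)

DRAYTEK_DSL_STATUS_PORT = 4944          # DSL status broadcast named in the thread
FRAGGLE_SERVICE_PORTS = {7, 19}         # UDP echo and chargen, the classic Fraggle reflectors
BROADCAST = "255.255.255.255"
UNROUTABLE_SOURCES = {"0.0.0.0", BROADCAST}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "hlen", "tlen"):
        pkt[key] = int(pkt[key])
    return pkt


def classify(pkt):
    """Label one parsed event so the benign modem broadcast stands apart."""
    if pkt["proto"] != "UDP" or pkt["dst"] != BROADCAST:
        return "not-fraggle-shaped"
    if pkt["dport"] == DRAYTEK_DSL_STATUS_PORT and pkt["src"] in UNROUTABLE_SOURCES:
        return "draytek-dsl-status-broadcast"
    if pkt["dport"] in FRAGGLE_SERVICE_PORTS:
        return "fraggle-pattern"
    return "unclassified-broadcast-udp"


def triage(log_text):
    """Parse and label every line; return per-label counts plus the labelled events."""
    events = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    labelled = [(e, classify(e)) for e in events]
    counts = Counter(label for _, label in labelled)
    return {"counts": dict(counts), "events": labelled}


def intervals(labelled_events, label):
    """Seconds between consecutive events carrying `label` (the thread reports 10 s)."""
    times = [datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
             for e, l in labelled_events if l == label]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label, n in sorted(result["counts"].items()):
        print(f"{label:32s} {n}")
    print("DSL status broadcast interval (s):",
          intervals(result["events"], "draytek-dsl-status-broadcast"))
```

Run against a real Vigor syslog export the regex will almost certainly need adjusting to the device's actual layout; the classification logic is the part worth keeping. If the 4944 broadcasts keep arriving after the modem setting above is disabled, the modem is not the source and those events deserve the same scrutiny as the unclassified ones.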
- lodgie
- Topic Author
- New Member
15 Sep 2018 11:10 #92903
by lodgie
Replied by lodgie on topic Re: Fraggle attacks - any pointers gratefully accepted
That's a solution! Thanks for the help.
Copyright © 2024 DrayTek