topic Re: Problem with Fraggle DDOS attack in Tech Help - Software/Hardware etc

Problem with Fraggle DDOS attack

LODGIE_ — Thu, 30 Aug 2018 13:09:15 GMT

Hi,
We have two routers, a Vigor 2850 on a copper cct and a Vigor 2930 on a fibre cct (there's a good reason for this, BT are saying the 2850 has a fault when it's the fibre cct so the 2930 is running fibre only - still getting the fault). These are on the same site and both are logging Fraggle attacks every 10 seconds, this has been happening for the last 36 hours.

Both routers are on static IP's, the 2850 is running 10 VPN's

The 2850 was disconnected from the WAN last night (schedule) but on reconnection started logging an attack straight away.

All the PC's on site have been virus scanned and are clean, although this is not a 100% guarantee

Wireshark is running on a Win 2008 R2 server and is not showing any odd internal traffic so the firewall is working perfectly.

One attack is showing a source of 0.0.0.0:nnnn with the port address incrementing randomly the target address is 255.255.255.255:4944 UDP hlen=20 tlen=144
The other is the same except the source address is 255.255.255.255

This is not causing problems at the moment but I have a few concerns
1. It's odd getting an attack on 2 separate circuits at the same time when the only common denominator is the LAN and the kit on it - any advice on further checks I could make locally?
2. If this is targetted, what are the chances that it will just go away or they may try another method?
3. Any ideas on the usual delivery method that woud trigger attacks?

Re: Problem with Fraggle DDOS attack

Anonymous — Thu, 30 Aug 2018 13:32:56 GMT

@LODGIE_ - Assuming you’ve not done it already go to Firewall > DoS Defense enable it and the SYN, UDP and ICMP flood options.

Hope this helps.

Most routers are immune to this but no harm in some belt and braces.

Re: Problem with Fraggle DDOS attack

LODGIE_ — Fri, 31 Aug 2018 07:17:44 GMT

Thanks for the response. All firewalls cranked to max, it's not getting through... Still getting the broadcast packets every 10 sec though. Waiting for a change of attack type now.

Re: Problem with Fraggle DDOS attack

ejs — Fri, 31 Aug 2018 14:56:10 GMT

Is there a Draytek VDSL2 modem involved somewhere? Apparently UDP port 4944 is where Draytek modems broadcast their DSL stats to (this can be used by some Draytek routers to display the DSL stats of the separate modem).

Re: Problem with Fraggle DDOS attack

LODGIE_ — Fri, 31 Aug 2018 17:09:25 GMT

Handn't considered that yes there are two Draytek VDSL modems - what a plum I am, should have realised. Good of Draytek to record this as an DDOS.

Cheers!!!