
Problem with Fraggle DDOS attack

FIXED
LODGIE_
Newbie
Posts: 3
Registered: ‎30-08-2018

Problem with Fraggle DDOS attack

Hi,
We have two routers, a Vigor 2850 on a copper cct and a Vigor 2930 on a fibre cct (there's a good reason for this, BT are saying the 2850 has a fault when it's the fibre cct so the 2930 is running fibre only - still getting the fault). These are on the same site and both are logging Fraggle attacks every 10 seconds, this has been happening for the last 36 hours.

Both routers are on static IPs; the 2850 is running 10 VPNs.

The 2850 was disconnected from the WAN last night (schedule) but on reconnection started logging an attack straight away.

All the PCs on site have been virus scanned and are clean, although this is not a 100% guarantee.

Wireshark is running on a Win 2008 R2 server and is not showing any odd internal traffic so the firewall is working perfectly.

One attack is showing a source of 0.0.0.0:nnnn with the port address incrementing randomly; the target address is 255.255.255.255:4944 UDP hlen=20 tlen=144
The other is the same except the source address is 255.255.255.255

This is not causing problems at the moment but I have a few concerns
1. It's odd getting an attack on 2 separate circuits at the same time when the only common denominator is the LAN and the kit on it - any advice on further checks I could make locally?
2. If this is targeted, what are the chances that it will just go away or they may try another method?
3. Any ideas on the usual delivery method that would trigger attacks?

4 REPLIES 4
Anonymous
Not applicable

Re: Problem with Fraggle DDOS attack

@LODGIE_ - Assuming you’ve not done it already, go to Firewall > DoS Defense, enable it and the SYN, UDP and ICMP flood options.

DoS Defence

Hope this helps.

Most routers are immune to this but no harm in some belt and braces.

LODGIE_
Newbie
Posts: 3
Registered: ‎30-08-2018

Re: Problem with Fraggle DDOS attack

Thanks for the response. All firewalls cranked to max, it's not getting through... Still getting the broadcast packets every 10 sec though. Waiting for a change of attack type now.

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Problem with Fraggle DDOS attack

Fix

Is there a Draytek VDSL2 modem involved somewhere? Apparently UDP port 4944 is where Draytek modems broadcast their DSL stats to (this can be used by some Draytek routers to display the DSL stats of the separate modem).
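An added example (not part of the thread and not DrayTek's code) of the triage this reply points to: group the router's alerts by destination and separate a steady, fixed-size beacon to UDP 4944 from traffic aimed at the echo (7) and chargen (19) services that a classic Fraggle attack uses. The log line layout, sample values and function names are constructed assumptions; the port 4944 attribution comes from the reply above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample lines. The layout is an assumption built from the fields
# quoted in the thread; it is not a real DrayTek syslog format.
SAMPLE_LOG = """\
2018-08-30 09:00:00 0.0.0.0:3071 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:00:10 0.0.0.0:3940 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:00:20 0.0.0.0:3512 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:00:30 0.0.0.0:3288 -> 255.255.255.255:4944 UDP hlen=20 tlen=144
2018-08-30 09:00:31 198.51.100.7:40112 -> 192.0.2.255:7 UDP hlen=20 tlen=60
2018-08-30 09:00:32 198.51.100.7:40114 -> 192.0.2.255:19 UDP hlen=20 tlen=60
"""

LINE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) UDP hlen=\d+ tlen=(\d+)$")
AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}  # services classic Fraggle abuses
BEACON_PORTS = {4944: "DSL stats broadcast (per the reply above)"}

def triage(log_text, max_jitter=1.0):
    """Group alerts by (destination IP, port) and label each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            groups[(m.group(4), int(m.group(5)))].append((ts, int(m.group(6))))
    verdicts = {}
    for (dst, port), events in groups.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = {size for _, size in events}
        # A beacon repeats at a fixed interval with a fixed packet length.
        steady = len(gaps) >= 2 and pstdev(gaps) <= max_jitter and len(sizes) == 1
        if port in AMPLIFIER_PORTS:
            verdicts[(dst, port)] = "fraggle-like: " + AMPLIFIER_PORTS[port]
        elif port in BEACON_PORTS and steady:
            verdicts[(dst, port)] = "periodic beacon: " + BEACON_PORTS[port]
        else:
            verdicts[(dst, port)] = "unclassified: capture and inspect"
    return verdicts

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOG).items():
        print(key, verdict)
```

A group to port 4944 that is not steady (too few events, varying length or irregular timing) is left unclassified rather than assumed benign.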

LODGIE_
Newbie
Posts: 3
Registered: ‎30-08-2018

Re: Problem with Fraggle DDOS attack

Hadn't considered that, yes there are two Draytek VDSL modems - what a plum I am, should have realised. Good of Draytek to record this as a DDOS.

Cheers!!!