Reply

Fraggle attack every 10 seconds from spource UNKNOW

Scorpio123
Guide

Fraggle attack every 10 seconds from spource UNKNOW

I haven't seen any posts specifically for this.

 

My R8000P router which is connected to a Draytek Vigor 130 modem gets these messages every 10 seconds from source UNKNOW and a random port.

 

[DoS attack: Fraggle Attack] from source UNKNOW,port 35940 Monday, Aug 23,2021 13:51:30

[DoS attack: Fraggle Attack] from source UNKNOW,port 35863 Monday, Aug 23,2021 13:51:20

[DoS attack: Fraggle Attack] from source UNKNOW,port 35795 Monday, Aug 23,2021 13:51:10

[DoS attack: Fraggle Attack] from source UNKNOW,port 35736 Monday, Aug 23,2021 13:51:00

[DoS attack: Fraggle Attack] from source UNKNOW,port 35686 Monday, Aug 23,2021 13:50:50

...................

 

Is there any way of finding what the source of these is in case it is actually something on my internal network I can fix.

 

Thank you.

 

 

John.

Model: R8000P|Nighthawk X6S AC4000 Tri Band WiFi Router
Message 1 of 2
Scorpio123
Guide

Re: Fraggle attack every 10 seconds from source UNKNOW

After further investigation, I seem to have fixed this problem.

 

My Router is connected to a Draytek Vigor 130 modem.

 

https://www.draytek.co.uk/support/guides/kb-vigor-130-dsl-status#modem-configuration

shows :-

 

The DrayTek Vigor 130 and Vigor 120v2 modems send DSL Information to the router by default.

The DSL information is sent as a UDP broadcast packet on port 4944. If this isn't required, it can be disabled from the [System Maintenance] > [Management] page of the modem's web interrface, by disabling the Broadcast DSL status to router option:

 

This happens every 10 seconds. For some reason the port is being reported as UNKNOW by the Netgear router.

If you untick the Device Management option (see below) then the fraggle attacks every 10 seconds stop.

However, this has now been replaced by a new repeating fraggle attack every 2 minutes and five seconds :-

 

[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:46:05
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:44:00
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:41:55
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:39:50

........

 

although initially after the router was rebooted, port 68 was reported :-

 

[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:43:10
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:41:05
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:39:00
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:36:55
........

There were 11 of the port 68 entries. Supposedly DHCP related so this could fit with devices on the network reaquiring IP addresses.

 

Port 443 is for HTTPS but without a source difficult to say where these are coming from and why every 2 minutes and 5 seconds .............

 

I also enabled the DOS attack features on the Vigor 130 modem so that should be filtering them before the router???

 

I have installed Wireshark so will see if that throws up any correlations with the events ..................

 

 

 

remotedsl2.png

Message 2 of 2
Top Contributors
Discussion stats
  • 1 reply
  • 112 views
  • 0 kudos
  • 1 in conversation
Announcements

Orbi WiFi 6E