
Scorpio123
Aug 25, 2021

Fraggle attack every 10 seconds from source UNKNOW

I haven't seen any posts specifically for this.

 

My R8000P router which is connected to a Draytek Vigor 130 modem gets these messages every 10 seconds from source UNKNOW and a random port.

 

[DoS attack: Fraggle Attack] from source UNKNOW,port 35940 Monday, Aug 23,2021 13:51:30

[DoS attack: Fraggle Attack] from source UNKNOW,port 35863 Monday, Aug 23,2021 13:51:20

[DoS attack: Fraggle Attack] from source UNKNOW,port 35795 Monday, Aug 23,2021 13:51:10

[DoS attack: Fraggle Attack] from source UNKNOW,port 35736 Monday, Aug 23,2021 13:51:00

[DoS attack: Fraggle Attack] from source UNKNOW,port 35686 Monday, Aug 23,2021 13:50:50

...................

 

Is there any way of finding what the source of these is, in case it is actually something on my internal network I can fix?

 

Thank you.

 

 

John.

1 Reply

  • After further investigation, I seem to have fixed this problem.

     

    My Router is connected to a Draytek Vigor 130 modem.

     

    https://www.draytek.co.uk/support/guides/kb-vigor-130-dsl-status#modem-configuration

    shows :-

     

    The DrayTek Vigor 130 and Vigor 120v2 modems send DSL Information to the router by default.

    The DSL information is sent as a UDP broadcast packet on port 4944. If this isn't required, it can be disabled from the [System Maintenance] > [Management] page of the modem's web interface, by disabling the Broadcast DSL status to router option:

     

    This happens every 10 seconds. For some reason the port is being reported as UNKNOW by the Netgear router.

    If you untick the Device Management option (see below) then the fraggle attacks every 10 seconds stop.

    However, this has now been replaced by a new repeating fraggle attack every 2 minutes and five seconds :-

     

    [DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:46:05
    [DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:44:00
    [DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:41:55
    [DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:39:50

    ........

     

    although initially after the router was rebooted, port 68 was reported :-

     

    [DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:43:10
    [DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:41:05
    [DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:39:00
    [DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:36:55
    ........

    There were 11 of the port 68 entries. Supposedly DHCP related so this could fit with devices on the network reacquiring IP addresses.

     

    Port 443 is for HTTPS but without a source difficult to say where these are coming from and why every 2 minutes and 5 seconds .............

     

    I also enabled the DOS attack features on the Vigor 130 modem so that should be filtering them before the router???

     

    I have installed Wireshark so will see if that throws up any correlations with the events ..................
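
Added example, not part of the original thread: the router log gives no source address, so the repeat interval is the main clue for matching entries to a known periodic sender such as the modem's 10-second DSL status broadcast. This Python code parses log lines quoted in the posts above and reports the interval per port; pooling ports of 1024 and above into one group is an assumption made here, because the port changes on every entry in the first log.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Router log lines copied from the two posts above.
SAMPLE_LOG = """\
[DoS attack: Fraggle Attack] from source UNKNOW,port 35940 Monday, Aug 23,2021 13:51:30
[DoS attack: Fraggle Attack] from source UNKNOW,port 35863 Monday, Aug 23,2021 13:51:20
[DoS attack: Fraggle Attack] from source UNKNOW,port 35795 Monday, Aug 23,2021 13:51:10
[DoS attack: Fraggle Attack] from source UNKNOW,port 35736 Monday, Aug 23,2021 13:51:00
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:46:05
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:44:00
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:41:55
[DoS attack: Fraggle Attack] from source UNKNOW,port 443 Thursday, Aug 26,2021 18:39:50
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:43:10
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:41:05
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:39:00
[DoS attack: Fraggle Attack] from source UNKNOW,port 68 Thursday, Aug 26,2021 16:36:55
"""

LINE_RE = re.compile(r"\[DoS attack: [^\]]+\] from source [^,]+,port (?P<port>\d+) "
                     r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} [\d:]{8})")

def parse(log_text):
    """Return sorted (timestamp, port) pairs; lines that do not match are skipped."""
    hits = (LINE_RE.search(line) for line in log_text.splitlines())
    return sorted((datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"), int(m["port"]))
                  for m in hits if m)

def port_bucket(port):
    """Assumption: ports >= 1024 change per packet, so pool them into one group."""
    return port if port < 1024 else "ephemeral"

def periods(events, key=port_bucket, min_events=3):
    """Map each group to (median gap in s, worst deviation in s, event count)."""
    stamps = defaultdict(list)
    for ts, port in events:
        stamps[key(port)].append(ts)
    result = {}
    for group, ts in stamps.items():
        if len(ts) >= min_events:  # fewer points say nothing about a period
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            mid = median(gaps)
            result[group] = (mid, max(abs(g - mid) for g in gaps), len(ts))
    return result

if __name__ == "__main__":
    print(periods(parse(SAMPLE_LOG)))
```

A group with a steady gap and near-zero deviation points to a timer-driven sender, which can then be matched against a Wireshark capture filtered on that port.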