Fraggle Attack Enterasys S4

Question (answered), updated 3 years ago
I am getting these HostDos Attack ( fraggle ) detected on vlan.0.x (tons of different vlans).  Is this something to be worried about?  I can't track it down to a source.  They are coming in roughly 24 per second.  They look like this:

Oct 26 16:06:40 10.0.1.1 HostDoS[6] Attack ( fraggle ) detected on vlan.0.56 [ InPort(lag.0.8) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) DIP(10.5.6.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.53 [ InPort(lag.0.6) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(2C:44:FD:64:1C:41) C-TAG(8100:0035) ETYPE(0800) SIP(10.5.3.41) DIP(10.5.3.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.700 [ InPort(lag.0.2) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(00:50:56:95:7E:5C) C-TAG(8100:02BC) ETYPE(0800) SIP(10.6.49.29) DIP(10.6.49.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Jeremy, Ambassador
Posted 3 years ago
Christoph
It could be a DoS attack on NetBIOS because it's sent to all hosts in your subnet. It could crash very old Windows systems because their NetBIOS service can become frozen.
Daniel Coughlin, Employee
Jeremy,
Tracking down the end systems can take some time but the message includes clues to help.
SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) The host in this one has an IP of 10.5.6.31 with a MAC address of 18:A9:05:F2:49:D9 on VLAN 56.
It is likely an older Microsoft OS, though a DoS attack is a possibility. The host of the switch is hardened against these.
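The reply above walks through pulling SA, SIP and the VLAN out of one message by hand. For the volume the question describes (about 24 messages per second across many VLANs) that is better done by script. The following is an added example, not code from the thread or from Extreme/Enterasys: it parses the HostDoS lines quoted in the question, checks that the C-TAG VLAN id agrees with the vlan.0.x the switch reported, and labels each record by whether it matches the NetBIOS name-service pattern the replies describe (UDP 137 to 137, Ethernet broadcast, IP destination equal to the sender's subnet broadcast). The /24 mask used for that last check and the verdict strings are assumptions; the thread gives no subnet masks.

```python
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# The three HostDoS syslog lines quoted in the question (copied from the thread, not constructed).
LOG_LINES = """\
Oct 26 16:06:40 10.0.1.1 HostDoS[6] Attack ( fraggle ) detected on vlan.0.56 [ InPort(lag.0.8) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) DIP(10.5.6.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.53 [ InPort(lag.0.6) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(2C:44:FD:64:1C:41) C-TAG(8100:0035) ETYPE(0800) SIP(10.5.3.41) DIP(10.5.3.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.700 [ InPort(lag.0.2) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(00:50:56:95:7E:5C) C-TAG(8100:02BC) ETYPE(0800) SIP(10.6.49.29) DIP(10.6.49.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
"""

# Outer shape of the message: attack name, VLAN id, then the bracketed KEY(value) list.
LINE_RE = re.compile(
    r"HostDoS\[\d+\] Attack \( (?P<attack>\w+) \) detected on "
    r"vlan\.0\.(?P<vlan>\d+) \[ (?P<fields>.*?) \]"
)
# Individual KEY(value) tokens inside the brackets, e.g. SA(...), C-TAG(...), UDP_DST(...).
FIELD_RE = re.compile(r"(?P<key>[A-Za-z_-]+)\((?P<val>[^)]*)\)")

# Assumption: hosts sit in /24 subnets. Adjust per VLAN if your addressing differs.
ASSUMED_PREFIX_LEN = 24


def parse_line(line):
    """Parse one HostDoS line into a dict of its fields; None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"attack": m["attack"], "vlan": int(m["vlan"])}
    rec.update(FIELD_RE.findall(m["fields"]))  # list of (key, value) pairs
    return rec


def ctag_vlan(rec):
    """VLAN id from the 802.1Q C-TAG (TPID:TCI in hex); the id is the low 12 bits of the TCI."""
    _tpid, tci = rec["C-TAG"].split(":")
    return int(tci, 16) & 0x0FFF


def classify(rec, prefix_len=ASSUMED_PREFIX_LEN):
    """Label a record by what the packet looks like (labels are this example's own)."""
    is_udp = rec.get("PROTO") == "17"
    l2_broadcast = rec.get("DA", "").upper() == "FF:FF:FF:FF:FF:FF"
    nbns = rec.get("UDP_DST") == "137" and rec.get("UDP_SRC") == "137"
    subnet = IPv4Network(f"{rec['SIP']}/{prefix_len}", strict=False)
    to_subnet_broadcast = IPv4Address(rec["DIP"]) == subnet.broadcast_address
    if is_udp and l2_broadcast and nbns and to_subnet_broadcast:
        return "netbios-ns-broadcast"  # the benign-looking pattern the replies describe
    if is_udp and l2_broadcast:
        return "other-udp-broadcast"   # still matches the switch's fraggle check; look closer
    return "unclassified"


def summarize(text):
    """Count messages per (vlan, source MAC, source IP, ingress port, verdict).

    A tag_mismatch verdict is emitted when the C-TAG VLAN disagrees with the
    vlan.0.x the switch reported, which would point at a tagging problem rather
    than at the host.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec) if ctag_vlan(rec) == rec["vlan"] else "tag_mismatch"
        counts[(rec["vlan"], rec["SA"], rec["SIP"], rec.get("InPort"), verdict)] += 1
    return counts


if __name__ == "__main__":
    for (vlan, sa, sip, inport, verdict), n in sorted(summarize(LOG_LINES).items()):
        print(f"vlan {vlan:>4}  {sa}  {sip:<15}  via {inport:<8}  {verdict:<22}  x{n}")
```

Feed it the switch's syslog export instead of LOG_LINES and the per-source counts tell you which (VLAN, MAC, IP) triples to chase with `show mac address` as suggested further down; the verdict column separates plain NBNS name broadcasts from anything else that tripped the same check.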
Jeremy, Ambassador
I am seeing these messages for every single VLAN. 99.99% of computers are Windows 7.1 or newer etc. I can find the source computer, but doing a packet capture doesn't show me anything interesting. Virus scan etc. shows nothing.
Christoph
What happens if you disconnect the suspicious host(s)?

With the command
show mac address xx:xx:xx:xx:xx:xx
on the switch(s) behind the corresponding LAG(s) you can identify the host port(s).