Fraggle Attack Enterasys S4


I am getting these HostDos Attack ( fraggle ) detected on vlan.0.x (tons of different vlans). Is this something to be worried about? I can't track it down to a source. They are coming in roughly 24 per second. They look like this:

Oct 26 16:06:40 10.0.1.1 HostDoS[6] Attack ( fraggle ) detected on vlan.0.56 [ InPort(lag.0.8) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) DIP(10.5.6.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]

Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.53 [ InPort(lag.0.6) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(2C:44:FD:64:1C:41) C-TAG(8100:0035) ETYPE(0800) SIP(10.5.3.41) DIP(10.5.3.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.700 [ InPort(lag.0.2) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(00:50:56:95:7E:5C) C-TAG(8100:02BC) ETYPE(0800) SIP(10.6.49.29) DIP(10.6.49.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]


4 replies

Userlevel 3
It could be a DoS attack of NetBIOS because it's send to all host in your subnet. It could crash very old Windows Systems because their NetBIOS service can become frozen.
Userlevel 4
Jeremy,
Tracking down the end systems can take some time but the message includes clues to help.
SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) The host in this one has an IP of 10.5.6.31 with a Macadress of 18:A9:05:F2:49:D9 on vlan 56.
It is likely an older microsoft OS though DoS attack is a possibility. The host of the switch is hardened against these.
I am seeing these messages for every single vlan. 99.99% of computers are windows 7.1 or newer etc. I can find the source computer, but doing a packet capture doesn't show me anything interesting. Virus scan etc shows nothing.
Userlevel 3
What happens if you disconnect the suspicious host(s)?

With the command
show mac address xx:xx:xx:xx:xx:xx[/code]on the switch(s) behind the corresponding LAG(s) you can identify the host port(s).

Reply