https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9353#M381 Jose, this really is something we need to open a trouble ticket for. Can you please email me your company/contact information? troussea@enterasys.com. Wed, 16 Oct 2013 05:33:00 GMT Tamera_Rousseau 2013-10-16T05:33:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9348#M376 How to prevent an attack fraggle in my switchin with Enterasys infrastructure? and above all, how to detect the source of these attacks? Tue, 15 Oct 2013 20:19:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9348#M376 Jose_Estrada 2013-10-15T20:19:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9349#M377 Anyone who can help me? Tue, 15 Oct 2013 21:54:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9349#M377 Jose_Estrada 2013-10-15T21:54:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9350#M378 Hi Jose. I am sending this question over to our support group for some guidance. If there is any other details you can give, that would be greatly appreciated. Thank you! Wed, 16 Oct 2013 00:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9350#M378 Tamera_Rousseau 2013-10-16T00:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9351#M379 this is the output in the command : show logging buffer <165>Oct 14 19:41:58 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.28 [ InPort(ge.2.20) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(6C:F0:49:E2:F6:19) C-TAG(8100:001C) ETYPE(0800) SIP(172.31.2.20) DIP(172.31.2.31) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ] <165>Oct 14 19:42:01 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.13 [ InPort(ge.2.20) LEN(90) DA(FF:FF:FF:FF:FF:FF) SA(20:CF:30:61:ED:03) C-TAG(8100:000D) ETYPE(0800) SIP(172.31.2.70) DIP(172.31.2.79) VER(4) HLEN(5) TOTALLEN(68) PROTO(17) TOS(0) TTL(128) UDP_DST(1947) UDP_SRC(54737) ] this output is repeated on several occasions Wed, 16 Oct 2013 01:08:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9351#M379 Jose_Estrada 2013-10-16T01:08:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9352#M380 Support-> show hostdos stats HostDos is globally Enabled --------------------------------------------------------------------- Threat Ena Violation Last Occurrence ble Log Count Port VLAN Date and Time --------------------------------------------------------------------- arpNd Y Y 0 N/A N/A N/A badSIP Y Y 0 N/A N/A N/A fraggle Y Y 4336 ge.2.20 13 2013-10-14 20:15:42 icmpFlood Y Y 0 N/A N/A N/A icmpFrag Y Y 0 N/A N/A N/A icmpSize N Y 0 N/A N/A N/A lanD Y Y 0 N/A N/A N/A portScan N Y 0 N/A N/A N/A smurf Y Y 0 N/A N/A N/A spoof Y Y 0 N/A N/A N/A synFlood Y Y 0 N/A N/A N/A xmasTree Y Y 0 N/A N/A N/A Wed, 16 Oct 2013 02:10:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9352#M380 Jose_Estrada 2013-10-16T02:10:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9353#M381 Jose, this really is something we need to open a trouble ticket for. Can you please email me your company/contact information? troussea@enterasys.com. Wed, 16 Oct 2013 05:33:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9353#M381 Tamera_Rousseau 2013-10-16T05:33:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9354#M382 Jose, Good day, I hope you are well. The GTAC would like to open a case with you on this. Please send me your contact information so we can open a case. Once the GTAC case has concluded we will post the appropriate conclusion in theHUB for all to see. I can be contacted at btownsen@enterasys.com Thank you Brian Townsend Wed, 16 Oct 2013 17:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9354#M382 Brian_Townsend 2013-10-16T17:21:00Z https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9355#M383 Jose, from the data that you have provided I can state the following. The router output you attached tells us that we are dropping the data that appears to be be suspect and are not forwarding it any further. There is lots of room for false positive with some applications that are used that use some form of virtual addressing (typically servers), but the issue should be investigated further of course to ensure that your network is in healthy condition. Please engage the GTAC via Brian and we can assist you in further understanding and remediating the issue. If we have any further informative results from the investigation, we will post them to the community hub. Wed, 16 Oct 2013 23:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/fraggle-attack-mitigation/m-p/9355#M383 Mike_Thomas 2013-10-16T23:21:00Z