fraggle attack mitigation.

  • 15 October 2013
  • 9 replies
  • 243 views

How do I prevent a fraggle attack on my switches in an Enterasys infrastructure? And above all, how do I detect the source of these attacks?


Anyone who can help me?
Userlevel 2
Hi Jose. I am sending this question over to our support group for some guidance. If there are any other details you can give, that would be greatly appreciated. Thank you!
This is the output of the command "show logging buffer":

<165>Oct 14 19:41:58 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.28 [ InPort(ge.2.20) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(6C:F0:49:E2:F6:19) C-TAG(8100:001C) ETYPE(0800) SIP(172.31.2.20) DIP(172.31.2.31) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
<165>Oct 14 19:42:01 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.13 [ InPort(ge.2.20) LEN(90) DA(FF:FF:FF:FF:FF:FF) SA(20:CF:30:61:ED:03) C-TAG(8100:000D) ETYPE(0800) SIP(172.31.2.70) DIP(172.31.2.79) VER(4) HLEN(5) TOTALLEN(68) PROTO(17) TOS(0) TTL(128) UDP_DST(1947) UDP_SRC(54737) ]

This output is repeated on several occasions.
Support-> show hostdos stats
HostDos is globally Enabled
---------------------------------------------------------------------
Threat     Enable  Log  Violation  Last Occurrence
                        Count      Port     VLAN  Date and Time
---------------------------------------------------------------------
arpNd      Y       Y    0          N/A      N/A   N/A
badSIP     Y       Y    0          N/A      N/A   N/A
fraggle    Y       Y    4336       ge.2.20  13    2013-10-14 20:15:42
icmpFlood  Y       Y    0          N/A      N/A   N/A
icmpFrag   Y       Y    0          N/A      N/A   N/A
icmpSize   N       Y    0          N/A      N/A   N/A
lanD       Y       Y    0          N/A      N/A   N/A
portScan   N       Y    0          N/A      N/A   N/A
smurf      Y       Y    0          N/A      N/A   N/A
spoof      Y       Y    0          N/A      N/A   N/A
synFlood   Y       Y    0          N/A      N/A   N/A
xmasTree   Y       Y    0          N/A      N/A   N/A
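The second half of the question, finding the source, is answered by the HostDoS line itself: InPort is the switch port the frame arrived on, SA is the sending MAC and SIP the sending IP, so the triage step is to group the flagged frames by those fields and look at what the top sources are sending. The script below is an added example for this thread, not Enterasys code and not something the participants posted. It parses the two lines quoted above (plus one constructed repeat of the first, standing in for "repeated on several occasions"), ranks the sources, and annotates the UDP destination port with a small triage table that is my own assumption rather than anything the switch provides. The two ports seen on the page, udp/137 (NetBIOS name service) and udp/1947 (the registered port of the Sentinel HASP license manager), are both services that normally send UDP to the broadcast MAC, which is exactly the kind of false positive the last reply mentions, so the script checks that a flagged frame really is UDP to FF:FF:FF:FF:FF:FF before attributing it to a host.

```python
"""Triage Enterasys HostDoS 'fraggle' syslog lines: pull out the ingress port,
source MAC and source IP of each flagged frame and rank the offenders.
Added example for the thread; the log format is taken from the posted lines."""
import re
from collections import Counter

# Constructed sample input: the two lines quoted in the thread plus a
# constructed repeat of the first one (different timestamp, same host).
SAMPLE_LOG = """\
<165>Oct 14 19:41:58 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.28 [ InPort(ge.2.20) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(6C:F0:49:E2:F6:19) C-TAG(8100:001C) ETYPE(0800) SIP(172.31.2.20) DIP(172.31.2.31) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
<165>Oct 14 19:42:01 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.13 [ InPort(ge.2.20) LEN(90) DA(FF:FF:FF:FF:FF:FF) SA(20:CF:30:61:ED:03) C-TAG(8100:000D) ETYPE(0800) SIP(172.31.2.70) DIP(172.31.2.79) VER(4) HLEN(5) TOTALLEN(68) PROTO(17) TOS(0) TTL(128) UDP_DST(1947) UDP_SRC(54737) ]
<165>Oct 14 19:42:05 172.31.0.62 HostDoS[2] Attack ( fraggle ) detected on vlan.0.28 [ InPort(ge.2.20) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(6C:F0:49:E2:F6:19) C-TAG(8100:001C) ETYPE(0800) SIP(172.31.2.20) DIP(172.31.2.31) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
"""

# "HostDoS[2] Attack ( fraggle ) detected on vlan.0.28 [ KEY(val) KEY(val) ... ]"
HEADER_RE = re.compile(
    r"HostDoS\[\d+\] Attack \( (?P<threat>\w+) \) detected on (?P<vlan>\S+) "
    r"\[ (?P<fields>.*?) \]"
)
FIELD_RE = re.compile(r"([A-Za-z_-]+)\(([^)]*)\)")

# Assumed triage table (not part of the Enterasys feature): UDP services
# that legitimately send to the broadcast MAC and so trip a broadcast-UDP
# ("fraggle") signature on a busy LAN.
KNOWN_BROADCAST_SERVICES = {
    67: "DHCP server",
    68: "DHCP client",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1947: "Sentinel HASP license manager",
}

BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"


def parse_hostdos_line(line: str):
    """Return a dict of the fields in one HostDoS line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"threat": m.group("threat"), "vlan": m.group("vlan")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val
    return rec


def is_broadcast_udp(rec: dict) -> bool:
    """A fraggle hit should be UDP (proto 17) to the broadcast MAC; verify that
    from the frame fields rather than trusting the label alone."""
    return rec.get("PROTO") == "17" and rec.get("DA", "").upper() == BROADCAST_MAC


def rank_sources(log_text: str, threat: str = "fraggle"):
    """Group flagged frames by (ingress port, source MAC, source IP, UDP dst port)
    and return them most-frequent first, each with a triage hint."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_hostdos_line(line)
        if rec is None or rec["threat"] != threat or not is_broadcast_udp(rec):
            continue
        dport = int(rec["UDP_DST"]) if "UDP_DST" in rec else None
        counts[(rec["InPort"], rec["SA"], rec["SIP"], dport)] += 1
    ranked = []
    for (port, mac, sip, dport), n in counts.most_common():
        ranked.append({
            "port": port, "mac": mac, "sip": sip, "udp_dst": dport, "count": n,
            "hint": KNOWN_BROADCAST_SERVICES.get(dport, "unknown service; inspect host"),
        })
    return ranked


if __name__ == "__main__":
    for r in rank_sources(SAMPLE_LOG):
        print(f"{r['count']:4d}x  port {r['port']}  mac {r['mac']}  ip {r['sip']}  "
              f"udp/{r['udp_dst']}  -> {r['hint']}")
```

Feed it the full "show logging buffer" output instead of the sample and the top entries name the port and MAC to chase: a known broadcast service from one or two hosts is a false positive to tune, while a single MAC producing thousands of hits to an unknown port is the host to pull off the network and examine.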
Userlevel 2
Jose, this really is something we need to open a trouble ticket for. Can you please email me your company/contact information? troussea@enterasys.com.
Userlevel 1
Jose, Good day, I hope you are well. The GTAC would like to open a case with you on this. Please send me your contact information so we can open a case. Once the GTAC case has concluded we will post the appropriate conclusion in theHUB for all to see. I can be contacted at btownsen@enterasys.com Thank you Brian Townsend
Userlevel 6
Jose, from the data that you have provided I can state the following. The router output you attached tells us that we are dropping the data that appears to be suspect and are not forwarding it any further. There is a lot of room for false positives with some applications that use some form of virtual addressing (typically servers), but the issue should be investigated further of course to ensure that your network is in healthy condition. Please engage the GTAC via Brian and we can assist you in further understanding and remediating the issue. If we have any further informative results from the investigation, we will post them to the community hub.
