This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fraggle Attack Enterasys S4

Fraggle Attack Enterasys S4

Jeremy_Gibbs
Contributor

‎10-26-2015 02:15 PM

I am getting these HostDos Attack ( fraggle ) detected on vlan.0.x (tons of different vlans). Is this something to be worried about? I can't track it down to a source. They are coming in roughly 24 per second. They look like this:

Oct 26 16:06:40 10.0.1.1 HostDoS[6] Attack ( fraggle ) detected on vlan.0.56 [ InPort(lag.0.8) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) DIP(10.5.6.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.53 [ InPort(lag.0.6) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(2C:44:FD:64:1C:41) C-TAG(8100:0035) ETYPE(0800) SIP(10.5.3.41) DIP(10.5.3.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
Oct 26 16:06:33 10.0.1.1 HostDoS[2] Attack ( fraggle ) detected on vlan.0.700 [ InPort(lag.0.2) LEN(100) DA(FF:FF:FF:FF:FF:FF) SA(00:50:56:95:7E:5C) C-TAG(8100:02BC) ETYPE(0800) SIP(10.6.49.29) DIP(10.6.49.255) VER(4) HLEN(5) TOTALLEN(78) PROTO(17) TOS(0) TTL(128) UDP_DST(137) UDP_SRC(137) ]
0 Kudos
4 REPLIES 4

Christoph
Contributor

‎10-30-2015 07:38 AM

What happens if you disconnect the suspicious host(s)?

With the command
show mac address xx:xx:xx:xx:xx:xxon the switch(s) behind the corresponding LAG(s) you can identify the host port(s).
0 Kudos

Jeremy_Gibbs
Contributor

‎10-29-2015 07:57 PM

I am seeing these messages for every single vlan. 99.99% of computers are windows 7.1 or newer etc. I can find the source computer, but doing a packet capture doesn't show me anything interesting. Virus scan etc shows nothing.
0 Kudos

Daniel_Coughlin
Extreme Employee

‎10-29-2015 05:04 PM

Jeremy,
Tracking down the end systems can take some time but the message includes clues to help.
SA(18:A9:05:F2:49:D9) C-TAG(8100:0038) ETYPE(0800) SIP(10.5.6.31) The host in this one has an IP of 10.5.6.31 with a Macadress of 18:A9:05:F2:49:D9 on vlan 56.
It is likely an older microsoft OS though DoS attack is a possibility. The host of the switch is hardened against these.

0 Kudos

Christoph
Contributor

‎10-26-2015 03:48 PM

It could be a DoS attack of NetBIOS because it's send to all host in your subnet. It could crash very old Windows Systems because their NetBIOS service can become frozen.
0 Kudos
GTM-P2G8KFN