Discussion:
Fraggle attacks ?
(too old to reply)
Tom Hall
2005-06-06 18:51:18 UTC
Permalink
Hi - (I'm new to NTL) - my router has started reporting lots of DoS
Fraggle's :

DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 328
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 333
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 334
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 328

(duplicates removed)

Where / Who are these coming from - should I worry? (I've got the latest NIS
& NAV)

-Tom
Tom Hall
2005-06-06 18:57:35 UTC
Permalink
Sorry - forgot to add that my Internet access is through a cm not a stb

-Tom
Post by Tom Hall
Hi - (I'm new to NTL) - my router has started reporting lots of DoS
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 328
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 333
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 334
DoS fraggle Block 10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 328
(duplicates removed)
Where / Who are these coming from - should I worry? (I've got the latest
NIS & NAV)
-Tom
Mark McIntyre
2005-06-06 21:56:28 UTC
Permalink
Post by Tom Hall
Hi - (I'm new to NTL) - my router has started reporting lots of DoS
Where / Who are these coming from - should I worry? (I've got the latest NIS
& NAV)
Probably impossible to say where they're coming from since the source
IP is spoofed / forged. So long as your router is blocking them (and
not responding), don't worry. I believe they're an attempt to carry
out a DOS attack on someone else.
PJ
2005-06-06 22:58:54 UTC
Permalink
Post by Mark McIntyre
Post by Tom Hall
Hi - (I'm new to NTL) - my router has started reporting lots of DoS
Where / Who are these coming from - should I worry? (I've got the latest NIS
& NAV)
Probably impossible to say where they're coming from since the source
IP is spoofed / forged. So long as your router is blocking them (and
not responding), don't worry. I believe they're an attempt to carry
out a DOS attack on someone else.
It's just background noise, until something gets through. See the thread
"NTL and Norton Personal Firewall", and don't get paranoid about it.
--
PJ
Rincewind
2005-06-06 22:45:38 UTC
Permalink
Post by Tom Hall
10.45.48.1,67 -> 255.255.255.255,68 PR udp len 20 328
Looks like it is a bootps packet(DHCP server, UDP port 67) addressing all
bootpc(DHCP client, UDP port 68) listeners on its subnet. Typically, NTL
UBRs send these out, although these usually have a final octet of 254(e.g.
10.45.48.254). If it is indeed this and not a spoofed address, then you
should allow it through your firewall.

Does the address 10.45.48.1 show up if you do a traceroute to (say)
www.google.com? If not, you probably shouldn't allow it through, although
I am not aware of any vulnerabilities in any of the DHCP clients I am
familiar with(that's not to say that there aren't any ;~)).
--
Rinso
/\
/ \
/wizz\
~~~~~~~~~~~~
Loading...