Possible Fraggle attack initiated
Summary
This is not an attack against your system. Instead, it may be an attempt to "bounce" traffic off your system in order to overload someone else's Internet connection. This alert is also triggered by discovery programs that try to map out the network, so it may come from somebody trying to find all of his/her virtual cyberspace neighbors.
Details: Mapping
The Internet supports a feature known as "broadcasts". This allows someone to send a single "packet" to hundreds of computers on a "subnet".
The intended purpose of broadcasts is to make discovery easier. It allows your machine to announce itself to your neighbors, and it allows people scanning the network to easily find other machines.
For example, consider how sonar works. A submarine sends out a high-pitched beep (or ping), and the echoes bounce off nearby objects. In this way, a submarine can map its surroundings. In much the same way, a machine can send out an "echo" packet to an entire subnet in order to map it.
A typical example is someone on a cable-modem segment. Many people will run programs to send out these echoes, and retrieve a list of everyone who has their machines turned on. There are several types of mapping programs that will do this.
The intrusion-detection engine considers this mapping process to be an issue of concern. In much the same way that you don't want neighbors peeping in your windows to see if you are home, you may not want virtual neighbors in cyberspace pinging you to see if your machine is alive.
Details: fraggle
The above mapping process can be abused in a special attack known as "fraggle". The attacker isn't trying to attack you, but instead is using a feature known as "spoofing" to attack some third party.
The way it works is that the attacker pretends to be the victim and sends out these echo packets to a subnet. Everyone (whose machine is on and so configured) will respond back to the victim. All the victim sees is that everyone from a subnet is flooding him/her with numerous echo responses.
This attack was common during the Kosovo crisis. Pro-Serbian hackers would send out these echoes to many places on the Internet, spoofing U.S. and NATO sites. These sites were then overloaded with all the responses, taking the sites offline.
When the intrusion-detection engine triggers from this alert, it may be due to somebody using your network neighborhood as a staging point for these attacks.
Defense
The firewall subsystem blocks these incoming packets by default (when set to "Cautious"). If they are being used for discovery purposes, the person will not find your machine on the subnet. If they are being used to trigger floods against someone, your machine will not participate in the flood.
Cable-modem and DSL
Cable-modems and DSL lines are often placed in a common "broadcast domain" with thousands of other users. There is a good chance that one of these users will be running a discovery program in the background. If you don't want to see the alert in the future, please see Knowledge Base article q000050 for more information. This will cause the intrusion-detection engine to ignore the alert, but this configuration will have no effect on blocking of the packets.
Echo packets
Many packets can be sent at a machine in order to trigger echoes. These include:
- ICMP Echo: Used in the standard 'ping' command. Also used in the smurf attack, which is similar to fraggle.
- UDP Echo: The UDP echo port, which reflects traffic back to the sender. This is the primary packet used in fraggle.
- chargen: Returns random traffic back to the sender.
- daytime: Returns the current time back to the sender.
- qotd: Returns a "quote of the day" or "fortune cookie" back to the sender.
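The two situations described above (neighbor discovery under "Details: Mapping" and third-party flooding under "Details: fraggle") differ only in where the request's source address sits relative to the broadcast domain, which is the distinction a detector can key on. The following script is an added example, not BlackICE or Network ICE code: it reads a small, constructed packet log, flags requests for the echo-style services listed above that are addressed to a broadcast address, and labels them as mapping (source on the local segment) or as fraggle staging (source off the segment, so every reply would leave the segment towards what is probably a spoofed victim). The subnet 10.20.0.0/22, the log format and the sample lines are assumptions made for this example.

```python
"""Detector for broadcast-directed echo-service requests (the traffic pattern
behind the "Possible Fraggle attack initiated" alert).

Added illustrative code, not BlackICE / Network ICE code. The log format,
the protected subnet and the sample lines below are constructed for this example.
"""
import ipaddress
from collections import Counter, namedtuple

# UDP services that reply to whatever address a datagram claims to come from.
REFLECTOR_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}
ICMP_ECHO_REQUEST = 8          # ICMP type sent by 'ping' (and used by smurf)

# Assumption: the protected segment is 10.20.0.0/22 (broadcast 10.20.3.255).
LOCAL_SUBNETS = [ipaddress.ip_network("10.20.0.0/22")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

Record = namedtuple("Record", "proto src dst num")   # num = UDP dport or ICMP type

# Constructed sample log: "<proto> <src> <dst> <dport-or-icmp-type>" per line.
SAMPLE_LOG = """\
udp 10.20.1.5 10.20.3.255 7
udp 10.20.1.5 10.20.3.255 7
udp 10.20.1.5 10.20.3.255 7
udp 10.20.1.5 255.255.255.255 7
udp 198.51.100.9 10.20.3.255 7
udp 198.51.100.9 10.20.3.255 7
udp 198.51.100.9 10.20.3.255 19
icmp 203.0.113.4 10.20.3.255 8
icmp 10.20.2.7 10.20.2.9 8
udp 10.20.2.7 10.20.2.9 7
tcp 10.20.1.5 10.20.2.9 80
this line is malformed
"""


def parse_record(line):
    """Parse one log line; return a Record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Record(parts[0].lower(), ipaddress.ip_address(parts[1]),
                      ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None


def reflector_service(rec):
    """Name of the echo-style service a packet targets, or None."""
    if rec.proto == "udp":
        return REFLECTOR_PORTS.get(rec.num)
    if rec.proto == "icmp" and rec.num == ICMP_ECHO_REQUEST:
        return "icmp-echo"
    return None


def is_broadcast(addr, subnets):
    """True for the limited broadcast or any protected subnet's directed broadcast."""
    return addr == LIMITED_BROADCAST or any(addr == n.broadcast_address for n in subnets)


def classify(rec, subnets):
    """Return ("mapping", svc), ("fraggle_staging", svc) or (None, None).

    A broadcast echo request from a source on the local segment looks like
    neighbour discovery; one from a source off the segment means every reply
    will leave the segment towards that source, so the source is probably
    spoofed and is the intended flood victim.
    """
    svc = reflector_service(rec)
    if svc is None or not is_broadcast(rec.dst, subnets):
        return None, None
    local = any(rec.src in n for n in subnets)
    return ("mapping" if local else "fraggle_staging"), svc


def analyze(log_text, subnets=LOCAL_SUBNETS):
    """Tally broadcast echo requests by category; 'skipped' counts unparsable lines."""
    mapping, staging, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        category, svc = classify(rec, subnets)
        if category == "mapping":
            mapping[str(rec.src)] += 1
        elif category == "fraggle_staging":
            staging[(str(rec.src), svc)] += 1
    return {"mapping": mapping, "fraggle_staging": staging, "skipped": skipped}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, n in result["mapping"].items():
        print(f"mapping: {src} sent {n} broadcast echo request(s) (neighbour discovery)")
    for (victim, svc), n in result["fraggle_staging"].items():
        print(f"fraggle staging: {n} broadcast {svc} request(s) claim to be from {victim}; "
              f"replies would flood that address")
    print(f"{result['skipped']} malformed line(s) skipped")
```

Unicast echo requests (the last three well-formed sample lines) are deliberately ignored: a single host pinging another is ordinary traffic, and it is the broadcast destination that turns one request into a reply from every listening host on the segment. On the sample input the script reports four mapping requests from 10.20.1.5 and four staging requests whose claimed sources are 198.51.100.9 and 203.0.113.4.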
Version appeared: 1.8.5.5