DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

ISP DHCP Seen as Fraggle Attack - Firewall Rules to Ignore

  • markcub
  • Topic Author
  • Offline
  • New Member
  • New Member
More
17 Aug 2011 15:18 #69064 by markcub
Hello guys,

I have a DrayTek Vigior 2110n, and I think it is great :-)

I recently turned on all the DoS Defense in the firewall, and it has caused me a couple of problems.

Firstly, my Vodafone SureSignal (femtocell) traffic was at least once a day being incorrectly fingered as a UDP flood attack. The resultant defense was causing all sorts of issues with my Internet connection. I created a set of IP Objects for the Vodafone servers, and a Service Objects with the ports etc., created a Data Filter, and all runs fine. The DoS defenses no longer label the femtocall traffic as an attack and my Internet connection remains steady - wahey.

The second mislabelling I am having with the DoS is a my ISP (Virgin Media) sending out DHCP information over broadcast (255.255.255.255). The DoS is seeing this as a fraggle attack. This is filling my syslog up with loads of rubbish. So I thought, well, I'll create a rule like I did for the Vodafone SureSignal, and I'll just get it to ignore it and not log.

I cannot for the life of me get it to work. I create the IP Object with the IP address of the DHCP server that is spamming 255.255.255.255, I create a service object that shows it coming from port 67 -> 68 UDP (as shown in the fraggle attack message), and it does not work.

I *think* it is because when I create the Data Filter entry, it forces to me say that the traffic is coming from WAN -> LAN... but I don't think it is seeing this DHCP broadcast as doing that.. but there is no way for the filter to say ANY for the direction.

Does anyone have any ideas how I could go about this?

Kind regards,
Mark.

Please Log in or Create an account to join the conversation.

  • markcub
  • Topic Author
  • Offline
  • New Member
  • New Member
More
22 Aug 2011 11:13 #69109 by markcub
Hi guys,

It seems no-one has an answer for this? :-)

Oh well, I'll send in an support email and see if I can get it sorted that way. I'll report back here so everyone can (hopefully) see the solution.

Thanks a lot,
Mark.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami