An attack or just a confused device on the LAN?

etomcat Posts: 1,318 Superuser

Dear All,

What do you think about this FSCS Internet Shield pop-up warning screenshot?

My theory is, it's not a "too short datagram" hacker attack, but maybe somebody brought a new device into the school's network, which is unable to obtain an IP address from DHCP, so it gave itself an IPv6 SLAAC address (FE80:...) and is sending Simple Service Discovery Protocol multicast announcements to the Link-local sphere (target address "FF02::C") for whatever reasons.

On the other hand, this kind of traffic apparently has something to do with UPnP, so I'm a bit worried.

I think the customer could tick the box for "No longer show alert" as seen in the local UI screenshot and have the event blocked silently.

Is it a good idea to reduce the "block IP fragments shorter than" value from the default value of 128 or even enter 0 to turn it off? It was only ever necessary some years ago with GSM (mobile network) based net access, as far as I remember.

 

Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

 

*****************

 

[Image: Screenshot of local GUI]
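The theory in the question above (a link-local source announcing over SSDP to FF02::C) can be checked against a captured packet. The following is an added example, not part of the original post and not F-Secure code; the function names, the constructed sample packet and UDP port 1900 (the standard SSDP port, which the thread does not state) are assumptions, and extension headers other than Fragment are not handled.

```python
import ipaddress
import struct

SSDP_LINK_LOCAL = ipaddress.IPv6Address("ff02::c")  # destination quoted in the post
SSDP_PORT = 1900  # assumption: standard SSDP UDP port, not stated in the thread


def build_sample(src: str = "fe80::1") -> bytes:
    """Constructed sample: IPv6/UDP SSDP NOTIFY sent to [ff02::c]:1900."""
    body = b"NOTIFY * HTTP/1.1\r\nHOST: [FF02::C]:1900\r\nNTS: ssdp:alive\r\n\r\n"
    # UDP checksum left at 0: good enough for parsing, not valid on the wire.
    udp = struct.pack("!HHHH", 49152, SSDP_PORT, 8 + len(body), 0) + body
    header = struct.pack("!IHBB", 6 << 28, len(udp), 17, 1)
    return header + ipaddress.IPv6Address(src).packed + SSDP_LINK_LOCAL.packed + udp


def triage(packet: bytes) -> dict:
    """Summarise a raw IPv6 packet and say whether it fits the benign theory."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return {"verdict": "not a complete IPv6 header"}
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    info = {"src_link_local": src.is_link_local, "dst": str(dst),
            "payload_len": payload_len, "fragment": False, "dport": None}
    offset = 40
    if next_header == 44 and len(packet) >= 48:  # Fragment extension header
        next_header, _, off_flags = struct.unpack("!BBH", packet[40:44])
        info["fragment"] = True
        offset = 48
        if off_flags >> 3:  # non-first fragment carries no UDP header
            next_header = None
    if next_header == 17 and len(packet) >= offset + 8:  # UDP
        info["dport"] = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    benign = (info["src_link_local"] and dst == SSDP_LINK_LOCAL
              and info["dport"] == SSDP_PORT)
    info["verdict"] = "link-local SSDP multicast" if benign else "needs a closer look"
    return info


if __name__ == "__main__":
    print(triage(build_sample()))
```

A "needs a closer look" verdict only means the packet does not match the link-local SSDP pattern; it says nothing about how Internet Shield itself evaluates fragment length.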

Comments

  • Laksh Posts: 4,432 Community Manager

    Hi Tamas,

     

    May I recommend contacting support regarding this case? You can provide the debug logs of Internet Shield collected at that moment (when the alert appears again), so that might shed more light on the situation.

This discussion has been closed.