An attack on just a confused device on the LAN?

etomcat
etomcat Posts: 1,319 Superuser
in Business Security

Dear All,

What do you think about this FSCS Internet Shield pop-up warning screenshot?

My theory is, it's not a "too short datagram" hacker attack, but maybe somebody brought a new device into the school's network, which is unable to obtain an IP address from DHCP, so it gave itself an IPv6 SLAAC address (FE80:...) and is sending Simple Service Discovery Protocol multicast announcements to the Link-local sphere (target address "FF02::C") for whatever reasons.

On the other hand, this kind of traffic apparently has something to do with UPnP, so I'm a bit worried.

I think the customer could tick the box for "No longer show alert" as seen in the local UI screenshot and have the event blocked silently.

Is it a good idea to reduce the "block IP fragments shorter than" value from the default value of 128 or even enter 0 to turn it off? It was only ever necessary some years ago with GSM (mobile network) based net access, as far as I remember.

 

Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

 

*****************

 

image001.jpgScreenshot of local GUI

Like

Comments

  • Laksh
    Laksh Posts: 4,443 Former F-Secure Employee

    Hi Tamas,

     

    May I recommend to contact support regarding this case? You can provide the debug logs of Internet Shield collected at that moment (when the alert appear again) so that might shed more light on the situation.

    Like
This discussion has been closed.

Categories