Deny IP due to Land Attack


This post covers the Land attack and the related troubleshooting information.

What is Land attack?
A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

How do you troubleshoot?

Error Message %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address

Explanation The security appliance received a packet with the IP source address equal
to the IP destination, and the destination port equal to the source port. This message
indicates a spoofed packet that is designed to attack systems. This attack is referred to
as a Land Attack.

Recommended Action If this message persists, an attack may be in progress. The packet
does not provide enough information to determine where the attack originates.

Step 1: You need to find out the packet flow.
Step 2: To determine the packet flow, capture a pcap on all the interfaces (it will give a lot of information, including the MAC address).
Step 3: If you have a firewall deployed between the source and the destination, then the packet is already blocked. However, it will often show up in the logs as blocked.
Step 4: If you see the public IP, it may be statically NATed somewhere, so try removing the static entry and observe the logs (this is a workaround).
Step 5: You can execute the shun command on the firewall (if Cisco) to tell the device to discard the packet from processing.
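
To judge whether the message "persists" and which address to chase in Steps 4 and 5, the 106017 lines can be tallied per address. The script below is an added example, not part of the original post or Cisco's documentation; the function name, the threshold of 3 hits and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Syslog 106017 in both the PIX and ASA forms quoted above.
LAND_RE = re.compile(r"%(?:PIX|ASA)-2-106017: Deny IP due to Land Attack "
                     r"from (\S+) to (\S+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize_land_hits(lines, threshold=3):
    """Return [(address, hits, is_public, persistent)], most hits first.

    threshold is an assumed cut-off for "the message persists".
    """
    hits = Counter()
    for line in lines:
        m = LAND_RE.search(line)
        if not m or m.group(1) != m.group(2):
            continue  # not a 106017 line, or source and destination differ
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # placeholder or garbled address field
        hits[addr] += 1
    report = []
    for addr, count in hits.most_common():
        # Outside RFC 1918 is treated as public here: the Step 4 case,
        # where a static NAT entry is worth checking.
        is_public = not any(addr in net for net in RFC1918)
        report.append((str(addr), count, is_public, count >= threshold))
    return report

# Constructed sample log lines (host name, times and addresses are made up).
SAMPLE = [
    "Mar 01 10:00:01 fw1 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "Mar 01 10:00:02 fw1 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "Mar 01 10:00:03 fw1 %ASA-2-106017: Deny IP due to Land Attack from 192.168.1.5 to 192.168.1.5",
    "Mar 01 10:00:04 fw1 some unrelated syslog line",
    "Mar 01 10:00:05 fw1 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
]

if __name__ == "__main__":
    for addr, count, is_public, persistent in summarize_land_hits(SAMPLE):
        scope = "public, check static NAT" if is_public else "private"
        flag = "PERSISTENT" if persistent else "sporadic"
        print(f"{addr:15} hits={count} {scope} {flag}")
```

Because the logged address is spoofed, the tally identifies which of your own addresses is being hit, not where the traffic originates; the interface captures from Step 2 are still needed for that.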

References
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
http://www.cisco.com/warp/public/707/cisco-sa-19971121-land.shtml
http://insecure.org/sploits/land.ip.DOS.html

We are done..!!

Let’s meet in another topic