Land attack on PIX 6.3

Unanswered Question
Aug 12th, 2008

Hi,

I'm seeing a lot of "DENIED LAND ATTACK" messages coming from a PIX 515 v.6.3 on my CS-MARS console. I'm not a PIX expert, but couldn't spot anything.

It must have something to do with the NAT (Internet searches have pointed me to such things as DNS Doctoring and Hairpinning) implemented. I've attached both a partial config and a sample of the messages taken from the CS-MARS.

The IP 3.3.3.116 is the IP used to hide the internal network addresses (2.0.0.0/8) on the Internet.

All help is appreciated.

Joe

Farrukh Haroon Tue, 08/12/2008 - 11:09

I don't see this statement reflected in your configs?

"The IP 3.3.3.116 is the IP used to hide the internal network addresses (2.0.0.0/8) on the Internet. "?

Regards

Farrukh

joe.favia Tue, 06/09/2009 - 02:26

Sorry, I posted the wrong file, the correct one is here. The address I'm finding in the LAND ATTACK message is 21.1.139.116.

I'm having the same problem again. Thanks for your help.

Cheers,

joe

Kureli Sankar Tue, 06/09/2009 - 03:22

A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

With that said, to find the source MAC of this attack we really need to capture on the interfaces on the PIX.

access-l test permit ip host 21.1.139.116 any

access-l test permit ip any host 21.1.139.116

cap capin access-l test int inside

cap capout access-l test int outside

When the problem happens you need to apply these captures and find the source MAC for these attack packets.

If you are unsure or not comfortable with these commands, it is better to open a TAC case.

To clear captures and collect fresh packets you can do

clear cap capin

clear cap capout

To remove them completely issue

no cap capin

no cap capout

Good luck.
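
The check described in the reply above (find frames whose source host/port equals the destination host/port, then read off the source MAC), as an added example that is not part of the original thread. It assumes the captured traffic is available as raw Ethernet frames; the frames, MAC addresses and helper names below are constructed for illustration, with 21.1.139.116 and 2.0.0.0/8 taken from the thread.

```python
import socket
import struct
from collections import Counter

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Build a constructed Ethernet/IPv4/TCP SYN frame (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip + tcp

def land_source_mac(frame):
    """Return the source MAC of a LAND-pattern frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet II + IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    if ip[12:16] != ip[16:20]:  # source IP must equal destination IP
        return None
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if ip[9] in (6, 17) and first_fragment:  # TCP/UDP: ports must match too
        if len(ip) < ihl + 4:
            return None
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if sport != dport:
            return None
    # Other protocols have no ports; equal addresses alone are reported.
    return ":".join(f"{b:02x}" for b in frame[6:12])

def tally_land_sources(frames):
    """Count LAND-pattern frames per source MAC."""
    return Counter(m for m in map(land_source_mac, frames) if m)

# Constructed sample frames (MACs from the 00:00:5e:00:53:xx documentation range).
GW = "00005e0053ff"
FRAMES = [
    build_frame("00005e005301", GW, "21.1.139.116", "21.1.139.116", 80, 80),
    build_frame("00005e005301", GW, "21.1.139.116", "21.1.139.116", 53, 53),
    build_frame("00005e005302", GW, "2.0.0.10", "21.1.139.116", 40000, 80),
    build_frame("00005e005302", GW, "21.1.139.116", "21.1.139.116", 40000, 80),
]

if __name__ == "__main__":
    for mac, count in tally_land_sources(FRAMES).items():
        print(mac, count)
```

The source MAC identifies the last layer-2 hop toward the firewall, which is the originating host only when that host sits on the same segment as the captured interface.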

sachinraja Wed, 06/17/2009 - 07:27

Will we be able to see the MAC address of the host with the cap command? I have a similar problem here. If the cap command can show me the source MAC, I think I don't need to run a sniffer spanning the inside interface of the FW. The attack seems to be from sniffed IP 0.1.0.5!

Raj
