Land attack on PIX 6.3

Unanswered Question
Aug 12th, 2008


I'm seeing a lot of "DENIED LAND ATTACK" messages coming from a PIX 515 v.6.3 on my CS-MARS console. I'm not a PIX expert, but couldn't spot anything.

It must have something to do with the NAT (Internet searches have pointed me to such things as DNS Doctoring and Hairpinning) implemented. I've attached both a partial config and a sample of the messages taken from the CS-MARS.

The IP is the IP used to hide the internal network addresses ( on the Internet.

All help is appreciated.


Farrukh Haroon Tue, 08/12/2008 - 11:09

I don't see this statement reflected in your configs?

"The IP is the IP used to hide the internal network addresses ( on the Internet. "?



joe.favia Tue, 06/09/2009 - 02:26

Sorry, I posted the wrong file, the correct one is here. The address I'm finding in the LAND ATTACK message is

I'm having the same problem again. Thanks for your help.



Kureli Sankar Tue, 06/09/2009 - 03:22
Cisco Employee

A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

With that said, to find the source MAC of this attack we really need to capture on the interfaces on the PIX.

access-l test permit ip host any

access-l test permit ip any host

cap capin access-l test int inside

cap capout access-l test int outside

When the problem happens, you need to apply these captures and find the source MAC for these attack packets.

If you are unsure or not comfortable with these commands, it is better to open a TAC case.

To clear captures and collect fresh packets you can do

clear cap capin

clear cap capout

To remove them completely, issue

no cap capin

no cap capout

Good luck.
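
Added example, not part of the original thread or of any Cisco tooling: a Python check that applies the host/port definition given in the reply above to raw Ethernet frames and counts matches per source MAC. It assumes the captured frames have already been exported as raw bytes; the function names are hypothetical, the sample frames are constructed, and treating non-TCP/UDP packets with equal addresses as a match is a choice made for this example.

```python
import socket
import struct
from collections import Counter

def land_match(frame: bytes):
    """Return (src_mac, ip, port) when an Ethernet/IPv4 frame has source
    host/port equal to destination host/port, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 over Ethernet II only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                             # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    if ip[12:16] != ip[16:20]:                           # source IP differs from destination IP
        return None
    port = None
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    # Ports exist only for TCP (6) / UDP (17) and only in the first fragment.
    if ip[9] in (6, 17) and first_fragment and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if sport != dport:
            return None
        port = sport
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])  # bytes 6..11 = source MAC
    return src_mac, socket.inet_ntoa(ip[12:16]), port

def source_macs(frames):
    """Count matching frames per source MAC."""
    return Counter(m[0] for m in map(land_match, frames) if m)

def make_frame(src_mac, src_ip, dst_ip, sport, dport, proto=6):
    """Build a constructed Ethernet + IPv4 + 4-byte port header for the demo."""
    eth = bytes.fromhex("020000000099") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!HH", sport, dport)

# Constructed sample capture (documentation addresses, locally administered MACs).
SAMPLE = [
    make_frame("02:00:00:00:00:01", "192.0.2.10", "192.0.2.10", 80, 80),      # match (TCP)
    make_frame("02:00:00:00:00:01", "192.0.2.10", "192.0.2.10", 53, 53, 17),  # match (UDP)
    make_frame("02:00:00:00:00:02", "192.0.2.10", "192.0.2.10", 1025, 80),    # same host, ports differ
    make_frame("02:00:00:00:00:03", "198.51.100.5", "192.0.2.10", 80, 80),    # ordinary traffic
]

if __name__ == "__main__":
    for mac, count in source_macs(SAMPLE).items():
        print(mac, count)
```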

sachinraja Wed, 06/17/2009 - 07:27

Will we be able to see the MAC address of the host with the cap command? I have a similar problem here. If the cap command can show me the source MAC, I think I don't need to run a sniffer, spanning the inside interface of the FW. The attack seems to be from sniffed IP!


