cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
693
Views
0
Helpful
4
Replies

Land attack on PIX 6.3

joe.favia
Level 1
Level 1

Hi,

I'm seeing a lot of "DENIED LAND ATTACK" messages coming from a PIX 515 v.6.3 on my CS-MARS console. I'm not a PIX expert, but couldn't spot anything.

It must have something to do with the NAT (Internet searches have pointed my to such things as DNS Doctoring and Hairpinning) implemented. I've attached both a partial config and a sample of the messages taken from the CSMARS.

The IP 3.3.3.116 is the IP used to hide the internal network addresses (2.0.0.0/8) on the Internet.

All help is appreciated.

Joe

4 Replies 4

Farrukh Haroon
VIP Alumni
VIP Alumni

I don't see this statement reflected in your configs?

"The IP 3.3.3.116 is the IP used to hide the internal network addresses (2.0.0.0/8) on the Internet. "?

Regards

Farrukh

joe.favia
Level 1
Level 1

Sorry, I posted the wrong file, the correct one is here. The address I'm finding in the LAND ATTACK message is 21.1.139.116.

I'm having the same problem again. Thanks for your help.

Cheers,

joe

A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

With that said, to find the source mac of this attack we really need to capture on the interfaces on the PIX.

access-l test permit ip host 21.1.139.116 any

access-l test permit ip any host 21.1.139.116

cap capin access-l test int inside

cap capout access-l test int outside

When the problem happens you need to apply these captures and find the source mac for these attack packets.

If you are unsure or or not comfortable with these commands, it is better to open a tac case.

to clear captures and collect fresh packets you can do

clear cap capin

clear cap capout

to remove them completely issue

no cap capin

no cap capout

Good luck.

Will we be able to see the MAC address of the host with the cap command ? I have similar problem here.. if cap command can show me the source mac, i think i dont need to run a sniffer , spanning the inside interface of the FW.. The attack seems to be from sniffed IP 0.1.0.5 !

Raj

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: