Land Attack - ASA 5520

Unanswered Question
Jan 27th, 2009
I am receiving hundreds of the following messages in the ASA 5520 log:

"Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0"


Can it be related to another message I am receiving in the ASA 5520 log, which is:

"UDP request discarded from 10.80.48.246/24678 to ProdZone:255.255.255.255/24677"?


Strange thing is that IP address 10.80.48.246 doesn't exist on my network.

I am receiving such messages from many different IP addresses and none of them is used on my network.


Any ideas?

Help appreciated

Jithesh K Joy Tue, 01/27/2009 - 22:09
Hi

It is a DoS attack. The program (known as land.c) sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.

But ASA is not vulnerable to this attack. But please keep monitoring your network traffic.


Thanks

Jithesh


zbigniewkozyra Tue, 01/27/2009 - 22:37

Is it possible that these attacks are coming from infected PCs on my network? Does any antivirus detect land.c?


Are these udp messages which I showed in my initial post relevant to the DoS


Thank you for your help. I appreciate it.

Jithesh K Joy Wed, 01/28/2009 - 01:06

Yes it is possible from your inside LAN if any host is compromised. Land attack is an old virus attack and most of the Antivirus tools will help you. Those UDP logs are also a part of this attack.


Thanks
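
To follow the advice to keep monitoring, the two message types quoted in this thread can be tallied per source to see which addresses fall outside the known address plan. This is an added example, not part of any post in the thread; the regexes match only the message text quoted above, and `SAMPLE`, `KNOWN` and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message texts exactly as quoted in the thread; anything before them on a line is ignored.
LAND_RE = re.compile(r"Deny IP due to Land Attack from (\S+) to (\S+)")
UDP_RE = re.compile(r"UDP request discarded from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")

def is_land(src_ip, src_port, dst_ip, dst_port):
    """Land condition from the reply: same address and same port on both ends."""
    return src_ip == dst_ip and src_port == dst_port

def summarize(lines, known_networks):
    """Count Land denies per (src, dst) and discarded UDP per source outside known_networks."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    land, unknown_udp = Counter(), Counter()
    for line in lines:
        m = LAND_RE.search(line)
        if m:
            land[(m.group(1), m.group(2))] += 1
            continue
        m = UDP_RE.search(line)
        if m:
            src = ipaddress.ip_address(m.group(1))
            if not any(src in net for net in nets):
                unknown_udp[str(src)] += 1
    return land, unknown_udp

# Constructed sample: the two messages from the thread plus one made-up in-inventory source.
SAMPLE = [
    "Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0",
    "Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0",
    "UDP request discarded from 10.80.48.246/24678 to ProdZone:255.255.255.255/24677",
    "UDP request discarded from 192.168.10.5/24678 to ProdZone:255.255.255.255/24677",
]
KNOWN = ["192.168.10.0/24"]  # hypothetical address plan, replace with your own subnets

if __name__ == "__main__":
    land, unknown = summarize(SAMPLE, KNOWN)
    for pair, n in land.most_common():
        print(f"land deny {pair[0]} -> {pair[1]}: {n}")
    for src, n in unknown.most_common():
        print(f"UDP discard from source outside inventory {src}: {n}")
```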
