Land Attack - ASA 5520

amarula115 · ‎01-27-2009

I am receiving hundreds of the following messages in ASA 5520 log:

"Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0"

Can it be related to another messages I am receiving in ASA5520 log which is:

"UDP request discarded from 10.80.48.246/24678 to ProdZone:255.255.255.255/24677"?

Strange thing is that IP address 10.80.48.246 doesn't exist on my network.

I am receiving such messange from many different IP addresses and none of them is used on my network.

Any ideas?

Help appreciated

Jithesh K Joy · ‎01-27-2009

Hi

It is a DoS attack.The program(known as land.c) sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.

But ASA is not vulnerable to this attack.But please keep monitoring your network traffic.

Thanks

Jithesh

amarula115 · ‎01-27-2009

Is it possibile that these attacks are coming from infected PCs on my network? Does any antivirus detects land.c ?

Are these udp messages which I showed in my initial post relevant to the DoS

Thank you for your help. I appreciate

Jithesh K Joy · ‎01-28-2009

Yes it is possible from your inside LAN if any host is compromised. Land attack is an old virus attack and most of the Antivirus tools will help you. Those UDP logs are also a part of this attack.

Thanks