01-27-2009 09:53 PM - edited 03-11-2019 07:42 AM
I am receiving hundreds of the following messages in ASA 5520 log:
"Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0"
Can it be related to another message I am receiving in ASA5520 log which is:
"UDP request discarded from 10.80.48.246/24678 to ProdZone:255.255.255.255/24677"?
Strange thing is that IP address 10.80.48.246 doesn't exist on my network.
I am receiving such messages from many different IP addresses and none of them is used on my network.
Any ideas?
Help appreciated
01-27-2009 10:09 PM
Hi
It is a DoS attack. The program (known as land.c) sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.
But ASA is not vulnerable to this attack. But please keep monitoring your network traffic.
Thanks
Jithesh
01-27-2009 10:37 PM
Is it possible that these attacks are coming from infected PCs on my network? Does any antivirus detect land.c?
Are these udp messages which I showed in my initial post relevant to the DoS
Thank you for your help. I appreciate it.
01-28-2009 01:06 AM
Yes it is possible from your inside LAN if any host is compromised. Land attack is an old virus attack and most of the Antivirus tools will help you. Those UDP logs are also a part of this attack.
Thanks
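Added example, not part of any post in this thread: a small Python triage script that tallies the two message types quoted above, lists UDP sources that fall outside the subnets you actually use, and checks whether the two message types share any source address. The `KNOWN_NETS` subnet, the timestamps, and the `192.168.10.15` host in the sample are constructed assumptions; only the message texts come from the thread.

```python
import ipaddress
import re
from collections import Counter

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Message texts as quoted in the thread; any syslog prefix is ignored.
LAND_RE = re.compile(rf"Deny IP due to Land Attack from {IP} to {IP}")
UDP_RE = re.compile(rf"UDP request discarded from {IP}/(\d+) to (\w+):{IP}/(\d+)")

# Assumption: replace with the subnets really deployed behind the ASA.
KNOWN_NETS = [ipaddress.ip_network("192.168.10.0/24")]

def triage(lines, known_nets=KNOWN_NETS):
    """Count both message types and flag sources outside known subnets."""
    land, udp = Counter(), Counter()
    for line in lines:
        m = LAND_RE.search(line)
        if m:
            land[(m.group(1), m.group(2))] += 1
            continue
        m = UDP_RE.search(line)
        if m:
            src, _sport, iface, dst, dport = m.groups()
            udp[(src, iface, dst, int(dport))] += 1
    udp_sources = {key[0] for key in udp}
    unknown = sorted(
        s for s in udp_sources
        if not any(ipaddress.ip_address(s) in n for n in known_nets)
    )
    # Sources seen in both message types; empty means the logs alone
    # do not tie the two events to the same sender.
    shared = sorted(udp_sources & {key[0] for key in land})
    return {"land": land, "udp": udp, "unknown_sources": unknown,
            "shared_sources": shared}

# Constructed sample lines built from the messages quoted in the thread.
SAMPLE = [
    "Jan 27 2009 21:50:01: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0",
    "Jan 27 2009 21:50:01: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0",
    "Jan 27 2009 21:50:02: UDP request discarded from 10.80.48.246/24678 to ProdZone:255.255.255.255/24677",
    "Jan 27 2009 21:50:03: UDP request discarded from 192.168.10.15/24678 to ProdZone:255.255.255.255/24677",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key, count in report["land"].items():
        print("land", key, count)
    for key, count in report["udp"].items():
        print("udp", key, count)
    print("sources outside known subnets:", report["unknown_sources"])
    print("sources in both message types:", report["shared_sources"])
```

Sources reported as outside the known subnets are the ones to trace on the switch side (MAC and port), since the ASA log alone does not show which physical host sent them.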