
New Member

Land attack on PIX 6.3


I'm seeing a lot of "DENIED LAND ATTACK" messages coming from a PIX 515 v.6.3 on my CS-MARS console. I'm not a PIX expert, but couldn't spot anything.

It must have something to do with the NAT (Internet searches have pointed me to such things as DNS Doctoring and Hairpinning) implemented. I've attached both a partial config and a sample of the messages taken from the CSMARS.

The IP is the IP used to hide the internal network addresses ( on the Internet.

All help is appreciated.



Re: Land attack on PIX 6.3

I don't see this statement reflected in your configs?

"The IP is the IP used to hide the internal network addresses ( on the Internet. "?



New Member

Re: Land attack on PIX 6.3

Sorry, I posted the wrong file, the correct one is here. The address I'm finding in the LAND ATTACK message is

I'm having the same problem again. Thanks for your help.



Cisco Employee

Re: Land attack on PIX 6.3

A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

With that said, to find the source MAC of this attack we really need to capture on the interfaces on the PIX.

access-l test permit ip host any

access-l test permit ip any host

cap capin access-l test int inside

cap capout access-l test int outside

When the problem happens, you need to apply these captures and find the source MAC for these attack packets.

If you are unsure or not comfortable with these commands, it is better to open a TAC case.

To clear captures and collect fresh packets, you can do:

clear cap capin

clear cap capout

To remove them completely, issue:

no cap capin

no cap capout

Good luck.
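The check described in the reply above (source host/port equal to destination host/port, then read the source MAC), as an added example that is not part of the original thread or Cisco's code. It assumes the captured packets are available as raw Ethernet II frames; the helper `build_frame` and all sample frames, addresses and MACs are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def land_match(frame):
    """Return (src_mac, ip, port) if an Ethernet II frame has source
    host/port equal to destination host/port, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20:
        return None
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[23] not in (6, 17) or frag_offset:  # TCP/UDP, first fragment
        return None
    l4 = 14 + ihl
    if len(frame) < l4 + 4:  # truncated before the port fields
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    if frame[26:30] != frame[30:34] or sport != dport:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, socket.inet_ntoa(frame[26:30]), sport

def source_macs(frames):
    """Count LAND-condition frames per source MAC address."""
    return Counter(hit[0] for hit in map(land_match, frames) if hit)

def build_frame(src_mac, src_ip, dst_ip, sport, dport, proto=6):
    """Build a constructed test frame (not a real capture)."""
    eth = bytes.fromhex("020000000001" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)

# Constructed sample: RFC 5737 addresses, locally administered MACs.
SAMPLE = [
    build_frame("02:00:00:00:00:aa", "192.0.2.10", "192.0.2.10", 80, 80),
    build_frame("02:00:00:00:00:aa", "192.0.2.10", "192.0.2.10", 53, 53, 17),
    build_frame("02:00:00:00:00:bb", "192.0.2.20", "192.0.2.10", 1025, 80),
    build_frame("02:00:00:00:00:cc", "192.0.2.10", "192.0.2.10", 1025, 80),
    build_frame("02:00:00:00:00:aa", "192.0.2.10", "192.0.2.10", 80, 80)[:36],
    bytes(12) + b"\x08\x06" + bytes(28),  # ARP frame, ignored
]

if __name__ == "__main__":
    for mac_addr, count in source_macs(SAMPLE).items():
        print(mac_addr, count)
```

The MAC in a matching frame belongs to the last layer-2 device that forwarded it onto the captured segment, which may be a router rather than the originating host.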

Re: Land attack on PIX 6.3

Will we be able to see the MAC address of the host with the cap command? I have a similar problem here. If the cap command can show me the source MAC, I think I don't need to run a sniffer spanning the inside interface of the FW. The attack seems to be from sniffed IP!