
pix how to NOT block the LAND ATTACK

ROBERTO TACCON
Level 4

Hi to All,

How can I configure a PIX version 8.0(4) to NOT block the LAND ATTACK?

pix# sh log | i 17.12.18.24

Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24

Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59790 duration 0:00:00 bytes 0 looping-address

I've already disabled signature 1102

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1102&signatureSubId=0&softwareVersion=6.0&releaseVersion=S473

pix# sh run | i audit

ip audit signature 1102 disable

pix#

but the drops continue ...

pix# sh log | i 17.12.18.24

Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24

Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59891 duration 0:00:00 bytes 0 looping-address

Thanks

Roberto Taccon

2 Replies

Marcin Latosiewicz
Cisco Employee

Roberto,


Can you please attach a show tech and a sniffer trace of this traffic? Is it only this one host reporting the problem (source or destination)?

Those can be caused by misconfig ... or bugs ...

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd99542

Marcin

Panos Kampanakis
Cisco Employee

Roberto,

The Land attack drops unfortunately cannot be blocked. They are in the basic L3 checks the firewall does and you can stop them.

But I don't see a reason why you would want to allow these packets.

PK
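
For triaging the messages quoted in this thread, the following added example (not written by any poster and not Cisco code) pairs each 106017 Land Attack deny with the 302014 teardown logged in the same second, so the affected peer and the teardown reason can be read together. The regexes are written from the log lines in the first post and assume IPv4 and that timestamp format; `correlate` and its field names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the first post in this thread.
SAMPLE = """\
Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24
Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59790 duration 0:00:00 bytes 0 looping-address
Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24
Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59891 duration 0:00:00 bytes 0 looping-address
"""

TS = r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
LAND = re.compile(
    rf"^{TS}: %(?:PIX|ASA)-2-106017: "
    r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)$")
TEARDOWN = re.compile(
    rf"^{TS}: %(?:PIX|ASA)-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if1>[^:\s]+):(?P<ip1>[^/\s]+)/(?P<p1>\d+) to "
    r"(?P<if2>[^:\s]+):(?P<ip2>[^/\s]+)/(?P<p2>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")

def correlate(text):
    """Pair every Land Attack deny with same-second teardowns that involve
    the denied address, and report the other endpoint of that connection."""
    denies, teardowns = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if m := LAND.match(line):
            denies.append(m.groupdict())
        elif m := TEARDOWN.match(line):
            teardowns[m["ts"]].append(m.groupdict())
    findings = []
    for d in denies:
        for t in teardowns.get(d["ts"], []):
            ends = [(t["if1"], t["ip1"], t["p1"]), (t["if2"], t["ip2"], t["p2"])]
            if not any(ip == d["src"] for _, ip, _ in ends):
                continue  # teardown unrelated to the denied address
            # Peer = the endpoint that is not the denied address.
            peer = next((e for e in ends if e[1] != d["src"]), ends[1])
            findings.append({
                "ts": d["ts"], "address": d["src"],
                "same_src_dst": d["src"] == d["dst"],
                "conn": t["conn"], "peer": f"{peer[0]}:{peer[1]}/{peer[2]}",
                "bytes": int(t["bytes"]), "reason": t["reason"]})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```
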
