Solved

land attack

Posted on 2006-06-22
3
805 Views
Last Modified: 2008-01-16
i see an impossible ip packet alert being triggered on the cisco ips sensors.  the traffic is from and to one of the domain controllers on udp port 138.  this may be indicative of land attack but it is happening on a couple of servers.  also, the servers are properly patched and nothing malacious was detected on the servers.  the other servers are not DCs.

does anyone know more about this?

thanks,
netgeek
0
Comment
Question by:net-geek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 50 total points
ID: 16963164
There are false positives with most IDS and IPS systems, but this error has occured with Snort IDS sig's in the past
http://www.snort.org/archive-3-1767.html
http://support.microsoft.com/kb/188001

They could be spoofed, if possible, install wireshark (formerly ethereal) on the pc's in question and see if they are actaully sending that data, or span the port of these pc's to a sniffer to see if they are infact comming from that pc.
The LAND attack is a variation on the SYN attack. In the LAND attack, instead of sending
SYN packets with IP addresses that do not exist, the flood of SYN packets all have the same
spoof IP address—that of the targeted computer. The LAND attack can be prevented by filtering
out incoming packets for which source IP addresses appear to be from computers on the internal
network
-rich
0
 

Author Comment

by:net-geek
ID: 17003679
ok, thanks.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17005173
Were you able to confirm that the traffic was definatly comming from the source that your IDS said it was? Just curious.
-rich
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ready for our next Course of the Month? Here's what's on tap for June.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month11 days, 12 hours left to enroll

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question