Solved

RDP Server Land Attack

Posted on 2014-04-07
7
1,750 Views
Last Modified: 2014-04-10
I've been receiving a few of these alert messages every other day for a week. I have a Sonicwall TZ210W firewall.

The firewall has the latest firmware and appears to be working properly.

04/07/2014 13:32:27.880 - Alert - Intrusion Prevention - Land attack dropped -       x.x.x.x, 11, X1 - x.x.x.x, 11 -

Any idea where to start?
0
Comment
Question by:Tony Giangreco
  • 4
  • 3
7 Comments
 
LVL 7

Accepted Solution

by:
Lee Ingalls earned 500 total points
Comment Utility
I have the same Sonicwall TZ210...

A dropped event is a service that is denied entry into the SonicWALL because it
violates configured or default security policies. No response is returned to the sender of the  event.

"Land Attack Dropped - The SonciWALL has detected and blocked SYN packets whose
source IP addresses are spoofed to be the same as the destination IP addresses".

Review:
Firewall Service Objects
Security Services - Intrusion Prevention - IPS Policies

Are you doing VoIP?
0
 
LVL 25

Author Comment

by:Tony Giangreco
Comment Utility
So if this starts happening constantly, I'd assume we are having a Doss attack. if not, it's just something to ignore since we don't have an origination IP. Correct?
0
 
LVL 7

Expert Comment

by:Lee Ingalls
Comment Utility
It's dropping the event without response to the originating sender. I'd say monitor and report to your Service Provider should it persist... since you'd prefer not to have that traffic at all.

I was having similar for a period of time and said something to my provider near contract renewal time and haven't seen them since.

Are you using RDP or Terminal Services through your firewall?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 25

Author Comment

by:Tony Giangreco
Comment Utility
Yes, we have five servers. 3-DC, 1 Exchange and 1 RDP/Terminal Server
0
 
LVL 7

Expert Comment

by:Lee Ingalls
Comment Utility
Make sure it's not a mis-configured or unstable RDP/TS client causing the SYN packet flood; otherwise it's most likely not a targeted DOS but rather random probing on your service providers subnet looking for unpatched MS RDP vulnerabilities.

"Your Sonicwall is stopping it at your front door; but your service provider can keep it from walking up your driveway."
0
 
LVL 25

Author Comment

by:Tony Giangreco
Comment Utility
Ok, the RDP server is a Windows 2008 r2 and all Microsoft updates have been applied to it. it' running Symantec Endpoint Protection and we have the RDP port changed so it is not a standard port that's being used.

Do you have any other suggestions that I should look into?
0
 
LVL 25

Author Comment

by:Tony Giangreco
Comment Utility
I contacted Sonicwall support. The firewall is dropping this traffic as it's designed to do. If it continues, I'll need to contact the ISP and see if they can block it from their side.

Thanks for the info.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now