RDP Server Land Attack

Posted on 2014-04-07
Last Modified: 2014-04-10
I've been receiving a few of these alert messages every other day for a week. I have a Sonicwall TZ210W firewall.

The firewall has the latest firmware and appears to be working properly.

04/07/2014 13:32:27.880 - Alert - Intrusion Prevention - Land attack dropped -       x.x.x.x, 11, X1 - x.x.x.x, 11 -

Any idea where to start?
Question by:Tony Giangreco
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3

Accepted Solution

Lee Ingalls earned 500 total points
ID: 39984107
I have the same Sonicwall TZ210...

A dropped event is a service that is denied entry into the SonicWALL because it
violates configured or default security policies. No response is returned to the sender of the  event.

"Land Attack Dropped - The SonciWALL has detected and blocked SYN packets whose
source IP addresses are spoofed to be the same as the destination IP addresses".

Firewall Service Objects
Security Services - Intrusion Prevention - IPS Policies

Are you doing VoIP?
LVL 25

Author Comment

by:Tony Giangreco
ID: 39984120
So if this starts happening constantly, I'd assume we are having a Doss attack. if not, it's just something to ignore since we don't have an origination IP. Correct?

Expert Comment

by:Lee Ingalls
ID: 39984139
It's dropping the event without response to the originating sender. I'd say monitor and report to your Service Provider should it persist... since you'd prefer not to have that traffic at all.

I was having similar for a period of time and said something to my provider near contract renewal time and haven't seen them since.

Are you using RDP or Terminal Services through your firewall?
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

LVL 25

Author Comment

by:Tony Giangreco
ID: 39984150
Yes, we have five servers. 3-DC, 1 Exchange and 1 RDP/Terminal Server

Expert Comment

by:Lee Ingalls
ID: 39984185
Make sure it's not a mis-configured or unstable RDP/TS client causing the SYN packet flood; otherwise it's most likely not a targeted DOS but rather random probing on your service providers subnet looking for unpatched MS RDP vulnerabilities.

"Your Sonicwall is stopping it at your front door; but your service provider can keep it from walking up your driveway."
LVL 25

Author Comment

by:Tony Giangreco
ID: 39984244
Ok, the RDP server is a Windows 2008 r2 and all Microsoft updates have been applied to it. it' running Symantec Endpoint Protection and we have the RDP port changed so it is not a standard port that's being used.

Do you have any other suggestions that I should look into?
LVL 25

Author Comment

by:Tony Giangreco
ID: 39991399
I contacted Sonicwall support. The firewall is dropping this traffic as it's designed to do. If it continues, I'll need to contact the ISP and see if they can block it from their side.

Thanks for the info.

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question