Tony Giangreco
RDP Server Land Attack
I've been receiving a few of these alert messages every other day for a week. I have a Sonicwall TZ210W firewall.
The firewall has the latest firmware and appears to be working properly.
04/07/2014 13:32:27.880 - Alert - Intrusion Prevention - Land attack dropped - x.x.x.x, 11, X1 - x.x.x.x, 11 -
Any idea where to start?
It's dropping the event without response to the originating sender. I'd say monitor and report to your Service Provider should it persist... since you'd prefer not to have that traffic at all.
I was having similar for a period of time and said something to my provider near contract renewal time and haven't seen them since.
Are you using RDP or Terminal Services through your firewall?
ASKER
Yes, we have five servers. 3-DC, 1 Exchange and 1 RDP/Terminal Server
Make sure it's not a misconfigured or unstable RDP/TS client causing the SYN packet flood; otherwise it's most likely not a targeted DOS but rather random probing on your service provider's subnet looking for unpatched MS RDP vulnerabilities.
"Your Sonicwall is stopping it at your front door; but your service provider can keep it from walking up your driveway."
ASKER
Ok, the RDP server is a Windows 2008 R2 and all Microsoft updates have been applied to it. It's running Symantec Endpoint Protection and we have the RDP port changed so it is not a standard port that's being used.
Do you have any other suggestions that I should look into?
ASKER
I contacted Sonicwall support. The firewall is dropping this traffic as it's designed to do. If it continues, I'll need to contact the ISP and see if they can block it from their side.
Thanks for the info.
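
Added example (not part of the original thread and not SonicWall code): a small Python script that counts "Land attack dropped" alerts per day from an exported log, so there is evidence of whether the traffic persists before contacting the ISP. The field layout is taken from the alert line quoted in the question; the MM/DD/YYYY date order, the sample lines and the addresses (documentation ranges) are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout taken from the alert line quoted in the question:
# timestamp - priority - category - message - src ip, port, iface - dst ip, port -
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<prio>\w+) - "
    r"(?P<cat>[^-]+?) - (?P<msg>.+?) - "
    r"(?P<src>[\d.]+), (?P<sport>\d+), (?P<iface>\w+) - "
    r"(?P<dst>[\d.]+), (?P<dport>\d+)\b"
)

# Constructed sample export; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
04/07/2014 13:32:27.880 - Alert - Intrusion Prevention - Land attack dropped - 203.0.113.10, 11, X1 - 203.0.113.10, 11 -
04/07/2014 18:02:11.112 - Alert - Intrusion Prevention - Land attack dropped - 203.0.113.10, 11, X1 - 203.0.113.10, 11 -
04/08/2014 09:15:40.004 - Notice - Network Access - Web access request dropped - 198.51.100.7, 51515, X1 - 203.0.113.10, 80 -
04/09/2014 02:41:03.551 - Alert - Intrusion Prevention - Land attack dropped - 203.0.113.10, 11, X1 - 203.0.113.10, 11 -
this line is truncated and should be skipped
"""

def land_drops(text):
    """Yield (date, address, port, iface) for each 'Land attack dropped' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "land attack dropped" not in m["msg"].lower():
            continue
        # A land packet carries the target's own address as its source address.
        if m["src"] != m["dst"]:
            continue
        # Assumption: the firewall logs dates as MM/DD/YYYY.
        day = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f").date()
        yield day, m["src"], int(m["sport"]), m["iface"]

def summarize(text):
    """Count drops per day so persistence can be shown to the provider."""
    per_day = Counter(day.isoformat() for day, *_ in land_drops(text))
    return dict(sorted(per_day.items()))

def persists(text, min_days=3):
    """True when drops were seen on at least min_days distinct days."""
    return len(summarize(text)) >= min_days

if __name__ == "__main__":
    for day, count in summarize(SAMPLE_LOG).items():
        print(day, count)
    print("persistent:", persists(SAMPLE_LOG, min_days=2))
```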