Land attack on PIX 6.3

joe.favia
Level 1

Hi,

I'm seeing a lot of "DENIED LAND ATTACK" messages coming from a PIX 515 v.6.3 on my CS-MARS console. I'm not a PIX expert, but couldn't spot anything.

It must have something to do with the NAT (Internet searches have pointed me to such things as DNS Doctoring and Hairpinning) implemented. I've attached both a partial config and a sample of the messages taken from the CSMARS.

The IP 3.3.3.116 is the IP used to hide the internal network addresses (2.0.0.0/8) on the Internet.

All help is appreciated.

Joe

4 Replies

Farrukh Haroon
VIP Alumni

I don't see this statement reflected in your configs?

"The IP 3.3.3.116 is the IP used to hide the internal network addresses (2.0.0.0/8) on the Internet. "?

Regards

Farrukh

joe.favia
Level 1

Sorry, I posted the wrong file, the correct one is here. The address I'm finding in the LAND ATTACK message is 21.1.139.116.

I'm having the same problem again. Thanks for your help.

Cheers,

joe

A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

With that said, to find the source MAC of this attack we really need to capture on the interfaces on the PIX.

access-list test permit ip host 21.1.139.116 any

access-list test permit ip any host 21.1.139.116

capture capin access-list test interface inside

capture capout access-list test interface outside

When the problem happens you need to apply these captures and find the source MAC for these attack packets.

If you are unsure or not comfortable with these commands, it is better to open a TAC case.

To clear the captures and collect fresh packets you can do

clear capture capin

clear capture capout

To remove them completely, issue

no capture capin

no capture capout

Good luck.
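As an added example (not part of the thread), the triage step the reply above describes, in code: given packet records like those the inside and outside captures would yield, flag the LAND pattern (source host and port identical to destination host and port) and tally offenders by capture interface and layer-2 source address, since the spoofed IP header is useless for tracing. The record layout and sample values are constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured IP packet (hypothetical record layout, constructed for this example)."""
    interface: str   # capture point: "inside" or "outside"
    src_mac: str     # layer-2 source seen by the PIX on that interface
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_land_packet(pkt: Packet) -> bool:
    """LAND: source host AND source port equal destination host AND destination port."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def land_sources(packets):
    """Count LAND packets per (interface, source MAC).

    A hit on the inside capture points at an internal host/switch port to
    investigate; a hit only on the outside capture means the traffic arrived
    from the upstream device, whose MAC is all the PIX can see.
    """
    counts = Counter((p.interface, p.src_mac) for p in packets if is_land_packet(p))
    return dict(counts)


# Constructed sample capture modelled on the thread's scenario (not real data).
SAMPLE_CAPTURE = [
    Packet("inside", "0011.2233.4455", "21.1.139.116", 80, "21.1.139.116", 80),
    Packet("inside", "0011.2233.4455", "21.1.139.116", 139, "21.1.139.116", 139),
    Packet("inside", "aabb.ccdd.0001", "2.10.20.30", 51234, "21.1.139.116", 80),   # legitimate
    Packet("inside", "0011.2233.4455", "21.1.139.116", 80, "21.1.139.116", 443),   # same host, different port: not LAND
    Packet("outside", "aabb.ccdd.0002", "21.1.139.116", 80, "21.1.139.116", 80),
]

if __name__ == "__main__":
    for (iface, mac), n in sorted(land_sources(SAMPLE_CAPTURE).items()):
        print(f"{iface:8} {mac}: {n} LAND packet(s)")
```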

Will we be able to see the MAC address of the host with the cap command? I have a similar problem here. If the cap command can show me the source MAC, I think I don't need to run a sniffer spanning the inside interface of the FW. The attack seems to be from sniffed IP 0.1.0.5!

Raj
