[Snort-sigs] ID 269:Land-Attack

Maxim Gansert braker at ...307...
Wed Jan 23 14:44:02 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

# Rule:  

Sid: 269

Summary: This Attack is an old IP-Stack exploit. The Packet has equal
Src and Dst Adresses. It is nowadays quite rare. If you find those
Packets you are definetly attacked by someone. Because of the faked
Src-Adress you can't really find out where this Packet comes from. There
are also some minor changes (variations) to this attack, where some
special FLAGS of the IP-PAcket (SYN,ACK whatever) are set or unset.

Impact: A Land Attack will freeze the those Systems which aren't well

Detailed Information: A LAND Attack was first introduced by the guys
from http://www.rootshell.com. It was one of the first and most
effective methods to freeze a system, because of the high vunerability
of the early Operating - Systems. An IP-Packet which has been created by
Land.c has equal Sre-IP and Dst-IP-Adress. Dumb implemenations of the
IP-Stack want to answer to these Packets and this will freeze the OS.

Attack Scenarios: This is a try to freeze the destination. Just
malicious code to make a DOS. Internal computers in a network are
possible victims, because there are ways to avoid those Packets from
beeing routed to the inner network.

Ease of Attack: It is quite simple. Just search for land.c, compile it
and start it.

False Positives: No False Positives

False Negatives: No False Negatives

Corrective Action: Please make sure you update your System to the latest
TCP/IP Stack. Due to the Fact that the Source-Adress is the same as the
Destination Address, someone tries to send you an IP-Packet to an inner
network from an outer network. But those Packets can be dropped by
Routers if they come from the 'outside' with an inner adress. Simply
tune your incomming-ACL on your outgoing Network interface. Most
Firewalls are also able to drop these Packets. If you can't avoid them,
patch your System.

Contributors: Braker

Additional References:

More information about the Snort-sigs mailing list