[Snort-users] Land Attack

Ashley Thomas athomas at ...5484...
Mon Dec 30 23:34:07 EST 2002


Hi,

What is the signature for a Land attack ?

All the documentation i could get hold mentioned 'Land Attack' to be a
TCP Syn packet with same Src IP/port and Dest IP/port.

http://www.cert.org/advisories/CA-1997-28.html
http://www.insecure.org/sploits/land.ip.DOS.html
http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/land.html

Then how do we classify the DoS attack packet which has same Src IP and 
Dest IP.
( lets say it is not a TCP/UDP packet -> so port is not considered )

Snort signature for Land also has considered only the IP address and not 
port.

thanks
ashley

-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.






More information about the Snort-users mailing list