[Snort-users] Land Attack

Phil Wood cpw at ...440...
Tue Dec 31 08:57:04 EST 2002


The rule in snort looks for a SYN packet with IP ident == tcp sequence (0xF1C)
which is based on the source for land.c.  You would have to peruse the hacker
source sites for that.

There is no primitive to look for source port equal to destination port.
You could write one.  %^)

On Tue, Dec 31, 2002 at 02:31:51AM -0500, Ashley Thomas wrote:
> Hi,
> 
> What is the signature for a Land attack ?
> 
> All the documentation I could get hold of mentioned 'Land Attack' to be a
> TCP SYN packet with same Src IP/port and Dest IP/port.
> 
> http://www.cert.org/advisories/CA-1997-28.html
> http://www.insecure.org/sploits/land.ip.DOS.html
> http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/land.html
> 
> Then how do we classify the DoS attack packet which has same Src IP and 
> Dest IP?
> (let's say it is not a TCP/UDP packet -> so port is not considered)
> 
> Snort signature for Land also has considered only the IP address and not 
> port.
> 
> thanks
> ashley
> 
> -- 
> Ashley Thomas
> Research scientist
> College of Computing
> Georgia Tech.

-- 
Phil Wood, cpw at ...440...
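
An added example (not part of the original post and not Snort code): a Python classifier that keeps apart the three checks discussed in this thread, namely same source/destination IP for any protocol, the same-IP/same-port SYN definition quoted in the question, and the land.c constants the reply describes. It assumes the reply means IP ident and TCP sequence are both 0xF1C; the function names and the sample packets in the test are constructed for illustration.

```python
import socket
import struct

LAND_C_MAGIC = 0xF1C  # value the reply gives for IP ident and TCP sequence (assumed: both)

def classify(pkt: bytes) -> set:
    """Return the Land-related indicators present in one raw IPv4 packet."""
    hits = set()
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return hits                      # too short or not IPv4
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return hits                      # malformed header length
    ident, frag = struct.unpack("!HH", pkt[4:8])
    proto, l4 = pkt[9], pkt[ihl:]
    same_ip = pkt[12:16] == pkt[16:20]
    if same_ip:
        hits.add("same_ip")              # protocol-independent: ICMP, GRE, ...
    if frag & 0x1FFF:
        return hits                      # later fragment: no transport header
    same_port = False
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        same_port = sport == dport
        if same_port:
            hits.add("same_port")
    if proto == socket.IPPROTO_TCP and len(l4) >= 14:
        seq, = struct.unpack("!I", l4[4:8])
        syn_only = (l4[13] & 0x3F) == 0x02
        if syn_only and same_ip and same_port:
            hits.add("land")             # definition quoted in the question
        if syn_only and ident == LAND_C_MAGIC and seq == LAND_C_MAGIC:
            hits.add("land_c_fingerprint")   # tool-specific constants only
    return hits

def ipv4(src, dst, proto, ident, payload=b""):
    """Constructed sample packet for parsing only; checksums are left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, seq, flags):
    """Constructed 20-byte TCP header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 2048, 0, 0)
```

A packet that matches "land" but not "land_c_fingerprint" is the case a rule keyed only on the land.c constants would miss.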




