[Snort-users] Land Attack

Ashley Thomas athomas at ...5484...
Tue Dec 31 09:08:07 EST 2002


I see 2 rules -

dos.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; id:3868; seq: 3868; flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269; rev:2;)

bad-traffic.rules:
alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

I was referring to the second one. Is it not a Land attack?

The reference, CVE-1999-0016, is the same for both and classifies it as 
LAND.

So I was wondering whether, if a packet has the same SRC and DST IP, it is a LAND 
attack, or whether it has to be a SYN packet with the same SRC/DST ports as well.

thanks a lot
ashley


Phil Wood wrote:

>The rule in snort looks for a SYN packet with IP ident == tcp sequence (0xF1C)
>which is based on the source for land.c.  You would have to peruse the hacker
>source sites for that.
>
>There is no primitive to look for source port equal to destination port.
>You could write one.  %^)
>
>On Tue, Dec 31, 2002 at 02:31:51AM -0500, Ashley Thomas wrote:
>  
>
>>Hi,
>>
>>What is the signature for a Land attack ?
>>
>>All the documentation I could get hold of mentioned a 'Land Attack' to be a
>>TCP SYN packet with the same Src IP/port and Dest IP/port.
>>
>>http://www.cert.org/advisories/CA-1997-28.html
>>http://www.insecure.org/sploits/land.ip.DOS.html
>>http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/land.html
>>
>>Then how do we classify a DoS attack packet which has the same Src IP and 
>>Dest IP?
>>(Let's say it is not a TCP/UDP packet, so the port is not considered.)
>>
>>The Snort signature for Land has also considered only the IP address and not 
>>the port.
>>
>>thanks
>>ashley
>>
>>-- 
>>Ashley Thomas
>>Research scientist
>>College of Computing
>>Georgia Tech.


-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
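The three definitions being compared in this thread (sid 527's sameip, sid 269's SYN with IP id == TCP seq == 3868, and the documented "SYN with same IP and same port") can be implemented side by side to see where they agree and where they do not. The following is an added example written for this archive page; it is not code from the poster, from Phil Wood, or from the Snort rule set. It decodes raw IPv4/TCP headers with struct, and the three sample packets are constructed inline (IP and TCP checksums are left at zero, which the parser does not check; the addresses and ports are made up for illustration):

```python
"""Classify raw IPv4 packets against the three LAND definitions discussed
above. Added example: not from the Snort rules or from the thread's posters."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

LAND_C_ID = 3868   # 0xF1C: the IP id / TCP seq constant Snort sid 269 matches
TCP_SYN = 0x02


@dataclass
class Parsed:
    src: str
    dst: str
    proto: int
    ip_id: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    seq: Optional[int] = None
    flags: Optional[int] = None


def parse(pkt: bytes) -> Parsed:
    """Decode the IPv4 header and, for TCP, the TCP fields the rules look at."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, _tlen, ip_id, _frag, _ttl, proto, _csum, s, d = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    p = Parsed(socket.inet_ntoa(s), socket.inet_ntoa(d), proto, ip_id)
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        p.sport, p.dport, p.seq, p.flags = sport, dport, seq, off_flags & 0x1FF
    return p


def is_syn_only(p: Parsed) -> bool:
    # Snort's flags:S matches the 8-bit flag field exactly (SYN, nothing else).
    return p.flags is not None and (p.flags & 0xFF) == TCP_SYN


def matches_sid527(p: Parsed) -> bool:
    """'BAD TRAFFIC same SRC/DST': sameip, any IP protocol, no port check."""
    return p.src == p.dst


def matches_sid269(p: Parsed) -> bool:
    """'DOS Land attack': SYN with IP id and TCP seq both 3868 (land.c constants).
    Note it does not check that src and dst IP or port are equal at all."""
    return p.proto == 6 and is_syn_only(p) and p.ip_id == LAND_C_ID and p.seq == LAND_C_ID


def is_documented_land(p: Parsed) -> bool:
    """The CERT CA-1997-28 description: SYN with src IP/port == dst IP/port."""
    return p.proto == 6 and is_syn_only(p) and p.src == p.dst and p.sport == p.dport


def classify(pkt: bytes) -> List[str]:
    p = parse(pkt)
    hits = []
    if matches_sid527(p):
        hits.append("sid527_sameip")
    if matches_sid269(p):
        hits.append("sid269_land_c_fingerprint")
    if is_documented_land(p):
        hits.append("land_same_ip_and_port_syn")
    return hits


# --- constructed sample packets (checksums zero, addresses made up) ---
def build_ipv4(src: str, dst: str, proto: int, ip_id: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, seq: int, flags: int) -> bytes:
    # 20-byte TCP header: data offset 5, window 8192, checksum/urgent zero
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)


# The classic attack as land.c sends it: all three definitions agree.
LAND_PKT = build_ipv4("10.0.0.5", "10.0.0.5", 6, LAND_C_ID,
                      build_tcp(139, 139, LAND_C_ID, TCP_SYN))
# ICMP echo with src == dst: only sameip (sid 527) can see it, there are no ports.
SAMEIP_ICMP_PKT = build_ipv4("10.0.0.5", "10.0.0.5", 1, 1,
                             b"\x08\x00\x00\x00\x00\x01\x00\x01")
# Ordinary SYN that happens to carry id == seq == 3868: sid 269 fires,
# although src and dst differ, because it keys on land.c's constants.
LEGIT_SYN_PKT = build_ipv4("192.0.2.1", "10.0.0.5", 6, LAND_C_ID,
                           build_tcp(40000, 80, LAND_C_ID, TCP_SYN))

if __name__ == "__main__":
    for name, pkt in (("land", LAND_PKT), ("icmp_sameip", SAMEIP_ICMP_PKT),
                      ("legit_syn", LEGIT_SYN_PKT)):
        print(name, classify(pkt))
```

The third packet is the point Phil makes about sid 269: it is a fingerprint of the published land.c (fixed IP id and sequence number), not a check for the same-source/destination condition, so a forged LAND packet with any other id/seq is only caught by sid 527, and a legitimate SYN with those values trips sid 269. The ICMP packet shows why sid 527 is written as an `ip` rule with no port test: for non-TCP/UDP traffic there is no port to compare, and src == dst is itself the anomaly.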