[Snort-users] Land Attack

Ashley Thomas athomas at ...5484...
Tue Dec 31 09:08:07 EST 2002

I see 2 rules -

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; 
id:3868; seq: 3868;
flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269; 

alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip;
classtype:bad-unknown; sid:527; rev:3;)

I was referring to the second one. Is it not Land Attack?

The reference, CVE-1999-0016, is the same for both and classifies it as 

So I was wondering if the packet has SRC and DST IP same, is it a LAND
attack, or does it have to be a SYN packet with same SRC/DST ports also?

thanks a lot

Phil Wood wrote:

>The rule in snort looks for a SYN packet with IP ident == tcp sequence (0xF1C)
>which is based on the source for land.c.  You would have to peruse the hacker
>source sites for that.
>There is no primitive to look for source port equal to destination port.
>You could write one.  %^)
>On Tue, Dec 31, 2002 at 02:31:51AM -0500, Ashley Thomas wrote:
>>What is the signature for a Land attack?
>>All the documentation I could get hold of mentioned 'Land Attack' to be a
>>TCP SYN packet with same Src IP/port and Dest IP/port.
>>Then how do we classify the DoS attack packet which has same Src IP and 
>>Dest IP?
>>(let's say it is not a TCP/UDP packet -> so port is not considered)
>>Snort signature for Land also has considered only the IP address and not 
>>Ashley Thomas
>>Research scientist
>>College of Computing
>>Georgia Tech.

Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
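
The three conditions discussed in this thread, compared on raw IPv4 packets, as an added example that is not part of the original messages or of Snort. The names `classify` and `build_packet`, the label strings, and the sample addresses are constructed for illustration; `flags:S` is assumed to mean SYN as the only one of the six classic TCP flag bits.

```python
import socket
import struct

LAND_TOOL_ID = 3868  # 0xF1C, the id/seq value quoted in sid:269

def build_packet(src, dst, proto=6, ip_id=0, sport=0, dport=0, seq=0, flags=0x02):
    """Build a constructed IPv4 packet (checksums left at zero) as sample input."""
    payload = b""
    if proto == 6:
        payload = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                              5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Return the set of labels that match one raw IPv4 packet."""
    labels = set()
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return labels
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    if pkt[12:16] == pkt[16:20]:
        labels.add("same-ip")          # what sameip (sid:527) checks, any protocol
    # Ports and flags exist only in the first fragment of a TCP packet.
    if pkt[9] != 6 or frag & 0x1FFF or ihl < 20 or len(pkt) < ihl + 20:
        return labels
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    syn_only = (pkt[ihl + 13] & 0x3F) == 0x02
    if syn_only and "same-ip" in labels and sport == dport:
        labels.add("land-classic")     # SYN with same src/dst IP and port
    # sid:269 as quoted checks id, seq and flags, not addresses or ports.
    if syn_only and ip_id == LAND_TOOL_ID and seq == LAND_TOOL_ID:
        labels.add("land-tool-fingerprint")
    return labels
```

A non-TCP packet with equal addresses gets only `same-ip`, which is the case asked about above, while the id/seq fingerprint fires independently of the addresses.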
