TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
According to CERT: http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html

Attacks like those of the Land tool rely on the use of forged packets, that
is, packets where the attacker deliberately falsifies the origin address.
With the current IP protocol technology, it is impossible to eliminate
IP-spoofed packets. However, you can reduce the likelihood of your site's
networks being used to initiate forged packets by filtering outgoing
packets that have a source address different from that of your internal
network.

Currently, the best method to reduce the number of IP-spoofed packets
exiting your network is to install filtering on your routers that requires
packets leaving your network to have a source address from your internal
network. This type of filter prevents a source IP spoofing attack from your
site by filtering all outgoing packets that contain a source address from
a different network.

A detailed description of this type of filtering is available in RFC 2267,
"Network Ingress Filtering: Defeating Denial of Service Attacks which
employ IP Source Address Spoofing" by Paul Ferguson of Cisco Systems, Inc.
and Daniel Senie of Blazenet, Inc. We recommend it to both Internet Service
Providers and sites that manage their own routers. The document is
currently available at
ftp://ftp.isi.edu/in-notes/rfc2267.txt

At 10:57 AM 8/22/00 -0400, Earley, Rickey D. CPL wrote:
>Has anyone had the Land_UDP event? I have read what ISS has on it but was
>trying to get a little more information. The source and dest. address are
>both 255.255.255.255 with a source and dest port of 138. Any way to track
>this event down?? Thanks for any information.
>
>RICKEY D. EARLEY JR
>SPC, USA
>SYSTEM ADMINISTRATOR
>93RD SIGNAL BRIGADE
>[EMAIL PROTECTED]
>706-791-9305 / DSN 780-9305
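
The outbound source-address filter described in the CERT text above, written out as a decision function; this is an added example, not part of the original messages, the CERT advisory or RFC 2267. The internal prefixes (documentation ranges), the function names and the sample packets are assumptions, and the check for identical source and destination address and port goes one step beyond the filter the advisory describes.

```python
import ipaddress

# Assumption: documentation prefixes stand in for the site's internal networks.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]


def is_land_pattern(src, sport, dst, dport):
    """Land-style packet: source and destination address and port are identical."""
    return ipaddress.ip_address(src) == ipaddress.ip_address(dst) and sport == dport


def egress_decision(src, sport, dst, dport, internal=INTERNAL_NETS):
    """Decide what a border filter does with a packet leaving the site.

    Returns (action, reason). Only packets whose source address belongs to
    an internal network may leave; anything else is treated as forged.
    """
    src_ip = ipaddress.ip_address(src)
    if is_land_pattern(src, sport, dst, dport):
        return ("drop", "land-pattern")
    if not any(src_ip in net for net in internal):
        return ("drop", "source-not-internal")
    return ("permit", "source-internal")


# Constructed sample packets (src, sport, dst, dport); not captured traffic.
SAMPLE = [
    ("192.0.2.10", 40000, "203.0.113.5", 80),          # normal outbound
    ("203.0.113.77", 40001, "203.0.113.5", 80),        # source outside the site
    ("255.255.255.255", 138, "255.255.255.255", 138),  # values from the question
    ("192.0.2.10", 139, "192.0.2.10", 139),            # internal source, Land pattern
]


def summarize(packets=SAMPLE):
    """Return the (action, reason) decision for each packet, in order."""
    return [egress_decision(*p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, summarize()):
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}  {action} ({reason})")
```

The last sample shows why the pattern check runs first: a packet with an internal source address would pass the source-address rule alone.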