TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Not much more information is give in the ISS RealSecure 5.0 Signature
guide, refer to page 167.
At 12:57 PM 8/22/00 -0400, Charles C. Lindsay wrote:
>Given that the source/dest ports are NETBIOS datagram, this may be a
>little more subtle than the standard LAND attack -- it would have been
>interesting to actually see the contents of the frame. With the
>network broadcast address as both source and destination, every
>machine in your net would presumably see it, and respond to it, out to
>the "world", and amongst themselves. If there was a single-packet
>NETBIOS attack buried in there, it would have hit all your boxes, and
>the ones that didn't die would propagate it...
>
>Interesting.
>
>
>--
>Charles C. Lindsay TopLayer Networks, Inc. 508-870-1300 x147
>[EMAIL PROTECTED] "Layers Above The Rest" 508-870-9797 FAX
> 2400 Computer Drive, Westboro, MA 01581
>
>
> From: [EMAIL PROTECTED]
> X-Sender: [EMAIL PROTECTED]
> Date: Tue, 22 Aug 2000 08:38:48 -0700
>
>
> According to CERT:
> http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
>
> Attacks like those of the Land tool rely on the use of forged packets,
> that
> is, packets where the attacker deliberately falsifies the origin address.
> With the current IP protocol technology, it is impossible to eliminate
> IP-spoofed packets. However, you can reduce the likelihood of your site's
> networks being used to initiate forged packets by filtering outgoing
> packets that have a source address different from that of your internal
> network.
>
> Currently, the best method to reduce the number of IP-spoofed packets
> exiting your network is to install filtering on your routers that
> requires
> packets leaving your network to have a source address from your internal
> network. This type of filter prevents a source IP spoofing attack from
> your
> site by filtering all outgoing packets that contain a source address from
> a different network.
>
> A detailed description of this type of filtering is available in RFC
> 2267,
> "Network Ingress Filtering: Defeating Denial of Service Attacks which
> employ IP Source Address Spoofing" by Paul Ferguson of Cisco Systems,
> Inc.
> and Daniel Senie of Blazenet, Inc. We recommend it to both Internet
> Service
> Providers and sites that manage their own routers. The document is
> currently available at
>
> ftp://ftp.isi.edu/in-notes/rfc2267.txt
>
>
>
> At 10:57 AM 8/22/00 -0400, Earley, Rickey D. CPL wrote:
>
> >Has anyone had the Land_UDP event? I have read what ISS has on it but was
> >trying to get a little more information. The source and dest. address are
> >both 255.255.255.255 with a source and dest port of 138. Anyway to track
> >this event down?? Thanks for any information.
> >
> >RICKEY D. EARLEY JR
> >SPC, USA
> >SYSTEM ADMINISTRATOR
> >93RD SIGNAL BRIGADE
> >[EMAIL PROTECTED]
> >706-791-9305 / DSN 780-9305
