This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

utorrent and IPS

Hi All

I have set up utorrent to the DMZ zone and it works fine (Able to download and seed). However, it's been a week now that IPS detects

	200012	LAND Attack, sameip detected	Protocol Anomaly / Misc	1 265	98.98

coming from the utorrent client. As a result (If IDS drops the connection) my internet is going down! This ip 172.16.1.2 is only assigned to that client on the DMZ (only device on the DMZ at the moment)

IDS log:

2009:05:22-00:03:45 Astaro barnyard[9112]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="450" srcip="172.16.1.2" dstip="172.16.1.2" proto="6" srcport="40004" dstport="54355" sid="200012" class="Unknown" priority="0"  generator="1" msgid="0"

2009:05:22-00:03:47 Astaro barnyard[9112]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="450" srcip="172.16.1.2" dstip="172.16.1.2" proto="6" srcport="40001" dstport="54355" sid="200012" class="Unknown" priority="0"  generator="1" msgid="0"

2009:05:22-00:03:47 Astaro barnyard[9112]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="450" srcip="172.16.1.2" dstip="172.16.1.2" proto="6" srcport="40000" dstport="54355" sid="200012" class="Unknown" priority="0"  generator="1" msgid="0"

2009:05:22-00:03:47 Astaro barnyard[9112]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="450" srcip="172.16.1.2" dstip="172.16.1.2" proto="6" srcport="40002" dstport="54355" sid="200012" class="Unknown" priority="0"  generator="1" msgid="0"

That looks like it could be a 'false positive' ID. Port 54355 is for bittorrent (uTorrent client).

I found the following searching on google:

A land attack is slightly different - the machine 'attacks' itself  



The basic idea is to send a packet to a system where the source IP is set to match the systems IP. The SYN flag has to be set. So the packet will arrive with source ip = target ip. As a result, the system will attempt to reply to itself, causing a lock up of the system

Is this something that you guys came across?

This thread was automatically locked due to age.

Parents

0 BarryG over 16 years ago

I haven't seen that, but you can disable individual IPS rules under IPS - Advanced.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 16 years ago in reply to BarryG

I know Barry just wondering whether someone knows how to resolve that issue
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to wingman

Have you double-checked your MASQ and DNAT settings?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 16 years ago in reply to BarryG
DNAT
-------------
1 DNAT [utorrent] DMZ
Traffic selector: Any → utorrent port → WAN Traffic (Address)
Destination translation: utorrent PC
Automatic packet filter rule: no

MASQ
----------------
DMZ (Network)-->WAN Traffic
Private_Lan (Network)->WAN Traffic

It might be something misconfigured on the client itself as everything was working fine before. I was messing with utorrent configuration at some point during the weekend
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to wingman

Hi, can you explain what "WAN Traffic" is in your MASQ?
Normally, one would use External Interface Address in a MASQ setting.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 16 years ago in reply to BarryG

Wan traffic is the external interface (ip provided by isp 86.x.x.x)
Cancel
Vote Up 0 Vote Down

Cancel
0 Billybob over 16 years ago in reply to wingman

Too bad you can't see the mac address in those logs. Here are a couple of snort articles I found on the subject. The second one suggests a corrective action. Browse through them if you haven't run up on them already in your searches.

If you have a dynamic IP assigned by your ISP, try changing it by reconnecting etc. and see if that resolves the problem if this really is some kind of DOS attack.

RULE 1:527 - Potential False Positive - Snort Forums Archive

Snort - the de facto standard for intrusion detection/prevention

This sure is interesting problem and would love to know how you solve it.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Billybob over 16 years ago in reply to wingman

Too bad you can't see the mac address in those logs. Here are a couple of snort articles I found on the subject. The second one suggests a corrective action. Browse through them if you haven't run up on them already in your searches.

If you have a dynamic IP assigned by your ISP, try changing it by reconnecting etc. and see if that resolves the problem if this really is some kind of DOS attack.

RULE 1:527 - Potential False Positive - Snort Forums Archive

Snort - the de facto standard for intrusion detection/prevention

This sure is interesting problem and would love to know how you solve it.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data