
Land Attack, Portscan and others

Hello,
today I'm under attack. I have a lot of entries in the log files about LAND Attack and Portscan (the latter is coming from our Guest interface). In the case of LAND, the source and the destination addresses seem to be the same (my public IP address), so it is difficult to understand the real origin, but I consider that it must be one of my co-workers because the LAND starts at 9 and stops at 18 (our working hours). What can I do to discover the real attacker?

2010:09:23-16:12:18 firewall snort[5524]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="6MY PUBLIC IP ADDRESS" dstip="6MY PUBLIC IP ADDRESS" proto="6" srcport="8080" dstport="58943" sid="200012" class="" priority="0"  generator="1" msgid="0"

2010:09:23-14:02:58 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="255.255.255.255" proto="17" length="328" tos="0x00" prec="0x00" ttl="128" srcport="68" dstport="67" 

2010:09:23-14:02:59 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:02:59 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:03:01 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="81.110.248.166" proto="17" length="50" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="20031" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="81.104.10.175" proto="17" length="56" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="17090" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="88.107.127.33" proto="17" length="55" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="4202" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="86.3.13.23" proto="17" length="50" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="11512" 

2010:09:23-14:03:03 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="86.8.237.227" proto="17" length="58" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="40912"


  • Is the srcmac your interface?

    If not, then you just have to find that PC... use 
    arp -an

    during the attacks to find the IP address.

    Barry


    Barry, unfortunately the MAC address is specified only for the portscan alerts, not for LAND (only the first entry I wrote is related to the LAND attack), so I cannot use arp. But perhaps I found the "culprit". I think it is a false positive: the LAND occurred since I moved from transparent to standard proxy mode. There was one client that used an RSS feed published on one of our internal HTTP servers. The URL of this feed was:

    http://MYPUBLICIPADDRESS:8080/feed.aspx 
    instead of 
    http://192.168.1.10:8080/feed.aspx

    With the proxy in transparent mode, all worked fine (both when the client was in our LAN and when the client was outside).

    Now I have changed the feed address to the second one, and it seems that the LAND alerts have stopped. In your opinion, could the configuration described generate these false positives?

    Thanks
    eclipse79
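The two checks discussed in this thread (Barry's "is the srcmac your interface, otherwise map it to a host" and eclipse79's "a LAND alert where srcip equals dstip on a port we publish to ourselves is probably hairpin traffic, not an attack") can be scripted over the firewall's ips log. The following is an added example, not code from the forum or from the UTM vendor: it parses the key="value" layout of the lines quoted above, reports LAND alerts and flags those that touch a published service port, and groups portscan events by source MAC, resolving the MAC through `arp -an` output. The sample log, the sample ARP table, the addresses (RFC 5737 documentation ranges) and the assumption that `00:1a:8c:15:e2:4d` is the firewall's own eth5 MAC are all constructed for the example.

```python
"""Triage helper for UTM-style snort/ulogd ips log lines (added example, not the vendor's code)."""
import re
from collections import defaultdict

# Constructed sample log in the same key="value" layout as the lines quoted in the thread.
# 203.0.113.10 stands in for the public IP, 192.0.2.x for the guest network.
SAMPLE_LOG = """\
2010:09:23-16:12:18 firewall snort[5524]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="203.0.113.10" dstip="203.0.113.10" proto="6" srcport="8080" dstport="58943" sid="200012" class="" priority="0"  generator="1" msgid="0"
2010:09:23-14:02:58 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="192.0.2.23" dstip="255.255.255.255" proto="17" length="328" tos="0x00" prec="0x00" ttl="128" srcport="68" dstport="67"
2010:09:23-14:03:01 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="192.0.2.23" dstip="198.51.100.7" proto="17" length="50" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="20031"
"""

# Constructed `arp -an` output (Linux layout) captured during the alerts, as Barry suggests.
SAMPLE_ARP = """\
? (192.0.2.23) at 78:e4:00:22:71:be [ether] on eth5
? (192.0.2.1) at 00:1a:8c:15:e2:4d [ether] on eth5
"""

PREFIX_RE = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
ARP_RE = re.compile(r'\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})', re.I)


def parse_line(line):
    """Split one snort/ulogd line into a dict of its fields; None if the prefix does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "daemon": m.group(3)}
    rec.update(KV_RE.findall(line[m.end():]))  # empty values such as class="" are kept
    return rec


def parse_arp_an(text):
    """Map lower-cased MAC -> IP from `arp -an` output."""
    return {mac.lower(): ip for ip, mac in ARP_RE.findall(text)}


def find_land_alerts(records, published_ports=frozenset({8080})):
    """A LAND alert is srcip == dstip. Flag alerts that involve a port we publish
    on our own public address: that is the hairpin case eclipse79 describes."""
    out = []
    for r in records:
        if r.get("srcip") and r.get("srcip") == r.get("dstip"):
            ports = {int(r.get("srcport", 0)), int(r.get("dstport", 0))}
            out.append({
                "ts": r["ts"], "ip": r["srcip"],
                "srcport": r.get("srcport"), "dstport": r.get("dstport"),
                "likely_hairpin": bool(ports & set(published_ports)),
            })
    return out


def summarize_portscans(records, arp_table=None, local_macs=frozenset()):
    """Group portscan events by srcmac (Barry's key), noting whether the MAC is one of
    the firewall's own interfaces and which IP the ARP table currently holds for it."""
    arp_table = arp_table or {}
    local = {m.lower() for m in local_macs}
    by_mac = defaultdict(lambda: {"count": 0, "srcips": set(), "dstips": set(), "dstports": set()})
    for r in records:
        if r.get("action") != "portscan":
            continue
        s = by_mac[r.get("srcmac", "").lower()]
        s["count"] += 1
        s["srcips"].add(r.get("srcip"))
        s["dstips"].add(r.get("dstip"))
        s["dstports"].add(r.get("dstport"))
    for mac, s in by_mac.items():
        s["is_local_interface"] = mac in local
        s["arp_ip"] = arp_table.get(mac)
    return dict(by_mac)


def analyze(log_text, arp_text="", local_macs=frozenset(), published_ports=frozenset({8080})):
    """Run both checks over a log excerpt and return a small report."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "land": find_land_alerts(records, published_ports),
        "portscans": summarize_portscans(records, parse_arp_an(arp_text), local_macs),
    }


if __name__ == "__main__":
    # Assumption for the demo: 00:1a:8c:15:e2:4d is the firewall's eth5 MAC.
    report = analyze(SAMPLE_LOG, SAMPLE_ARP, local_macs={"00:1a:8c:15:e2:4d"})
    for alert in report["land"]:
        print("LAND", alert)
    for mac, summary in report["portscans"].items():
        print("SCAN", mac, summary)
```

A LAND alert whose port set contains a service you publish on the public address, and whose timing matches office hours, is the signature of a LAN client reaching the public IP through the firewall; the fix is the one eclipse79 applied (point the client at the internal address, or use hairpin/DNS split so the traffic never leaves the inside). The portscan summary is only a starting point: the guest MAC here sends DHCP (68 to 67) and NAT-PMP (5351) traffic to the gateway, which a scan detector can misclassify, so the dstports set is worth reading before treating the host as hostile.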