Printable View
Frequently when I open my IE web browser, my McAfee Firewall warns me that it has blocked a Land Attack. Is there a way to trace the source of the attack? It is so regular, even though it doesn't seem to hurt anything, I would like to trace it to its source.
Sygate firewall allows you to do a backtrace of the offending IP, but that only shows the route taken to you.
Why would you like to trace it ?
If your F/W has it stopped, then it is doing its job.
By regular. How regular ?
You could always try the AO IP locator on the front page, to give you an idea of where the IP originates. [be aware that the locator isn't deadly accurate :)]
Sorry lost track of my post. The land attacks were occuring almost as regularly as when I signed on to my web browser. That has continued up until a few days ago when they seemed to subside, but still occur but not as often. The trace indicated Shanghai, China as the source in most cases.
Unless you have access to you're ISP's router's netflow functions, there's no way you can trace back a Land attack to any computer other than... your own.
Land attack packets, by nature, tcp packets with the syn flag up with the same (spoofed) source IP as the destination (ie: victim's) IP.
Ammo
Must admitt.. I hadn't Heard of "Land Attack" untill reading this post.. ..
now most here will know and understand.. but to add to ammo's comment.. here is a bit of info from a quick Google.. a starting point for those who wish to learn more..
oh and the source.. HereQuote:
A LAND attack consists of a stream of TCP SYN packets that have the source IP address and TCP port number set to the same value as the destination address and port number (i.e., that of the attacked host). Some implementations of TCP/IP cannot handle this theoretically impossible condition, causing the operating system to go into a loop as it tries to resolve repeated connections to itself. Service providers can block LAND attacks that originate behind aggregation points by installing filters on the ingress ports of their edge routers to check the source IP addresses of all incoming packets. If the address is within the range of advertised prefixes, the packet is forwarded; otherwise it is dropped.
Bastard I am.. a google results page it is
Bloody smilies and that bloody url... geez