D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: steveluscher on October 28, 2008, 09:26:15 AM

Title: What's causing this LanD Attack log?
Post by: steveluscher on October 28, 2008, 09:26:15 AM
My log is absolutely full of the following type of message, minutes apart:

Code: [Select]
[WARN] Tue Oct 28 09:13:21 2008 Blocked packet from 192.168.0.1 to 192.168.0.1 (LAND Attack)
[WARN] Tue Oct 28 09:13:01 2008 Above message repeated 188 times

Just a hunch, this may have appeared after upgrading to either 1.20 or 1.21. I don't remember seeing it in the logs before that.

What's causing this?

Peculiarities about my setup:

DIR655 LANPORTS <= Computer, NAS, WRT54GP2 VOIP ROUTER
DIR655 WIRELESS <= Computers, Wii, WRT54G (Tomato Firmware) WIRELESS BRIDGE
WRT54G (Tomato Firmware) WIRELESS BRIDGE <= Computer
Title: Re: What's a LanD Attack?
Post by: arod on October 28, 2008, 09:45:08 AM
a LAND attack is a DoS attack. Please reference the following link from wiki.

http://en.wikipedia.org/wiki/LAND

Title: Re: What's causing this LanD Attack log?
Post by: steveluscher on October 28, 2008, 10:05:15 AM
Are you saying that this is an actual LanD attack, and not just a false positive?
Title: Re: What's causing this LanD Attack log?
Post by: EddieZ on October 28, 2008, 01:48:04 PM
No, he is not. Looking at the destination and point of origin this is most certainly a false positive.
Title: Re: What's causing this LanD Attack log?
Post by: steveluscher on October 28, 2008, 03:21:08 PM
So again I ask… what could be causing this?
Title: Re: What's causing this LanD Attack log?
Post by: Wal_ on October 28, 2008, 03:29:40 PM
Quote from: steveluscher on October 28, 2008, 03:21:08 PM
So again I ask… what could be causing this?

Can you tell us about your environment? any specific programs, games, network devices, etc?

Or is it spitting out these LanD attacks the second you power on your router? (speaking of which, did you try power cycling your router? Maybe re-apply firmware?)

I noticed you have quite a few devices on your network. You may want to try isolating the 655 completely. Try modem --> DIR-655 --> Computer. See if you still receive lanD attacks.  If not, try connecting a device at a time and see which yields the attacks.

Let me know!!!

Good luck!
Title: Re: What's causing this LanD Attack log?
Post by: Matricz on October 29, 2008, 07:03:00 AM
I also have these in my logs, quite a lot of them actually.. it started with the >= 1.20 firmwares
Title: Re: What's causing this LanD Attack log?
Post by: Lycan on October 29, 2008, 10:16:27 AM
Whats on the LAN side of your network?
List all devices please.
Title: Re: What's causing this LanD Attack log?
Post by: steveluscher on October 29, 2008, 10:24:41 AM
All the devices are listed in my original post, above.
Title: Re: What's causing this LanD Attack log?
Post by: Matricz on October 30, 2008, 04:24:41 AM
Internet <-> Speedtouch ADSL (bridgemode) <-> DIR-655 <-> LAN

Devices in our LAN:
4 switches
5 PCs and 1 Laptop
Iphone and Nokia N95 via Wireless

Title: Re: What's causing this LanD Attack log?
Post by: Lycan on October 30, 2008, 08:12:23 AM
Explain the bridge in more detail please. Also how many routers are you using?
Title: Re: What's causing this LanD Attack log?
Post by: steveluscher on October 30, 2008, 11:19:47 AM
Quote from: Lycan on October 30, 2008, 08:12:23 AM
Explain the bridge in more detail please. Also how many routers are you using?

Here goes:

D-Link DIR655

Linksys WRT54GP2

Linksys WRT54G (With Tomato Firmware in Ethernet Bridge mode)

Remember the good ol' days when we just cabled the whole house and everything worked?
Title: Re: What's causing this LanD Attack log?
Post by: Wal_ on October 30, 2008, 11:27:53 AM
Quote from: steveluscher on October 30, 2008, 11:19:47 AM
Remember the good ol' days when we just cabled the whole house and everything worked?

I'm still living in those days! (minus my iPhone)
Title: Re: What's causing this LanD Attack log?
Post by: Lycan on October 30, 2008, 01:22:55 PM
There's your LanD attacks. The 655 is looking at that loopback bridge as a LanD attack.
Title: Re: What's causing this LanD Attack log?
Post by: kh30397 on February 16, 2009, 01:33:19 PM
Quote from: Lycan on October 30, 2008, 01:22:55 PM
There's your LanD attacks. The 655 is looking at that loopback bridge as a LanD attack.

Lycan,
I have almost the same setup and I'm getting this in the status log:

Priority
[WARN]   Blocked packet from 192.168.0.1 to 192.168.0.1 (LAND Attack)
[INFO]    Above message repeated 1999 times

D-Link DIR655
    * WAN
          o DCM-202 Cable modem
    * LAN
          o xbox360
          o ps3
          o Linksys WRTP54G (VoIP adapter)
    * WIRELESS
          o xp pro laptop
          o xp pro laptop
          o Wii

Linksys WRTP54G
    * WAN
          o LAN port of self (looped back for Vonage phone & fax)
    * LAN
          o D-Link DIR655
          o WAN port of self (looped back for Vonage phone & fax)
    * WIRELESS (Access Point w/remote access enabled)
          o xp pro laptop
          o xp pro laptop
          o xp pro laptop
          o MFC 640W

Everything on the network seems to be working quite well, for now. However, I'm a little concerned about this circular network setup and how the 655 is constantly pounding itself. Are there any settings that will tell the 655 to disregard this particular LanD attack?
         
Title: Re: What's causing this LanD Attack log?
Post by: EddieZ on February 16, 2009, 01:47:39 PM
Try upping the TTL on your clients, in case the LanD false positive is caused by Time Exceeds roaming around between routers (and pounding your DIR655)