I received an alarm the other day for a LAND attack.
I'm a network engineer and we recently allowed the use of iPhones on the business wireless network for testing for possible business deployment.
I received an alarm the other day for a LAND attack. Further investigation showed in a sniffer capture that all these "attacks" were from Apple devices on the network. The behavior was very odd.
Client initiated a connection to Apple, 17.173.254.222; after 8 attempts it went to 17.173.254.223, source port 16403, destination 16384.
Apple 17.173.254.222 responds to the client IP address 192.168.100.23, on port 16384 to the client on port 16403.
Apple 17.173.254.223 does the same.
This is where it gets interesting.
The client 192.168.100.23 responds not to Apple but to its outside translated address 12.124.1.15 (not the real IP), port 16403 both source and destination.
This generates a LAND attack notification.
Apple 17.173.254.223 responds to 192.168.100.23.
Client sends a response to its translated address again. Another LAND attack message is generated.
Then 17.173 sends a response to 192.168.100.23.
Client responds to 17.173.254.223 this time.
What the heck is going on? How is the translated address for this client getting involved this way? It's not just this one. I have picked off 3000 in the past 24 hours.
It's almost time to shut down all Apple devices from the network unless I get a handle on this.
Any thoughts?
DEVICES SEEN ARE IPHONES MOSTLY AND SOME IPADS
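Added example, not part of the original post: a triage helper that separates alarms where source and destination are identical on the wire from those that only match a LAND signature (same source and destination address and port) once the sender's address is translated, as with the client-to-12.124.1.15 packets described above. It assumes a static one-to-one, port-preserving NAT entry and a sensor that evaluates packets after translation; the `NAT` table, the function names and the 10.0.0.5 packet are constructed for illustration.

```python
from collections import Counter

# Assumed static one-to-one NAT entry, using the addresses quoted in the post:
# inside address -> outside (translated) address. Source port is preserved.
NAT = {"192.168.100.23": "12.124.1.15"}


def classify(pkt, nat=NAT):
    """Classify one packet captured on the inside segment.

    pkt is (src_ip, src_port, dst_ip, dst_port).
    """
    src_ip, sport, dst_ip, dport = pkt
    if (src_ip, sport) == (dst_ip, dport):
        # Endpoints already identical before any translation.
        return "land-on-wire"
    if (nat.get(src_ip, src_ip), sport) == (dst_ip, dport):
        # The host addressed its own outside mapping; source and destination
        # only become identical after source NAT is applied.
        return "land-after-nat"
    return "normal"


def summarize(packets, nat=NAT):
    """Count verdicts per inside source so recurring clients stand out."""
    return Counter((p[0], classify(p, nat)) for p in packets)


# Constructed sample modelled on the sequence in the post.
SAMPLE = [
    ("192.168.100.23", 16403, "17.173.254.222", 16384),
    ("192.168.100.23", 16403, "12.124.1.15", 16403),
    ("192.168.100.23", 16403, "12.124.1.15", 16403),
    ("192.168.100.23", 16403, "17.173.254.223", 16384),
    ("10.0.0.5", 139, "10.0.0.5", 139),  # constructed on-wire LAND packet
]

if __name__ == "__main__":
    for (src, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {verdict:15} {n}")
```

Run over an exported capture, the per-source counts show whether the alarms come from packets addressed to the sender's own translated address or from packets that are identical on the wire.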