Handbook

Blocking land attacks in transparent mode

6.0.0

FortiGate treats packets that have the same source and destination IP address as LAND (Local Area Network Denial) attacks. Attackers originally used LAND attacks to spoof traffic to a destination, setting the source IP address to the destination's own address. This could potentially lock up a system as it tried to respond to itself in a loop.

Bidirectional Forwarding Detection (BFD) echo packets use the same source and destination IP address by design; the receiver forwards the received packet back to the sender. In transparent mode, or with a virtual wire pair in NAT mode, this can be misinterpreted as a LAND attack.

The option to block LAND attacks is disabled by default, allowing BFD packets to be forwarded through the FortiGate if they are permitted by a firewall policy. Blocking LAND attacks can be enabled per VDOM.

To block LAND attacks:
config system settings
    set block-land-attack enable
end
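
The overlap between LAND packets and BFD echo packets described above can be seen by applying the same-address test to raw IPv4 headers. The following is an added example, not Fortinet code and not how FortiOS implements the check: the function names, the sample packets, and the choice to recognise BFD echo by its UDP destination port 3785 (RFC 5881) are assumptions of the example.

```python
import socket
import struct

BFD_ECHO_PORT = 3785  # UDP destination port for BFD echo packets (RFC 5881)


def matches_land_rule(packet: bytes) -> bool:
    """The page's definition: same source and destination IP address."""
    return len(packet) >= 20 and packet[12:16] == packet[16:20]


def classify(packet: bytes) -> str:
    """Return 'malformed', 'normal', 'bfd-echo' or 'land' for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    if not matches_land_rule(packet):
        return "normal"
    # Assumption of this example: treat an unfragmented UDP packet to the
    # BFD echo port as the legitimate same-address case.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] == socket.IPPROTO_UDP and frag_offset == 0 and len(packet) >= ihl + 8:
        (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
        if dport == BFD_ECHO_PORT:
            return "bfd-echo"
    return "land"


def sample_packet(src: str, dst: str, dport: int, data: bytes = b"") -> bytes:
    """Build constructed IPv4/UDP bytes for the demo (checksums left at 0)."""
    udp = struct.pack("!HHHH", 49152, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


# Constructed samples using documentation addresses (192.0.2.0/24).
SAMPLES = {
    "normal": sample_packet("192.0.2.10", "192.0.2.20", 53),
    "bfd-echo": sample_packet("192.0.2.10", "192.0.2.10", BFD_ECHO_PORT, b"\x00" * 16),
    "land": sample_packet("192.0.2.20", "192.0.2.20", 53),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9} same-address={matches_land_rule(pkt)} -> {classify(pkt)}")
```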
