Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects
Internet Protocol (IP) packets where the IP source address and port are the same as the destination IP address
and port?
A. Allow the packet to be processed by the network and record the event
B. Record selected information about the packets and drop the packets
C. Resolve the destination address and process the packet
D. Translate the source address and resend the packet
Explanation:
In this question, a land attack has been detected by the IDS. A reasonable response from the IDS would be to
record selected information about the packets and drop the packets.
Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of
how the attacks are carried out are developed and called signatures. Each identified attack has a signature,
which is used to detect an attack in progress or determine if one has occurred within the network. Any action
that is not recognized as an attack is considered acceptable.
An example of a signature is a packet that has the same source and destination IP address. All packets should
have a different source and destination IP address, and if they have the same address, this means a Land
attack is under way. In a Land attack, a hacker modifies the packet header so that when a receiving system
responds to the sender, it is responding to its own address. Now that seems as though it should be benign
enough, but vulnerable systems just do not have the programming code to know what to do in this situation, so
they freeze or reboot.
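The signature and the response in answer B can be sketched as follows. This is an added example, not code from the original page or the cited sources; the function names, the record fields and the sample addresses are constructed, and it covers only IPv4 packets carrying TCP or UDP.

```python
import socket
import struct

TCP, UDP = 6, 17  # IP protocol numbers that carry source/destination ports

def build_packet(src, dst, sport, dport, proto=TCP):
    """Constructed sample data: 20-byte IPv4 header plus the two port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HH", sport, dport)

def check_land(packet):
    """Return ('drop', record) when the Land signature matches, else ('allow', None)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "allow", None              # not IPv4: outside this signature
    ihl = (packet[0] & 0x0F) * 4          # header length varies with IP options
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    if ihl < 20 or src != dst or proto not in (TCP, UDP):
        return "allow", None
    if frag_offset != 0 or len(packet) < ihl + 4:
        return "allow", None              # no port fields present in this packet
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if sport != dport:
        return "allow", None
    # Signature matched: record selected fields, then tell the caller to drop.
    record = {"signature": "land", "addr": socket.inet_ntoa(src),
              "port": sport, "proto": proto}
    return "drop", record

if __name__ == "__main__":
    samples = [
        build_packet("10.0.0.5", "10.0.0.5", 139, 139),    # matches the signature
        build_packet("10.0.0.7", "10.0.0.5", 40000, 139),  # ordinary traffic
        build_packet("10.0.0.5", "10.0.0.5", 40000, 139),  # same host, different ports
    ]
    for pkt in samples:
        print(check_land(pkt))
```

Packets that do not match are returned as "allow" only with respect to this one signature, in line with the point above that anything not recognized as an attack is considered acceptable.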
Incorrect Answers:
A: A land attack is an old and well-known attack, so the IDS would know what it is. Knowing the packets are an
attack, the IDS should not allow the packet to be processed by the network.
C: When the IP source address and port are the same as the destination IP address and port, this is a land
attack. It is not necessary to resolve the IP address and the packets should not be processed.
D: When the IP source address and port are the same as the destination IP address and port, this is a land
attack. The source address should not be translated and the packet should not be resent.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 257
http://searchsecurity.techtarget.com/answer/What-is-a-land-attack
http://www.symantec.com/connect/articles/understanding-ids-active-response-mechanisms
http://www.sans.org/security-resources/idfaq/active.php