topic Deny IP due to Land Attack same My IP in Network Security

Deny IP due to Land Attack same My IP

Ivan Marinovic — Fri, 21 Feb 2020 15:36:23 GMT

Hi,

I keep receiving log messages on ASA 5545X like this:

Apr 06 2018

07:47:57

19.19.20.4

Deny IP due to Land Attack from 19.19.20.4 to 19.19.20.4

This is for server - IP which is 1-to-1 NAT

10.1.4.4 ->19.19.20.4

CONFIG:

object network 19.19.20.4-10.1.4.4

nat (inside,outside) static 19.19.20.4 dns

host 10.1.4.4

and same happens with this log:

This is for local host/network 10.44.0.0 - IP which is 1-to-many NAT

Apr 06 2018

07:48:23

19.19.20.244

Deny IP due to Land Attack from 19.19.20.244 to 19.19.20.244

CONFIG:

object network 19.19.20.244-10.44.0.0

nat (inside,outside) dynamic 19.19.20.244

subnet 10.44.0.0 255.255.0.0

Is something with NAT config wrong?

Best regards,

Ivan

Bogdan Nita — Fri, 06 Apr 2018 09:58:29 GMT

Hi Ivan,

Land Attack simply means the packets have the same source ip and destination ip, in your case it seems to be 19.19.20.4 and 19.19.20.244.

Is it possible that 10.1.4.4 is sending packets to 19.19.20.4, or 10.44.0.0/24 to 19.19.20.244 ?

You can set up some captures to find out.

If yes configure identity nat for that specific destination.

HTH

Bogdan

mplaksin0 — Fri, 06 Apr 2018 17:05:30 GMT

Maybe create a nonat rule to packets on the same private network?