10-15-2011 02:28 PM - edited 03-11-2019 02:38 PM
I have been getting some Land Attack errors in my ASA logs recently so I captured some traffic to analyze.
ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
During a Land Attack, the capture shows an inside address trying to send traffic to the nat address and this may be some program trying to use nat traversal.
192.168.0.100:52000 > 1.1.1.1:28000: udp 28
I was also able to reproduce a Land Attack by pinging 1.1.1.1 from the inside address of 192.168.0.100.
Can I just configure an ACL that prevents 192.168.0.0/24 from connecting to the NAT address of 1.1.1.1?
Or is my nat configuration wrong?
Current NAT configuration:
version 8.2.4
nat-control
global (outside) 1 1.1.1.1 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
10-15-2011 04:11 PM
Hello Sr,
Let me see if I understand. What you are trying to implement with your dynamic NAT is that all the inside users go to the outside being NATted to the IP address of 1.1.1.1. If this is the case, the NAT would be
global (outside) 1 1.1.1.1 netmask 255.255.255.255
You do not need to configure that ACL because the ASA is going to drop the packets by default; this is for security purposes. So you do not need to worry about it.
Hope you have a great day,
Julio
10-15-2011 07:18 PM
Yes, all inside users currently use 1.1.1.1 as the outside natted address and all works.
I am trying to limit Land Attack errors from false positives so we know when a real Land Attack occurs.
I know the traffic gets dropped but if I add an ACL would the traffic log as regular deny instead of logging a land attack?
10-16-2011 01:28 PM
Hello,
Yes, I understand what you are saying. Doing a little bit of research on this I have found the following information that might help you regarding this problem.
What is Land attack?
A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.
How do you troubleshoot?
Error Message %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address
Explanation: The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action: If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
Step 1: You need to find out the packet flow
Step 2: In order to fetch the packet flow, please capture the pcap on all the interfaces (it will give a lot of information, including MAC addresses)
Step 3: If you have a firewall deployed between the source and destinations, then it's already blocked. However, it will often display in the logs as blocked
Step 4: If you see the public IP, it may get statically NATted somewhere, so please try removing the static entry and observe the logs (this is a workaround)
Step 5: You can execute the shun command in the firewall (if cisco) to tell the device to discard the packet from processing.
Hope this information helps,
Regards,
Julio
10-16-2011 10:37 PM
I have already taken the dump and verified the traffic to be legit.
Again, if I ping my NAT public address I can produce a Land Attack.
I just want to prevent regular traffic from sending off Land Attack errors.
10-16-2011 11:15 PM
Hello,
The thing is that traffic is going to be denied by default by the ASA, so if you create an ACL for that the result is going to be the same, just that you are going to receive a different message. Check out the following procedure.
If you place this command you are going to avoid that message:
no logging message 106017
Hope that one helps.
Regards,
Julio
10-16-2011 11:24 PM
Hi,
You would never be able to ping a remote interface from the ASA; it would always be denied. In your case what's happening is, you are trying to ping the outside interface, the request first goes to the internet for resolution and then is redirected back to the ASA outside interface, and now the firewall sees the source and destination being the same and reports a land attack. So I am not sure why you are trying it and what exactly is your requirement? If you can explain it maybe we can let you know if it's possible?
Thanks,
Varun
10-16-2011 11:55 PM
From the original post, I just used ping to reproduce the error that I get from time to time on my asa from other user traffic.
When a land attack happens I check the captured data and see what caused it, and it is because of some NAT traversal traffic that sends data to the NAT public address.
I just want for this traffic to not show up as a land attack since it is a false positive.
Sent from Cisco Technical Support iPad App
10-17-2011 11:39 AM
Hello,
As I explained before, you are going to keep receiving these messages unless you disable message 106017. That is the only solution, because the ASA as a security device is going to log this situation every single time it happens, as it seems to be an attack.
Hope you have a great day.
Julio
10-20-2011 04:23 PM
I was able to test an ACL on a spare ASA and it did work.
When there is no ACL, the land attack is logged, which is correct as it can't connect to itself.
When I add the ACL denying access to its NAT address it is logged as a deny.
access-list inside_access_in extended deny ip host 192.168.0.254 host 1.1.1.1
This is the default action when Dynamic NAT is configured for an interface and not an address pool.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
If Dynamic NAT uses a different IP address a Land Attack is logged unless an ACL denies it first.
global (outside) 1 1.1.1.1 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
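As an added example that is not part of the thread: a small triage script in the spirit of the OP's method, which reads ASA capture lines and syslog lines, flags a 106017 event as a NAT-hairpin false positive when the capture shows an inside host sending to the firewall's own global NAT address, and prints the per-host ACL the OP used. The addresses are the thread's; the capture and syslog samples (including the 106023 ACL-deny line) are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the thread: the global NAT address from
# "global (outside) 1 1.1.1.1", the inside subnet from "nat (inside) 1 ...",
# a few ASA capture lines and two syslog lines (the 106023 line is a
# constructed example of what the explicit ACL deny looks like).
NAT_GLOBAL = ip_address("1.1.1.1")
INSIDE_NET = ip_network("192.168.0.0/24")

CAPTURE = """\
192.168.0.100:52000 > 1.1.1.1:28000: udp 28
192.168.0.100 > 1.1.1.1: icmp: echo request
192.168.0.100:41000 > 203.0.113.9:80: tcp 40
"""
SYSLOG = """\
%ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
%ASA-4-106023: Deny tcp src inside:192.168.0.254/51000 dst outside:1.1.1.1/80 by access-group "inside_access_in"
"""

CAP_RE = re.compile(r"^(\d+(?:\.\d+){3})(?::\d+)? > (\d+(?:\.\d+){3})(?::\d+)?")
LAND_RE = re.compile(r"106017: Deny IP due to Land Attack from (\S+) to (\S+)")

def inside_hosts_hitting_nat(capture):
    """Inside hosts the capture shows sending to the ASA's own global NAT address."""
    hosts = set()
    for line in capture.splitlines():
        m = CAP_RE.match(line)
        if m and ip_address(m.group(1)) in INSIDE_NET and ip_address(m.group(2)) == NAT_GLOBAL:
            hosts.add(m.group(1))
    return sorted(hosts)

def classify_land_events(syslog, capture):
    """For each 106017 event return (src, verdict, explaining_hosts).
    'nat-hairpin': src and dst are the NAT address and the capture shows an
    inside host talking to it (the thread's false positive); else 'investigate'."""
    culprits = inside_hosts_hitting_nat(capture)
    events = []
    for line in syslog.splitlines():
        m = LAND_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        if src == dst == str(NAT_GLOBAL) and culprits:
            events.append((src, "nat-hairpin", culprits))
        else:
            events.append((src, "investigate", []))
    return events

def suggested_acl(host, acl="inside_access_in"):
    """The explicit deny the OP used, so the hairpin logs as an ACL deny rather than 106017."""
    return f"access-list {acl} extended deny ip host {host} host {NAT_GLOBAL}"
```

A 106017 whose source and destination are not the NAT address, or that no inside-to-NAT-address capture traffic explains, stays marked "investigate" and should be treated as Cisco's recommended action describes.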
05-19-2012 08:23 AM
What if I want to allow my server apps to access resources on its own public IP?
Can I specific the server IP as a "safe" IP to prevent the "Deny IP due to Land Attack" ?
I currently get the following messages in ASDM Syslog Messages:
No translation group found for tcp src inside:10.0.0.1/SOMENUMBER dst outside:IP_NUMBER/80
followed by
Deny IP due to Land Attack from IP_NUMBER to IP_NUMBER