ASA-session-2-106017: Deny IP due to Land Attack from IP1 to IP1

forman102
Level 1

Hello,

I was flooded with the following message:

ASA-session-2-106017: Deny IP due to Land Attack from IP1 to IP1.

I was receiving it for approx. 6 min. IP1 is my global outside address. I'm running an ASA 5510. Does it mean that someone was spoofing my global outside address? Is there a way to find out where this traffic was really coming from?

thank you,

forman


8 Replies

mirober2
Cisco Employee

Hi Forman,

Yes, this could indicate a spoofing attack. You can try to set up a packet capture on the outside interface to help understand what the traffic is, but you would likely not see where exactly it is coming from. You would need to note the source MAC address and trace it back upstream, repeating the captures hop by hop to try to find the source. The MAC address could be spoofed as well, though.

Also double check your NAT configuration to make sure that there is not a misconfiguration that would create these packets. If IP1 is your interface IP address, this is probably not the case but also check to make sure there is not another device on the network with a duplicate IP.

Hope that helps.

-Mike

Thank you Mike, IP1 is not my interface IP, it is the public IP address used for PAT. I got some more notifications today, so I don't want to take a risk if there is something I could do to prevent this. What do you think?

I can eliminate configuration as a problem, because there were no changes made and I have not encountered this issue before. Thanks again for your help.

forman

Can you post your "sh run nat", "sh run static", "sh run global", "show run same-security"?

This looks like a routing/natting issue where the ASA sees a packet, nats it and sends it back on the outside and it makes it back to the ASA.

PK

Hi PK,

I had u-turn enabled, which was part of an old project. I disabled it and also removed one NAT which was part of the same setup. I'm wondering if this could cause the problem. It was a weird config: a VPN tunnel with u-turn where the remote subnet was using routable IP addresses instead of private ones. Let me look into the log files and see if there was traffic going to these subnets.

Thank you.

It could.

Imagine source x hitting your outside destined to y. If the ASA has a translation and u-turning enabled and translates x to y and sends it back out then the packet is going to be routed back and hit the ASA looking sourced and destined to y (Land attack). I suspect that was the root cause of your issue, without knowing all the specifics.

Let us know if that answers your question.

PK

Well, my issue escalated, I'm being bombarded with tons of the following syslog messages:

%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 200.x.x.x/445 flags SYN  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 200.x.x.x/61215 flags SYN ACK  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 200.x.x.x/48385 flags FIN ACK  on interface outside

Someone is trying to get past the firewall and hit our NATed servers on different ports, I see traffic being blocked from various IPs all over the world (spoofed most likely?). I got my ISP involved. Not sure what else to do. Any ideas?

thanks

This is not related to the Land attack.

The 2 last syslogs could be normal after a connection teardown.

The first is someone trying to do Microsoft SMB protocol from the outside. Not sure what it is.

Please start a new thread for these messages that are unrelated to the Land Attack and mark this thread as answered if the Land issue is answered.

PK
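To make PK's two points concrete (106017 fires when a packet arrives with source equal to destination, and the 106001 lines with SYN ACK / FIN ACK from a server port look like late replies to already-torn-down sessions, while the bare SYN to 445 is a fresh inbound SMB attempt), here is a small triage script. It is an added example, not Cisco code and not the poster's configuration. Assumptions that are mine: the message layouts follow the lines quoted in this thread, the prefix is accepted with or without the "session" class name, the SERVICE_PORTS labels and the classification rules are this example's own heuristics, and the sample log is constructed, with the elided 200.x.x.x PAT address replaced by a documentation address.

```python
"""Triage helper for the two ASA syslog types quoted in this thread (added example)."""
import re
from collections import Counter

# Accepts both "%ASA-2-106017" and the "%ASA-session-2-106017" form quoted above.
HEADER = re.compile(r"%ASA-(?:[a-z]+-)?(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LAND = re.compile(rf"Deny IP due to Land Attack from (?P<src>{IP}) to (?P<dst>{IP})")
DENIED = re.compile(
    rf"Inbound (?P<proto>TCP|UDP) connection denied from (?P<src>{IP})/(?P<sport>\d+) "
    rf"to (?P<dst>{IP})/(?P<dport>\d+)(?: flags (?P<flags>[A-Z ]+?))?\s+on interface (?P<iface>\S+)"
)

# Ports worth naming when they show up as probe targets (this example's own list).
SERVICE_PORTS = {445: "SMB/445", 139: "NetBIOS/139", 3389: "RDP/3389", 22: "SSH/22"}

# Constructed sample log. The probing source addresses are the ones quoted in the
# thread; the elided "200.x.x.x" PAT address is replaced by 203.0.113.10
# (RFC 5737 documentation space) so the sample is self-contained.
SAMPLE_LOG = """\
%ASA-session-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
%ASA-session-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 203.0.113.10/445 flags SYN  on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 203.0.113.10/61215 flags SYN ACK  on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 203.0.113.10/48385 flags FIN ACK  on interface outside
"""


def parse_line(line):
    """Return a dict describing one syslog line, or None for anything not handled."""
    m = HEADER.search(line)
    if not m:
        return None
    msgid, body = m.group("msgid"), m.group("body")

    if msgid == "106017":
        lm = LAND.search(body)
        if not lm:
            return None
        src, dst = lm.group("src"), lm.group("dst")
        # 106017 fires exactly when source == destination; anything else means the
        # line does not say what we think it says and needs a human look.
        return {"msgid": msgid, "src": src, "dst": dst,
                "verdict": "land" if src == dst else "review"}

    if msgid == "106001":
        d = DENIED.search(body)
        if not d:
            return None
        flags = set((d.group("flags") or "").split())
        sport, dport = int(d.group("sport")), int(d.group("dport"))
        if "SYN" in flags and "ACK" not in flags:
            # A bare SYN from outside is a fresh, unsolicited connection attempt.
            verdict = "unsolicited_probe"
        elif flags & {"ACK", "FIN", "RST"} and sport < 1024 and dport >= 1024:
            # ACK/FIN/RST from a server port back to an ephemeral port is the shape of
            # a late reply to a session the ASA has already torn down, not a new attack.
            verdict = "stale_reply"
        else:
            verdict = "review"
        return {"msgid": msgid, "src": d.group("src"), "sport": sport,
                "dst": d.group("dst"), "dport": dport, "flags": sorted(flags),
                "iface": d.group("iface"), "verdict": verdict,
                "service": SERVICE_PORTS.get(dport, f"tcp/{dport}")}
    return None


def triage(log_text):
    """Parse a syslog dump and summarise what actually needs attention."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    summary = {
        "verdicts": Counter(e["verdict"] for e in events),
        # Land hits per address: in this thread every one carried the PAT address.
        "land_addresses": Counter(e["src"] for e in events if e["verdict"] == "land"),
        "probed_services": Counter(e["service"] for e in events
                                   if e["verdict"] == "unsolicited_probe"),
    }
    return events, summary


if __name__ == "__main__":
    _, summary = triage(SAMPLE_LOG)
    for key, counter in summary.items():
        print(key, dict(counter))
```

Running it over the sample gives two "land" hits on the PAT address, one "unsolicited_probe" (SMB/445) and two "stale_reply" events, which is the split PK describes. The stale-reply rule is a heuristic: a source that deliberately sends ACK-only packets from port 80 or 443 would also match it, so "stale_reply" means "low priority", not "ignore".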

You are right. I have faced the same issue, because of a NAT misconfig. Thank you.
