12-13-2010 06:01 AM - edited 03-11-2019 12:21 PM
Hello,
I was flooded with the following message:
ASA-session-2-106017: Deny IP due to Land Attack from IP1 to IP1.
I was receiving it for approx 6 min. IP1 is my global outside address. I'm running ASA 5510. Does it mean that someone was spoofing my global out address? Is there a way to find out where this traffic was really coming from?
thank you,
forman
Solved! Go to Solution.
12-15-2010 08:21 AM
This is not related to the Land attack.
The 2 last syslogs could be normal after a connection teardown.
The first is someone trying to do Microsoft SMB protocol from the outside. Not sure what it is.
Please start a new thread for this messages that are unrelated to the Land Attack and mark this thread as answered if the Land issue is answered.
PK
12-13-2010 12:06 PM
Hi Forman,
Yes, this could indicate a spoofing attack. You can try to setup a packet capture on outside interface to help understand what the traffic is, but you would likely not see where exactly it is coming from. You would need to note the source MAC address and trace it back upstream, repeating the captures hop by hop to try and find the source. The MAC address could be spoofed as well though.
Also double check your NAT configuration to make sure that there is not a misconfiguration that would create these packets. If IP1 is your interface IP address, this is probably not the case but also check to make sure there is not another device on the network with a duplicate IP.
Hope that helps.
-Mike
12-14-2010 08:33 AM
Thank you Mike, IP1 is not my interface IP, it is the public IP address used for PAT. I got some more notifications today, so I don't want to take a risk if there is something I could do to prevent this. What do you think?
I can eliminate configuration as a problem, because there were no changes made and I have not encounter this issue before. Thanks again for your help.
forman
12-14-2010 12:02 PM
Can you post your "sh run nat", "sh run static", "sh run global", "show run same-security"?
This looks like a routing/natting issue where the ASA sees a packet, nats it and sends it back on the outside and it makes it back to the ASA.
PK
12-14-2010 12:18 PM
Hi PK,
I had u-turn enabled, which was part of an old project. I disabled it and also removed one NAT which was part of the same set up. I'm wondering if this could cause the problem. It was weird config: VPN tunnel with U-turn where the remote subnet was using routable IP addresses instead of private. Let me look into the log files and see if there was traffic going to the these subnet.
Thank you.
12-14-2010 12:23 PM
It could.
Imagine source x hitting your outside destined to y. If the ASA has a translation and u-turning enabled and translates x to y and sends it back out then the packet is going to be routed back and hit the ASA looking sourced and destined to y (Land attack). I suspect that was the root cause of your issue, without knowing all the specifics.
Let us know if that answers your question.
PK
12-15-2010 06:45 AM
Well, my issue escalated, I'm beeing bombarded with tons of the following syslog messages:
%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 200.x.x.x/61215 flags SYN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 200.x.x.x/48385 flags FIN ACK on interface outside
Someone is trying to get past firewall and hit our NATd servers on different ports, I see traffic being blocked from various IPs all over the world (spoofed most likely?). I got my ISP involved. Not sure what else to do. Any ideas?
thanks
12-15-2010 08:21 AM
This is not related to the Land attack.
The 2 last syslogs could be normal after a connection teardown.
The first is someone trying to do Microsoft SMB protocol from the outside. Not sure what it is.
Please start a new thread for this messages that are unrelated to the Land Attack and mark this thread as answered if the Land issue is answered.
PK
10-14-2019 12:07 PM
You are right. I have faced the same issue, because of NAT misconfig. Thank you.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide