12-13-2010 06:01 AM - edited 03-11-2019 12:21 PM
Hello,
I was flooded with the following message:
ASA-session-2-106017: Deny IP due to Land Attack from IP1 to IP1.
I was receiving it for approx 6 min. IP1 is my global outside address. I'm running ASA 5510. Does it mean that someone was spoofing my global out address? Is there a way to find out where this traffic was really coming from?
thank you,
forman
12-13-2010 12:06 PM
Hi Forman,
Yes, this could indicate a spoofing attack. You can try to set up a packet capture on the outside interface to help understand what the traffic is, but you would likely not see where exactly it is coming from. You would need to note the source MAC address and trace it back upstream, repeating the captures hop by hop to try and find the source. The MAC address could be spoofed as well though.
Also double check your NAT configuration to make sure that there is not a misconfiguration that would create these packets. If IP1 is your interface IP address, this is probably not the case but also check to make sure there is not another device on the network with a duplicate IP.
Hope that helps.
-Mike
12-14-2010 08:33 AM
Thank you Mike, IP1 is not my interface IP, it is the public IP address used for PAT. I got some more notifications today, so I don't want to take a risk if there is something I could do to prevent this. What do you think?
I can eliminate configuration as a problem, because there were no changes made and I have not encountered this issue before. Thanks again for your help.
forman
12-14-2010 12:02 PM
Can you post your "sh run nat", "sh run static", "sh run global", "show run same-security"?
This looks like a routing/natting issue where the ASA sees a packet, nats it and sends it back on the outside and it makes it back to the ASA.
PK
12-14-2010 12:18 PM
Hi PK,
I had u-turn enabled, which was part of an old project. I disabled it and also removed one NAT which was part of the same setup. I'm wondering if this could cause the problem. It was a weird config: a VPN tunnel with U-turn where the remote subnet was using routable IP addresses instead of private ones. Let me look into the log files and see if there was traffic going to this subnet.
Thank you.
12-14-2010 12:23 PM
It could.
Imagine source x hitting your outside destined to y. If the ASA has a translation and u-turning enabled and translates x to y and sends it back out then the packet is going to be routed back and hit the ASA looking sourced and destined to y (Land attack). I suspect that was the root cause of your issue, without knowing all the specifics.
Let us know if that answers your question.
PK
12-15-2010 06:45 AM
Well, my issue escalated, I'm being bombarded with tons of the following syslog messages:
%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 200.x.x.x/61215 flags SYN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 200.x.x.x/48385 flags FIN ACK on interface outside
Someone is trying to get past the firewall and hit our NATd servers on different ports, I see traffic being blocked from various IPs all over the world (spoofed most likely?). I got my ISP involved. Not sure what else to do. Any ideas?
thanks
12-15-2010 08:21 AM
This is not related to the Land attack.
The last 2 syslogs could be normal after a connection teardown.
The first is someone trying to do Microsoft SMB protocol from the outside. Not sure what it is.
Please start a new thread for these messages that are unrelated to the Land Attack and mark this thread as answered if the Land issue is answered.
PK
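The triage reasoning in this thread (a 106017 with identical source and destination points at NAT/u-turn before spoofing; a bare-SYN 106001 is an unsolicited inbound attempt; SYN ACK / FIN ACK denies are usually late replies after a teardown) written up as a small Python log classifier. This is an added example, not code from the thread or from Cisco; the sample lines are constructed to match the quoted messages, and 203.0.113.10 is a placeholder for the masked 200.x.x.x address.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the messages quoted in this thread;
# 203.0.113.10 stands in for the poster's PAT address (masked as 200.x.x.x above).
SAMPLE_LOGS = """\
%ASA-session-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
%ASA-session-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 203.0.113.10/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 203.0.113.10/61215 flags SYN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 203.0.113.10/48385 flags FIN ACK on interface outside
"""

# Both the "%ASA-2-..." and "%ASA-session-2-..." header forms are accepted.
LAND_RE = re.compile(r"%ASA-(?:\w+-)?\d-106017: Deny IP due to Land Attack from (\S+) to (\S+)")
DENY_RE = re.compile(r"%ASA-(?:\w+-)?\d-106001: Inbound TCP connection denied from "
                     r"(\S+)/(\d+) to (\S+)/(\d+) flags ([A-Z ]+?) on interface (\S+)")

def parse_line(line):
    """Return a dict for a 106017 or 106001 message, or None for anything else."""
    m = LAND_RE.search(line)
    if m:
        return {"msg": "106017", "src": m.group(1), "dst": m.group(2)}
    m = DENY_RE.search(line)
    if m:
        return {"msg": "106001", "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(3), "dport": int(m.group(4)),
                "flags": m.group(5).split(), "iface": m.group(6)}
    return None

def classify(ev):
    """Apply the thread's reasoning: identical src/dst on 106017 means check NAT/u-turn
    before assuming spoofing; a bare SYN on 106001 is an unsolicited inbound attempt;
    ACK-bearing flags (SYN ACK, FIN ACK) are usually late replies after a teardown."""
    if ev["msg"] == "106017":
        return "land_check_nat" if ev["src"] == ev["dst"] else "land_other"
    if ev["flags"] == ["SYN"]:
        return "inbound_probe"
    if "ACK" in ev["flags"]:
        return "stale_return"
    return "other_deny"

def summarize(text):
    """Count the event classes found in a block of syslog text."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[classify(ev)] += 1
    return counts
```

A burst of "land_check_nat" with the PAT address on both sides is the pattern PK describes, so review `show run nat` / `show run static` and any u-turn settings before escalating it as spoofing.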
10-14-2019 12:07 PM
You are right. I have faced the same issue, because of NAT misconfig. Thank you.