Land Attack - web server

iholdings
Level 1

Greetings,

We have a web server on our inside network behind our ASA that's "talking" to itself from its internal IP to its NAT IP:

1: 14:09:02.316344 172.16.0.166.51676 > 1.2.3.4.80: S 818099150:818099150(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

2: 14:09:05.318953 172.16.0.166.51676 > 1.2.3.4.80: S 818099150:818099150(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

The vendor is attempting to allow an external session the ability to download a PDF file from the server - and the Land Attack block is preventing that from occurring.

The web server vendor is insisting that this should be allowed. I'm not in agreement, but I don't know enough about this issue to argue that point.

If this needs to be allowed, is there a way to do so on the ASA?

Thanks.

3 Replies

Marcin Latosiewicz
Cisco Employee

Please check with "show capture NAME detail" what MAC addresses are indicated as source and destination. This looks to me like a packet looping and not a typical LAND attack.

Note that on the TCP level it's the SAME exact packet, based on ISN 818099150.

Marcin

Hi Marcin,

Here are the sho cap details:

Result of the command: "sh cap capi detail | in 1.2.3.4"

   1: 13:58:40.390192 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192 (DF) (ttl 127, id 27965)
   2: 13:58:43.390833 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192 (DF) (ttl 127, id 27966)
   3: 13:58:49.391825 0022.5560.3601 0013.c480.5e0b 0x0800 62: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192 (DF) (ttl 127, id 27973)

I guess this shows the same MAC for both source and destination?

Thanks.
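As an added example (not from the thread or from Cisco), a small Python parser for the "show capture NAME detail" lines above that performs the two checks Marcin asked for: whether source and destination MAC match (a forwarding loop) and whether the repeated SYNs carry one ISN, then distinguishes a host retransmitting the same SYN (fresh IP id each time, TTL unchanged) from a looped copy of a single datagram. The NAT mapping 1.2.3.4 to 172.16.0.166 is an assumption taken from the post's description of the server talking to its own NAT IP; it makes the `land` flag mirror the post-NAT comparison the firewall makes.

```python
import re
from collections import defaultdict

# One line of ASA "show capture NAME detail" output, in the layout posted above.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>[\d:.]+)\s+(?P<smac>[0-9a-f.]+)\s+(?P<dmac>[0-9a-f.]+)\s+"
    r"0x0800\s+\d+:\s+(?P<sip>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dip>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)\s+\[tcp sum ok\]\s+(?P<isn>\d+):\d+\(\d+\).*\(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)
# Constructed sample: the three lines from the "sh cap capi detail" output in the thread.
SAMPLE = """\
   1: 13:58:40.390192 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192 (DF) (ttl 127, id 27965)
   2: 13:58:43.390833 0022.5560.3601 0013.c480.5e0b 0x0800 66: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192 (DF) (ttl 127, id 27966)
   3: 13:58:49.391825 0022.5560.3601 0013.c480.5e0b 0x0800 62: 172.16.0.166.56581 > 1.2.3.4.80: S [tcp sum ok] 2272504169:2272504169(0) win 8192 (DF) (ttl 127, id 27973)
"""

def parse_capture(text):
    """Parse capture lines into dicts; lines in another format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            for k in ("idx", "sport", "dport", "isn", "ttl", "ipid"):
                p[k] = int(p[k])
            pkts.append(p)
    return pkts

def classify_syns(pkts, nat_map=None):
    """Group pure SYNs by 5-tuple + ISN and label each group.
    nat_map (assumed, e.g. {"1.2.3.4": "172.16.0.166"}) un-translates a static-NAT
    address so 'land' reflects what the firewall compares after NAT."""
    nat_map = nat_map or {}
    groups = defaultdict(list)
    for p in pkts:
        if p["flags"] == "S":  # SYN without ACK
            groups[(p["sip"], p["sport"], p["dip"], p["dport"], p["isn"])].append(p)
    out = {}
    for key, ps in groups.items():
        ttls, ipids = [p["ttl"] for p in ps], [p["ipid"] for p in ps]
        if len(ps) > 1 and len(set(ipids)) == 1:
            pattern = "loop"        # one datagram re-forwarded: the IP id never changes
        elif len(set(ttls)) == 1 and ipids == sorted(set(ipids)):
            pattern = "retransmit" if len(ps) > 1 else "single"  # host re-sent it: fresh IP id, TTL untouched
        else:
            pattern = "unknown"
        out[key] = {"copies": len(ps), "pattern": pattern,
                    "land": nat_map.get(key[2], key[2]) == key[0],       # src == un-NATed dst
                    "same_mac": any(p["smac"] == p["dmac"] for p in ps)}  # Marcin's loop check
    return out
```

On the posted lines this reports three copies of one SYN with differing MACs, an IP id that advances on each copy and an unchanged TTL, i.e. the host itself retransmitting toward its own translated address.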

Indeed, the same source and destination MAC address shows that the packet is not looping.

What's the message exactly in the ASA logs, and if you could put things in perspective (topology etc.)? The IP addresses involved don't make much sense to me.

In any case, there is no way to disable the LAND attack check in code, but there were instances where it was printed out without need.

Vide:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl96584

Marcin
