Ideas for diagnosing land-attack

snowmizer
Level 1

We are getting "Deny IP due to land attack" messages on our ASA approximately every 5 minutes. I have done some diagnostic work and have found the "looping-address" record associated with this attack. From that it appears that the problem is happening from the NAT IP address for our domain controller on our DMZ interface to the private IP for this same domain controller on our inside interface. The looping address shows:

Deny IP due to land attack from 172.a.b.c to 172.a.b.c

the Teardown connection for the looping-address shows:

Teardown TCP connection 123456 for DMZ:172.a.b.c/389 to inside:10.b.c.d/60000

To me this looks like the LDAP port is being used. What I haven't been able to find yet is what is causing this. I've run Wireshark on one of our DMZ servers and looked for the traffic causing this but haven't found anything. We even tried shutting down the servers on the DMZ one at a time to see if the message would disappear. So far nothing has worked.

At this point I'm out of ideas. Can anyone give me some pointers on where else I can look for this issue? You'll save my sanity if you can help me figure this out.

Thanks.
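A small parser for the two ASA message shapes quoted in the post, added here as an example and not code from the original thread or from Cisco: it flags denies whose source and destination addresses are identical (the land-attack signature) and pulls the interface and port that teardown records attribute to that same address, which tells you where to capture. The sample lines, addresses and connection ids are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape the post quotes; addresses and
# connection ids are placeholders, not values from any real device.
SAMPLE_LOG = """\
Deny IP due to land attack from 172.16.5.10 to 172.16.5.10
Teardown TCP connection 123456 for DMZ:172.16.5.10/389 to inside:10.1.2.3/60000
Teardown TCP connection 123457 for DMZ:172.16.5.10/389 to inside:10.1.2.3/60001
Teardown TCP connection 123458 for outside:203.0.113.7/443 to inside:10.1.2.9/50001
Deny IP due to land attack from 172.16.5.10 to 172.16.5.10
"""

LAND_RE = re.compile(r"Deny IP due to land attack from (\S+) to (\S+)", re.I)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) for (\w+):([^\s/]+)/(\d+) to (\w+):([^\s/]+)/(\d+)"
)


def parse(log_text):
    """Split raw syslog text into (src, dst) land denies and TCP teardown dicts."""
    land, teardowns = [], []
    for line in log_text.splitlines():
        m = LAND_RE.search(line)
        if m:
            land.append((m.group(1), m.group(2)))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            conn, s_if, s_ip, s_port, d_if, d_ip, d_port = m.groups()
            teardowns.append({"conn": int(conn),
                              "src": (s_if, s_ip, int(s_port)),
                              "dst": (d_if, d_ip, int(d_port))})
    return land, teardowns


def looping_addresses(log_text):
    """Return {ip: count} for denies whose source equals destination."""
    land, _ = parse(log_text)
    return Counter(src for src, dst in land if src == dst)


def correlate(log_text):
    """Map each looping address to the (interface, port) pairs seen in
    teardown records, e.g. ('DMZ', 389) points at LDAP on the DMZ side."""
    land, teardowns = parse(log_text)
    hits = defaultdict(set)
    for ip in looping_addresses(log_text):
        for t in teardowns:
            for iface, addr, port in (t["src"], t["dst"]):
                if addr == ip:
                    hits[ip].add((iface, port))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}
```

Feed it the output of a syslog export (or `show logging`) and the correlated interface/port is where a capture on the adjacent host is most likely to show the originating client.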

2 Replies

paolo bevilacqua
Hall of Fame

Try updating the ASA, it has many bugs also.

ASA is running 8.4(1). After posting this I continued to look at the problem. Put Wireshark on the DC and was able to figure it out. Turns out the originator was one of our domain controllers sending LDAP requests to the NAT address from our DMZ. A couple of weeks ago we put a new server into production on our DMZ. The problem started at this time. Turns out that at some point the person doing the upgrade put a host file on this DC with the same info that was in the host file on the new DMZ server. Created more problems than just the land attack. Caused problems with our log management systems receiving logs from the DMZ servers.

Anyway problem is fixed. Hopefully this can help someone else if they run across a similar issue.

Thanks.
