06-27-2014 02:22 AM - edited 07-05-2021 01:07 AM
Hi,
I have a Cisco 5520 ASA running version 8.4. We are getting the logs below on our firewall continuously. This started after upgrading it to 8.4 from 8.2.
NLDCF2-Ext : %ASA-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x
where x.x.x.x is the PAT IP address used by clients to reach the internet through the outside interface.
The CPU utilisation is also crossing 90% (not sure if it is related to this).
When I run a capture, I see the source address as public addresses and the destination address as x.x.x.x, and these packets are egressing the outside interface. So this seems to be a packet spoofing attack as well.
Can anyone help resolve this issue? Can it be related to the high CPU utilisation?
06-30-2014 03:23 AM
CSCtr93086 ASA Failover: 106017 Deny IP due to Land Attack
It's a bug; please update to the patched version.
Known Affected Releases: (2)
07-01-2014 03:29 AM
The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action: If this message persists, an attack might be in progress. The packet does not provide enough information to determine where the attack originates.
%PIX|ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
Explanation
An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your security appliance.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface. If it is configured on the outside, then the security appliance checks packets arriving from the outside.
The security appliance looks up a route based on the source address. If an entry is not found and a route is not defined, then this system log message appears and the connection is dropped.
If there is a route, the security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing.
If the security appliance is configured on an internal interface, it checks static route command statements or RIP. If the source address is not found, then an internal user is spoofing their address.
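As an added example (not from this thread or from Cisco), a small Python parser that classifies the two message IDs quoted above over constructed sample syslog lines and counts, separately, the 106017 events whose source is one of the firewall's own PAT addresses, which is the situation the original poster describes; the PAT address list and the sample lines are assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Patterns for the two ASA message IDs discussed in this thread.
LAND_RE = re.compile(
    r"%ASA-2-106017: Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)")
RPF_RE = re.compile(
    r"%ASA-1-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)")

def parse_line(line: str) -> Optional[Tuple[str, str, str, Optional[str]]]:
    """Return (msg_id, src, dst, interface), or None for untracked message IDs."""
    m = LAND_RE.search(line)
    if m:
        return ("106017", m.group("src"), m.group("dst"), None)
    m = RPF_RE.search(line)
    if m:
        return ("106021", m.group("src"), m.group("dst"), m.group("ifc"))
    return None

def summarize(lines: Iterable[str], pat_addrs: Iterable[str]) -> Dict[str, object]:
    """Count events per (msg_id, src, dst, ifc) plus 106017 events sourced from our PAT."""
    pat = set(pat_addrs)
    counts: Counter = Counter()
    pat_as_source = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec] += 1
        # The firewall's own PAT address appearing as the "attacker" right after an
        # 8.2 -> 8.4 upgrade is what the reply attributes to bug CSCtr93086 rather
        # than external spoofing, so it is tracked as a separate signal for triage.
        if rec[0] == "106017" and rec[1] in pat:
            pat_as_source += 1
    return {"counts": dict(counts), "pat_as_source": pat_as_source}

# Constructed sample lines (documentation addresses, not real traffic); the PAT
# address 203.0.113.10 is an assumption standing in for the poster's x.x.x.x.
SAMPLE_LOGS = [
    "NLDCF2-Ext : %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "NLDCF2-Ext : %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "NLDCF2-Ext : %ASA-1-106021: Deny tcp reverse path check from 10.0.0.5 to 198.51.100.7 on interface outside",
    "NLDCF2-Ext : %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, ["203.0.113.10"]))
```

A steady stream of 106017 events with only the PAT address as source, and no matching 106021 reverse-path denials from outside hosts, is the pattern to compare against the bug report before treating the logs as an external attack.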