Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Deny IP due to Land Attack

Posted on 2009-05-14
9
Medium Priority
?
13,814 Views
Last Modified: 2013-11-05
I've been seeing this in my syslog from my Cisco ASA 5520.

%ASA-2-106017: Deny IP due to Land Attack from 216.x.x.10 to 216.x.x.10.

This is our outside global IP address. Why is my ASA reporting and blocking this.  We just installed a new Cisco ACE load balancer, and it seems that these have been increasing in the last week since we installed it.

Is there anything I can do to allow all this traffic through? Because I was looking at one of the service policy's on my ACE for load balancing HTTP traffic and i see alot of dropped connections, and I'm not sure if the ASA is causing the drops.

class: HTTP_Class
      loadbalance:
        L7 loadbalance policy: HTTP_Class
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 496       , hit count        : 422286    
        dropped conns    : 1235      
        client pkt count : 6513058   , client byte count: 1164321881          
        server pkt count : 9363507   , server byte count: 10079163107        
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0  

Any thoughts?

0
Comment
Question by:ngaba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24391510
A land attack is when a packet contains the same IP address as the source and destination.  This is an invalid connection and the ASA is dropping it appropriately.  This is most likely occurring because something is trying to connect to the outside IP and is being PAT'd to the outside IP hence the same source and destination.  This type of connectivity won't ever work.  I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it.  This is coming from the inside of the ASA.  Is ACE doing a health check to the public PAT IP on the ASA?
0
 
LVL 2

Author Comment

by:ngaba
ID: 24396295
I do have the health probes, but this has been happening before I even installed the ACE. I just recently started seeing more of these in the syslog.

"I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it."

How can  i do this? show accounting?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396980
You can do a packet capture on the ASA and use an access-list to key in on the 216.x.x.10 IP as the destination or you can try adding an access-list to the inside interface that permits and logs traffic to the 216.x.x.10 IP but then permits all other traffic.

access-list inside_access_in extended permit ip any host 216.x.x.10 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

Or look at your monitoring servers (if you have them) to determine if anything is monitoring that IP.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397181
Actually, looks like as long as you are syslogging off messages (informational), you can search your syslog file for the ASA and search for "looping-address" which appears as a connection teardown.  It includes the real inside IP address involved in the Land Attack.
0
 
LVL 2

Author Comment

by:ngaba
ID: 24412929
So would i change the buffered log to informational and wait for another land attack to happen and see whats in there?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24412988
You really can't use the buffer since it rolls over way to frequently but you can try.  Using a syslog server would make things much easier.
0
 
LVL 2

Author Comment

by:ngaba
ID: 24483925
Whats the best way to do this? Turn the syslogging up to informational and wait til another land attack happens?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24484867
Yes, correct.  Once one occurs, search your syslog file for "looping-address".
0
 

Expert Comment

by:amith_roy1
ID: 25120069
hostname(config)# ip verify reverse-path interface interface_name

Try this, It may help you.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question