Solved

Deny IP due to Land Attack

Posted on 2009-05-14
13,286 Views
Last Modified: 2013-11-05
I've been seeing this in my syslog from my Cisco ASA 5520.

%ASA-2-106017: Deny IP due to Land Attack from 216.x.x.10 to 216.x.x.10.

This is our outside global IP address. Why is my ASA reporting and blocking this?  We just installed a new Cisco ACE load balancer, and it seems that these have been increasing in the last week since we installed it.

Is there anything I can do to allow all this traffic through? Because I was looking at one of the service policies on my ACE for load balancing HTTP traffic and I see a lot of dropped connections, and I'm not sure if the ASA is causing the drops.

class: HTTP_Class
      loadbalance:
        L7 loadbalance policy: HTTP_Class
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 496       , hit count        : 422286    
        dropped conns    : 1235      
        client pkt count : 6513058   , client byte count: 1164321881          
        server pkt count : 9363507   , server byte count: 10079163107        
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0  

Any thoughts?

Question by:ngaba
9 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24391510
A land attack is when a packet contains the same IP address as the source and destination.  This is an invalid connection and the ASA is dropping it appropriately.  This is most likely occurring because something is trying to connect to the outside IP and is being PAT'd to the outside IP hence the same source and destination.  This type of connectivity won't ever work.  I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it.  This is coming from the inside of the ASA.  Is ACE doing a health check to the public PAT IP on the ASA?
 
LVL 2

Author Comment

by:ngaba
ID: 24396295
I do have the health probes, but this has been happening before I even installed the ACE. I just recently started seeing more of these in the syslog.

"I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it."

How can I do this? show accounting?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396980
You can do a packet capture on the ASA and use an access-list to key in on the 216.x.x.10 IP as the destination or you can try adding an access-list to the inside interface that permits and logs traffic to the 216.x.x.10 IP but then permits all other traffic.

access-list inside_access_in extended permit ip any host 216.x.x.10 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

Or look at your monitoring servers (if you have them) to determine if anything is monitoring that IP.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397181
Actually, looks like as long as you are syslogging off messages (informational), you can search your syslog file for the ASA and search for "looping-address" which appears as a connection teardown.  It includes the real inside IP address involved in the Land Attack.
 
LVL 2

Author Comment

by:ngaba
ID: 24412929
So would I change the buffered log to informational and wait for another land attack to happen and see what's in there?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24412988
You really can't use the buffer since it rolls over way too frequently, but you can try.  Using a syslog server would make things much easier.
 
LVL 2

Author Comment

by:ngaba
ID: 24483925
What's the best way to do this? Turn the syslogging up to informational and wait till another land attack happens?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24484867
Yes, correct.  Once one occurs, search your syslog file for "looping-address".
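As an added example (not code from any of the posts above), the following Python script does the log search JFrederick29 describes in the two comments above: it pulls the address out of every %ASA-2-106017 land-attack deny, confirms that source and destination really are identical, then looks for informational teardown lines whose reason is "looping-address" to recover the real inside host, and tallies the two together per public address. The syslog lines embedded in it are constructed for illustration, with 203.0.113.10 standing in for the 216.x.x.10 of the question; the teardown message layout and the exact "looping-address" wording are assumptions that should be checked against your own ASA's output before trusting the counts.

```python
"""Find the inside host behind ASA "Deny IP due to Land Attack" messages.

Added example for this thread, not code from the original posts. The ASA
syslog lines in SAMPLE_LOG are CONSTRUCTED: they follow the general layout
of %ASA-2-106017 (land-attack deny) and %ASA-6-302014 (TCP teardown with a
trailing reason), with 203.0.113.10 standing in for the 216.x.x.10 of the
question. The exact wording of the "looping-address" teardown may differ
between ASA releases, so verify the regular expressions against your own
logging output (level 6, informational, must be enabled for the teardowns
to be logged at all).
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
May 14 2009 10:02:11 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
May 14 2009 10:02:11 fw01 %ASA-6-302014: Teardown TCP connection 8811 for outside:203.0.113.10/80 to inside:10.10.5.23/51511 duration 0:00:00 bytes 0 looping-address
May 14 2009 10:02:15 fw01 %ASA-6-302013: Built outbound TCP connection 8812 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.10.5.40/40021 (203.0.113.10/40021)
May 14 2009 10:02:40 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
May 14 2009 10:02:40 fw01 %ASA-6-302014: Teardown TCP connection 8815 for outside:203.0.113.10/80 to inside:10.10.5.23/51512 duration 0:00:00 bytes 0 looping-address
May 14 2009 10:03:02 fw01 %ASA-6-302014: Teardown TCP connection 8812 for outside:198.51.100.7/443 to inside:10.10.5.40/40021 duration 0:00:47 bytes 1200 TCP FINs
May 14 2009 10:05:09 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
May 14 2009 10:05:09 fw01 %ASA-6-302014: Teardown TCP connection 8830 for outside:203.0.113.10/80 to inside:10.10.5.77/33107 duration 0:00:00 bytes 0 looping-address
"""

# %ASA-2-106017 names only the (identical) source and destination address.
LAND_RE = re.compile(
    r"%ASA-2-106017: Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)

# %ASA-6-302014 (TCP) / 302016 (UDP) teardown: two interface:ip/port pairs,
# duration, byte count, then the teardown reason at the end of the line.
TEARDOWN_RE = re.compile(
    r"%ASA-6-3020(?:14|16): Teardown (?:TCP|UDP) connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/\d+ to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration \S+ bytes \d+ (?P<reason>.+?)\s*$"
)


def land_attack_denies(log_text):
    """Return the address from every 106017 line, keeping only lines where
    source and destination are identical (the land-attack condition)."""
    addrs = []
    for line in log_text.splitlines():
        m = LAND_RE.search(line)
        if m and m["src"] == m["dst"]:
            addrs.append(m["src"])
    return addrs


def looping_address_sources(log_text):
    """Map each address seen as the far end of a 'looping-address' teardown
    to a Counter of the interface:ip that originated the flow.

    The deny itself shows the public IP on both ends; the teardown is where
    the real (pre-NAT) inside address survives."""
    sources = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m and m["reason"] == "looping-address":
            sources[m["ip_a"]][f"{m['if_b']}:{m['ip_b']}"] += 1
    return sources


def suspects(log_text):
    """For every address in a land-attack deny, list the inside hosts that
    the looping-address teardowns attribute to it, with counts."""
    denies = Counter(land_attack_denies(log_text))
    sources = looping_address_sources(log_text)
    return {
        addr: {"denies": n, "inside_hosts": dict(sources.get(addr, {}))}
        for addr, n in denies.items()
    }


if __name__ == "__main__":
    for addr, info in suspects(SAMPLE_LOG).items():
        print(f"{addr}: {info['denies']} land-attack denies")
        for host, n in sorted(info["inside_hosts"].items(), key=lambda kv: -kv[1]):
            print(f"  {host}  ({n} looping-address teardowns)")
```

To use it on a real export, pass the file contents to suspects() instead of SAMPLE_LOG. Any inside host that shows up is a candidate for the monitoring or health-probe traffic suspected earlier in the thread; if the ACE is probing the VIP's public address through the ASA, its inside address is what you would expect to see listed.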
 

Expert Comment

by:amith_roy1
ID: 25120069
hostname(config)# ip verify reverse-path interface interface_name

Try this; it may help you.
