Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 14253
  • Last Modified:

Deny IP due to Land Attack

I've been seeing this in my syslog from my Cisco ASA 5520.

%ASA-2-106017: Deny IP due to Land Attack from 216.x.x.10 to 216.x.x.10.

This is our outside global IP address. Why is my ASA reporting and blocking this.  We just installed a new Cisco ACE load balancer, and it seems that these have been increasing in the last week since we installed it.

Is there anything I can do to allow all this traffic through? Because I was looking at one of the service policy's on my ACE for load balancing HTTP traffic and i see alot of dropped connections, and I'm not sure if the ASA is causing the drops.

class: HTTP_Class
      loadbalance:
        L7 loadbalance policy: HTTP_Class
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 496       , hit count        : 422286    
        dropped conns    : 1235      
        client pkt count : 6513058   , client byte count: 1164321881          
        server pkt count : 9363507   , server byte count: 10079163107        
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0  

Any thoughts?

0
ngaba
Asked:
ngaba
  • 5
  • 3
1 Solution
 
JFrederick29Commented:
A land attack is when a packet contains the same IP address as the source and destination.  This is an invalid connection and the ASA is dropping it appropriately.  This is most likely occurring because something is trying to connect to the outside IP and is being PAT'd to the outside IP hence the same source and destination.  This type of connectivity won't ever work.  I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it.  This is coming from the inside of the ASA.  Is ACE doing a health check to the public PAT IP on the ASA?
0
 
ngabaAuthor Commented:
I do have the health probes, but this has been happening before I even installed the ACE. I just recently started seeing more of these in the syslog.

"I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it."

How can  i do this? show accounting?
0
 
JFrederick29Commented:
You can do a packet capture on the ASA and use an access-list to key in on the 216.x.x.10 IP as the destination or you can try adding an access-list to the inside interface that permits and logs traffic to the 216.x.x.10 IP but then permits all other traffic.

access-list inside_access_in extended permit ip any host 216.x.x.10 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

Or look at your monitoring servers (if you have them) to determine if anything is monitoring that IP.
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
JFrederick29Commented:
Actually, looks like as long as you are syslogging off messages (informational), you can search your syslog file for the ASA and search for "looping-address" which appears as a connection teardown.  It includes the real inside IP address involved in the Land Attack.
0
 
ngabaAuthor Commented:
So would i change the buffered log to informational and wait for another land attack to happen and see whats in there?
0
 
JFrederick29Commented:
You really can't use the buffer since it rolls over way to frequently but you can try.  Using a syslog server would make things much easier.
0
 
ngabaAuthor Commented:
Whats the best way to do this? Turn the syslogging up to informational and wait til another land attack happens?
0
 
JFrederick29Commented:
Yes, correct.  Once one occurs, search your syslog file for "looping-address".
0
 
amith_roy1Commented:
hostname(config)# ip verify reverse-path interface interface_name

Try this, It may help you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now