Solved

Deny IP due to Land Attack

Posted on 2009-05-14
Last Modified: 2013-11-05
I've been seeing this in my syslog from my Cisco ASA 5520.

%ASA-2-106017: Deny IP due to Land Attack from 216.x.x.10 to 216.x.x.10.

This is our outside global IP address. Why is my ASA reporting and blocking this? We just installed a new Cisco ACE load balancer, and it seems that these have been increasing in the last week since we installed it.

Is there anything I can do to allow all this traffic through? Because I was looking at one of the service policies on my ACE for load balancing HTTP traffic and I see a lot of dropped connections, and I'm not sure if the ASA is causing the drops.

class: HTTP_Class
      loadbalance:
        L7 loadbalance policy: HTTP_Class
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 496       , hit count        : 422286    
        dropped conns    : 1235      
        client pkt count : 6513058   , client byte count: 1164321881          
        server pkt count : 9363507   , server byte count: 10079163107        
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0  

Any thoughts?

Question by:ngaba
9 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24391510
A land attack is when a packet contains the same IP address as the source and destination.  This is an invalid connection and the ASA is dropping it appropriately.  This is most likely occurring because something is trying to connect to the outside IP and is being PAT'd to the outside IP hence the same source and destination.  This type of connectivity won't ever work.  I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it.  This is coming from the inside of the ASA.  Is ACE doing a health check to the public PAT IP on the ASA?
0
 
LVL 2

Author Comment

by:ngaba
ID: 24396295
I do have the health probes, but this has been happening before I even installed the ACE. I just recently started seeing more of these in the syslog.

"I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it."

How can I do this? show accounting?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396980
You can do a packet capture on the ASA and use an access-list to key in on the 216.x.x.10 IP as the destination or you can try adding an access-list to the inside interface that permits and logs traffic to the 216.x.x.10 IP but then permits all other traffic.

access-list inside_access_in extended permit ip any host 216.x.x.10 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

Or look at your monitoring servers (if you have them) to determine if anything is monitoring that IP.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397181
Actually, looks like as long as you are syslogging off messages (informational), you can search your syslog file for the ASA and search for "looping-address" which appears as a connection teardown.  It includes the real inside IP address involved in the Land Attack.
0
 
LVL 2

Author Comment

by:ngaba
ID: 24412929
So would I change the buffered log to informational and wait for another land attack to happen and see what's in there?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24412988
You really can't use the buffer since it rolls over way too frequently, but you can try.  Using a syslog server would make things much easier.
0
 
LVL 2

Author Comment

by:ngaba
ID: 24483925
What's the best way to do this? Turn the syslogging up to informational and wait until another land attack happens?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24484867
Yes, correct.  Once one occurs, search your syslog file for "looping-address".
0
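The syslog search described in the comments above, as an added example that is not part of the original thread: it counts the 106017 denies and tallies which real inside hosts appear in "looping-address" teardowns. The sample lines are constructed, 203.0.113.10 stands in for the masked outside IP, and the teardown line layout is an assumption about how the message appears in your syslog file.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). 203.0.113.10 stands in for the
# masked outside global IP; the 302014 layout with a trailing "looping-address"
# reason is an assumption about how the teardown appears in the syslog file.
SAMPLE_LOG = """\
May 14 10:01:02 asa %ASA-6-302014: Teardown TCP connection 7001 for outside:203.0.113.10/80 to inside:10.1.1.25/51514 duration 0:00:00 bytes 0 looping-address
May 14 10:01:02 asa %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10.
May 14 10:01:09 asa %ASA-6-302014: Teardown TCP connection 7002 for outside:198.51.100.7/443 to inside:10.1.1.30/40000 duration 0:00:05 bytes 5120 TCP FINs
May 14 10:02:02 asa %ASA-6-302014: Teardown TCP connection 7003 for outside:203.0.113.10/80 to inside:10.1.1.25/51520 duration 0:00:00 bytes 0 looping-address
May 14 10:02:02 asa %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10.
May 14 10:03:15 asa %ASA-6-302014: Teardown TCP connection 7004 for outside:203.0.113.10/443 to inside:10.1.1.40/33012 duration 0:00:00 bytes 0 looping-address
May 14 10:03:15 asa %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10.
"""

# Teardown of a connection whose reason is "looping-address".
TEARDOWN = re.compile(
    r"Teardown \w+ connection \d+ for [\w-]+:(?P<ip1>[\d.]+)/(?P<p1>\d+)"
    r" to [\w-]+:(?P<ip2>[\d.]+)/(?P<p2>\d+) .*looping-address"
)
# The severity-2 deny that prompted the question.
LAND = re.compile(r"%ASA-2-106017: Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)")


def land_attack_sources(log_text, public_ip):
    """Return (number of 106017 denies, Counter{(inside_ip, public_port): hits})."""
    land = 0
    hosts = Counter()
    for line in log_text.splitlines():
        m = LAND.search(line)
        if m and m["src"] == m["dst"].rstrip(".") == public_ip:
            land += 1
            continue
        m = TEARDOWN.search(line)
        if not m:
            continue
        ends = [(m["ip1"], m["p1"]), (m["ip2"], m["p2"])]
        real = [e for e in ends if e[0] != public_ip]   # the real inside host
        pub = [e for e in ends if e[0] == public_ip]    # the PAT/outside address
        if len(real) == 1 and len(pub) == 1:
            hosts[(real[0][0], int(pub[0][1]))] += 1
    return land, hosts


if __name__ == "__main__":
    denies, hosts = land_attack_sources(SAMPLE_LOG, "203.0.113.10")
    print(f"{denies} land-attack denies")
    for (ip, port), n in hosts.most_common():
        print(f"{ip} -> public port {port}: {n} looping teardowns")
```

To run it against a real file, pass the file's contents and your own outside address instead of `SAMPLE_LOG`; informational (level 6) logging must be going to the syslog server for the teardown lines to be present.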
 

Expert Comment

by:amith_roy1
ID: 25120069
hostname(config)# ip verify reverse-path interface interface_name

Try this; it may help you.
0
