Solved

Deny IP due to Land Attack

Posted on 2009-05-14
9
12,935 Views
Last Modified: 2013-11-05
I've been seeing this in my syslog from my Cisco ASA 5520.

%ASA-2-106017: Deny IP due to Land Attack from 216.x.x.10 to 216.x.x.10.

This is our outside global IP address. Why is my ASA reporting and blocking this.  We just installed a new Cisco ACE load balancer, and it seems that these have been increasing in the last week since we installed it.

Is there anything I can do to allow all this traffic through? Because I was looking at one of the service policy's on my ACE for load balancing HTTP traffic and i see alot of dropped connections, and I'm not sure if the ASA is causing the drops.

class: HTTP_Class
      loadbalance:
        L7 loadbalance policy: HTTP_Class
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 496       , hit count        : 422286    
        dropped conns    : 1235      
        client pkt count : 6513058   , client byte count: 1164321881          
        server pkt count : 9363507   , server byte count: 10079163107        
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0  

Any thoughts?

0
Comment
Question by:ngaba
  • 5
  • 3
9 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24391510
A land attack is when a packet contains the same IP address as the source and destination.  This is an invalid connection and the ASA is dropping it appropriately.  This is most likely occurring because something is trying to connect to the outside IP and is being PAT'd to the outside IP hence the same source and destination.  This type of connectivity won't ever work.  I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it.  This is coming from the inside of the ASA.  Is ACE doing a health check to the public PAT IP on the ASA?
0
 
LVL 2

Author Comment

by:ngaba
ID: 24396295
I do have the health probes, but this has been happening before I even installed the ACE. I just recently started seeing more of these in the syslog.

"I would try to figure out what is trying to connect to your public IP from the inside and either stop it or just let the ASA continue to reject it."

How can  i do this? show accounting?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24396980
You can do a packet capture on the ASA and use an access-list to key in on the 216.x.x.10 IP as the destination or you can try adding an access-list to the inside interface that permits and logs traffic to the 216.x.x.10 IP but then permits all other traffic.

access-list inside_access_in extended permit ip any host 216.x.x.10 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

Or look at your monitoring servers (if you have them) to determine if anything is monitoring that IP.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24397181
Actually, looks like as long as you are syslogging off messages (informational), you can search your syslog file for the ASA and search for "looping-address" which appears as a connection teardown.  It includes the real inside IP address involved in the Land Attack.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 2

Author Comment

by:ngaba
ID: 24412929
So would i change the buffered log to informational and wait for another land attack to happen and see whats in there?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24412988
You really can't use the buffer since it rolls over way to frequently but you can try.  Using a syslog server would make things much easier.
0
 
LVL 2

Author Comment

by:ngaba
ID: 24483925
Whats the best way to do this? Turn the syslogging up to informational and wait til another land attack happens?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24484867
Yes, correct.  Once one occurs, search your syslog file for "looping-address".
0
 

Expert Comment

by:amith_roy1
ID: 25120069
hostname(config)# ip verify reverse-path interface interface_name

Try this, It may help you.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
This video discusses moving either the default database or any database to a new volume.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now