Cisco ASA5510 - LAND ATTACK

I want to know if there is anything else I should be doing to mitigate against a Denial of Service Attack that I am currently experiencing.  I have a customer whose network was very slow.  I got into the ASA5510 and saw it was being hammered.  Over 50,000 connections to some of my static NAT's.  I was losing 2 out of every 4 pings to the ASA because it was so overloaded.  I set a per connection client limit on the addresses being targeting on my network, which seems to have  mitigated the problem, but now I'm constantly seeing messages that that per-client connection has been exceeded, as well as a message stating "Deny IP due to Land Attack from x.x.x.136 to x.x.x.136."  Source and destination are the same.  I called my ISP, but I got an email stating that it may take them awhile to investigate due to the amount of abuse emails they receive.  Is there anything else I can do to stop the attack?
LVL 4
denver218Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
rharland2009Connect With a Mentor Commented:
https://supportforums.cisco.com/docs/DOC-14318

This is a decent rundown of why you may be seeing these.
Is the IP address mentioned in the Land Attack one of yours, or one you're not familiar with?
0
 
denver218Author Commented:
It's one of my Addresses in my public IP block
0
 
naderzConnect With a Mentor Commented:
Do you have IPS enabled? If so, try disabling that and test. You may be experiencing false positives.
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

 
asavenerConnect With a Mentor Commented:
If you access any of your internal/published resources via their public IP addresses, then the LAND attack notifications are likely due to that.
0
 
denver218Author Commented:
Thanks for all your comments.  It was DoS attack, the ASA was doing its job blocking all the traffic, but I had to report it to the ISP so they could put an ACL on their side to stop the traffic.  It was coming in at such high rates, that I had to get the ISP involved.  The ISP saw it right away and was able to take care of it.  Thanks.
0
 
denver218Author Commented:
Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.