Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1455
  • Last Modified:

Cisco ASA5510 - LAND ATTACK

I want to know if there is anything else I should be doing to mitigate against a Denial of Service Attack that I am currently experiencing.  I have a customer whose network was very slow.  I got into the ASA5510 and saw it was being hammered.  Over 50,000 connections to some of my static NAT's.  I was losing 2 out of every 4 pings to the ASA because it was so overloaded.  I set a per connection client limit on the addresses being targeting on my network, which seems to have  mitigated the problem, but now I'm constantly seeing messages that that per-client connection has been exceeded, as well as a message stating "Deny IP due to Land Attack from x.x.x.136 to x.x.x.136."  Source and destination are the same.  I called my ISP, but I got an email stating that it may take them awhile to investigate due to the amount of abuse emails they receive.  Is there anything else I can do to stop the attack?
0
denver218
Asked:
denver218
3 Solutions
 
rharland2009Commented:
https://supportforums.cisco.com/docs/DOC-14318

This is a decent rundown of why you may be seeing these.
Is the IP address mentioned in the Land Attack one of yours, or one you're not familiar with?
0
 
denver218Author Commented:
It's one of my Addresses in my public IP block
0
 
naderzCommented:
Do you have IPS enabled? If so, try disabling that and test. You may be experiencing false positives.
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
asavenerCommented:
If you access any of your internal/published resources via their public IP addresses, then the LAND attack notifications are likely due to that.
0
 
denver218Author Commented:
Thanks for all your comments.  It was DoS attack, the ASA was doing its job blocking all the traffic, but I had to report it to the ISP so they could put an ACL on their side to stop the traffic.  It was coming in at such high rates, that I had to get the ISP involved.  The ISP saw it right away and was able to take care of it.  Thanks.
0
 
denver218Author Commented:
Thanks.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now