Land Attack

Hi,

We have a lot of messages about Land attacks on our ASA (5540) firewall:
"
ASA-2-106017: Deny IP due to Land Attack from A.B.C.149 to A.B.C.149
...
"
A.B.C.149 is the public IP address for about 32 local IPs that are PATed to it.

Proxy ARP is enabled on outside and two inside interfaces. Topology is attached.

Sincerely
Salmanian
[Attachment: Top.png]

Zolfaghar Salmanian (Network Expert) asked:
John commented:
I think there is a chance it is the Proxy ARP doing it.  

In your diagram, there appears to be a loop.  

If an ARP request is received by X.Y.Z.2, it will be retransmitted on 172.50.0.25 AND 172.50.0.17.

You have a device that looks like a switch in your diagram called RAS which is linked to 172.50.0.17 and via the core switch to 172.50.0.25.

This could see a packet come in via X.Y.Z.2 which presumably is the A.B.C.146 in the log snippet, go out on either 172.50.0.17 or 172.50.0.25 and come back on the other one.  

In this case the ASA is both the source and the destination = Land Attack resulting in the log entry.
 
John commented:
What is the question?
 
JustInCase commented:
A Land attack is an attack in which the source and destination IP address are the same. Source and destination IP address can't be the same, if you think about it - the recipient of the traffic would have to send the return traffic to itself. So, if there is traffic with the same source and destination address, it is malicious traffic and it should be dropped.
 
John commented:
I agree with Pregrag.  However, I don't know what you are asking us.
 
Zolfaghar Salmanian (Network Expert, Author) commented:
I want to know whether this is a real attack or whether it may be caused by proxy ARP being enabled on the interfaces. I think it cannot be a real attack because most of the PATed addresses appear in such messages. If it is because of proxy ARP, how can I solve it (disabling proxy ARP prevents local traffic from going out)?

I really appreciate your concern.

Regards
 
John commented:
Really to see this, you need to look at the traffic.  

Which interface is the traffic coming from?  Can you sniff that segment with wireshark?  

If it is a local attack, you will see traffic from another MAC address with source address A.B.C.149.  

If not, you may see it routed from somewhere external (for example, by sniffing a monitor port on the switch labelled "Switch with SFP").

If you sniff packets without the MAC address of A.B.C.149 in the ethernet frame, then it is definitely coming from somewhere external and is either an attack or some convoluted mis-configuration.  This would be an attack too.  

If you are thorough and can find neither, then I would suggest it is not an attack.  

When you get looking, it could throw up some more subtleties, but this is where I would start.

On another note, I am a little confused by the need for proxy arp.  

I'd use proxy arp if I needed to send L2 traffic across the firewall.  

It looks from your diagram as if the firewall is routing, which is layer 3.  On the protected side, the subnet is 175.50.0.0.  I get this because on the 'public' side, it is labelled X.Y.Z.0 which suggests another subnet.  

You only ARP if it is local (layer 2) to get a MAC address from another segment.  

I am assuming that A.B.C.149 is really X.Y.Z.149?
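One way to carry out the sniff-and-classify check John describes above, as an added example that is not from the thread: decode captured Ethernet II / IPv4 frames, pick out the ones whose source and destination IP are identical (the Land condition the ASA is logging), and sort them by Ethernet source MAC into three buckets: our own frame came back (consistent with a layer-2 loop or proxy-ARP reflection), the frame was handed to us by the ISP router (routed in from outside), or some other station on the segment is sourcing frames with our IP (local). All addresses, MACs and the four-frame capture are constructed placeholders (RFC 5737 documentation ranges); in practice you would read frames from a pcap and substitute the real ASA outside MAC and ISP router MAC, which is assumed here rather than taken from the thread.

```python
import struct
from collections import Counter

# Constructed sample data. The addresses and MACs below are placeholders
# (RFC 5737 documentation ranges), not values from the thread.
PUBLIC_IP = "203.0.113.149"           # stands in for the PATed address A.B.C.149
ASA_MAC = "00:11:22:33:44:01"         # assumed MAC of the ASA outside interface
ISP_ROUTER_MAC = "00:11:22:33:44:ff"  # assumed MAC of the ISP router on the SFP switch
OTHER_HOST_MAC = "00:11:22:33:44:77"  # assumed MAC of some other station on that segment
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, payload=b""):
    """Build a minimal Ethernet II + IPv4 (protocol 6) frame with no IP options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def parse_frame(frame):
    """Decode the Ethernet II and IPv4 headers; returns None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return {
        "src_mac": mac_str(frame[6:12]), "dst_mac": mac_str(frame[:6]),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "ttl": ip[8], "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }


def is_land_packet(pkt):
    """A Land packet carries the same IP address as source and destination."""
    return pkt["src_ip"] == pkt["dst_ip"]


def classify_land_source(pkt, our_mac, upstream_macs):
    """Use the Ethernet source MAC to say where a Land frame entered the segment."""
    if pkt["src_mac"] == our_mac:
        return "loop"        # our own frame came back: layer-2 loop / proxy-ARP reflection
    if pkt["src_mac"] in upstream_macs:
        return "external"    # handed to us by the ISP router, i.e. routed in from outside
    return "local"           # another station on the segment is sourcing frames with our IP


def triage(frames, our_ip, our_mac, upstream_macs):
    """Count Land frames carrying our_ip by where they came from."""
    verdicts = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or not is_land_packet(pkt) or pkt["src_ip"] != our_ip:
            continue
        verdicts[classify_land_source(pkt, our_mac, upstream_macs)] += 1
    return verdicts


# Constructed capture: one ordinary inbound reply, then one Land frame of each kind.
SAMPLE_CAPTURE = [
    build_frame(ISP_ROUTER_MAC, ASA_MAC, "198.51.100.7", PUBLIC_IP),
    build_frame(ASA_MAC, ASA_MAC, PUBLIC_IP, PUBLIC_IP, ttl=63),
    build_frame(ISP_ROUTER_MAC, ASA_MAC, PUBLIC_IP, PUBLIC_IP, ttl=50),
    build_frame(OTHER_HOST_MAC, ASA_MAC, PUBLIC_IP, PUBLIC_IP, ttl=128),
]

if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_CAPTURE, PUBLIC_IP, ASA_MAC, {ISP_ROUTER_MAC}).items()):
        print(f"{kind:8s} {n}")
```

The "loop" bucket is the one John's theory predicts: if the ASA's own outside MAC is the Ethernet source of the offending frames, the firewall is seeing its own transmissions return, and the TTL being one less than what the ASA sends is a further hint that the packet has been forwarded once on the way round. A "local" bucket with a consistent foreign MAC points at a station on the SFP switch segment, and "external" means the ISP is delivering it and the fix belongs upstream.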
 
JustInCase commented:
A packet with the same source and destination is a malicious packet. It may be the result of misconfiguration, however it is still malicious traffic that can/will cause problems for the destination host. Best case scenario - CPU usage will increase; worst case scenario - denial of service.
 
atlas_shuddered (Sr. Network Engineer) commented:
What is the interface and directionality of the traffic?  LAN - In/Out, WAN - In/Out?
 
Zolfaghar Salmanian (Network Expert, Author) commented:
Dear atlas_shuddered,
This ASA connects our LAN to the Internet, having two interfaces for inside purposes (with different security levels) and one outside interface that connects to a switch with an SFP module, to which the ISP is also connected.
 
atlas_shuddered (Sr. Network Engineer) commented:
Okay, are you seeing the errors on the inside or outside interface and in which direction are you seeing those hits?
 
John commented:
What is the 'RAS' device?
 
Zolfaghar Salmanian (Network Expert, Author) commented:
The errors appear on the outside interface, and the source and destination addresses are the same (the PATed address of the Internet users).
The RAS device is a MikroTik 1036CCR.
 
atlas_shuddered (Sr. Network Engineer) commented:
But are the packets inbound from the Internet or outbound to it?
 
Zolfaghar Salmanian (Network Expert, Author) commented:
Sorry for my late reply!
It seems that it is inbound from the Internet, but I am really able to recognize it from the syslog messages.

Regards
 
John commented:
This is a Land attack.  I think my suggestion was the only real suggestion as to how this attack came around, other posts either defined what a LAND attack was or asked for more information.  

I stand by my assessment based upon limited information available that it is a layer 2 loop causing this.