Land Attack

Hi,

We have a lot of messages about land attack in our ASA (5540) firewall:
"
ASA-2-106017: Deny IP due to Land Attack from A.B.C.149 to A.B.C.149
...
"
A.B.C.149 is the public IP address for about 32 local IPs that are PATed to it.

Proxy ARP is enabled on outside and two inside interfaces. Topology is attached.

Sincerely
Salmanian
Top.png
Zolfaghar Salmanian (Network Expert) asked:

John commented:
What is the question?
1
JustInCase commented:
A Land attack is an attack in which the source and destination IP addresses are the same. Source and destination IP address can't be the same, if you think about it: the recipient of the traffic should forward return traffic to itself. So, if there is traffic with the same source and destination address, it is malicious traffic and it should be dropped.
1
John commented:
I agree with Pregrag.  However, I don't know what you are asking us.
0

Zolfaghar Salmanian (Network Expert, author) commented:
I want to know if there is a real attack or if it may be caused by the proxy ARP that is enabled on the interfaces. I think that it cannot be a real attack because most of the PATed addresses appear in such messages. If it is because of proxy ARP, how can I solve it (disabling proxy ARP prevents local traffic from going out)?

I really appreciate your concern.

Regards
0
John commented:
Really, to see this, you need to look at the traffic.

Which interface is the traffic coming from?  Can you sniff that segment with wireshark?  

If it is a local attack, you will see traffic from another MAC address with source address A.B.C.149.  

If not, you may see it routed from somewhere external (for example, sniffing a monitor port on the switch labelled "Switch with SFP")

If you sniff packets without the MAC address of A.B.C.149 in the ethernet frame, then it is definitely coming from somewhere external and is either an attack or some convoluted mis-configuration.  This would be an attack too.  

If you are thorough and can find neither, then I would suggest it is not an attack.  

When you get looking, it could throw up some more subtleties, but this is where I would start.

On another note, I am a little confused by the need for proxy arp.  

I'd use proxy arp if I needed to send L2 traffic across the firewall.  

It looks from your diagram as if the firewall is routing, which is layer 3.  On the protected side, the subnet is 175.50.0.0.  I get this because on the 'public' side, it is labelled X.Y.Z.0 which suggests another subnet.  

You only ARP if it is local (layer 2) to get a MAC address from another segment.  

I am assuming that A.B.C.149 is really X.Y.Z.149?
0
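One way to do the capture triage John describes (is the frame carrying the land packet sent from the ASA's own MAC, or from some other station?), written as an added example and not code from any participant. The ASA MAC, the public IP standing in for A.B.C.149 and the "captured" frames are constructed placeholders; a real Wireshark capture would be read with a pcap library instead of being built inline.

```python
import struct
from dataclasses import dataclass

# Constructed placeholders: the ASA outside-interface MAC and the PATed public IP (A.B.C.149).
ASA_OUTSIDE_MAC = "00:11:22:33:44:55"
PUBLIC_IP = "203.0.113.149"

@dataclass
class Finding:
    src_mac: str
    src_ip: str
    verdict: str  # "looped": the ASA's own frame came back; "external": another sender
def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)
def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def classify_frame(frame: bytes, own_mac: str):
    """Return a Finding when the frame is a land packet (IPv4 src == dst), else None."""
    if len(frame) < 34:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:  # only IPv4 is inspected here
        return None
    src_ip, dst_ip = _ip(frame[26:30]), _ip(frame[30:34])
    if src_ip != dst_ip:
        return None  # ordinary traffic, not what 106017 reports
    src_mac = _mac(src)
    # Same MAC as the ASA: our own frame returned over a second path (L2 loop / proxy ARP).
    # Any other MAC: forged locally or routed in from outside, i.e. a genuine Land attack.
    return Finding(src_mac, src_ip, "looped" if src_mac == own_mac.lower() else "external")

def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Construct a minimal Ethernet + IPv4 header (checksum left zero) for testing."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip4

def triage(frames, own_mac: str = ASA_OUTSIDE_MAC):
    """Keep only land packets, tagged with where they appear to originate."""
    return [f for f in (classify_frame(fr, own_mac) for fr in frames) if f is not None]

def sample_capture():
    """Constructed frames standing in for a Wireshark capture of the outside segment."""
    return [
        build_frame(ASA_OUTSIDE_MAC, "aa:bb:cc:dd:ee:01", PUBLIC_IP, "198.51.100.7"),  # normal outbound
        build_frame(ASA_OUTSIDE_MAC, "aa:bb:cc:dd:ee:01", PUBLIC_IP, PUBLIC_IP),       # loop: ours, came back
        build_frame("de:ad:be:ef:00:01", ASA_OUTSIDE_MAC, PUBLIC_IP, PUBLIC_IP),       # forged elsewhere
    ]
```

A capture where every land packet is tagged "looped" points at the topology (the second inside path John discusses); any "external" hit is a frame the ASA never sent and deserves the attack reading.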
JustInCase commented:
A packet with the same source and destination is a malicious packet. It may be the result of misconfiguration; however, it is still malicious traffic that can/will cause problems for the destination host. Best case scenario, CPU usage will increase; worst case scenario, denial of service.
0
John commented:
I think there is a chance it is the Proxy ARP doing it.  

In your diagram, there appears to be a loop.  

If an ARP request is received by X.Y.Z.2, it will be retransmitted on 172.50.0.25 AND 172.50.0.17.

You have a device that looks like a switch in your diagram called RAS, which is linked to 172.50.0.17 and via the core switch to 172.50.0.25.

This could see a packet come in via X.Y.Z.2 which presumably is the A.B.C.146 in the log snippet, go out on either 172.50.0.17 or 172.50.0.25 and come back on the other one.  

In this case the ASA is both the source and the destination = Land Attack, resulting in the log entry.
0

atlas_shuddered (Sr. Network Engineer) commented:
What is the interface and directionality of the traffic?  LAN - In/Out, WAN - In/Out?
0
Zolfaghar Salmanian (Network Expert, author) commented:
Dear atlas_shuddered,
This ASA connects our LAN to the Internet, having two interfaces for inside purposes (with different security levels) and one outside interface that connects to a switch with an SFP module, to which the ISP is also connected.
0
atlas_shuddered (Sr. Network Engineer) commented:
Okay, are you seeing the errors on the inside or outside interface and in which direction are you seeing those hits?
0
John commented:
What is the 'RAS' device?
0
Zolfaghar Salmanian (Network Expert, author) commented:
The errors appear on the outside interface, and the source and destination addresses are the same (the PATed address of Internet users).
The RAS device is a MikroTik 1036CCR.
0
atlas_shuddered (Sr. Network Engineer) commented:
But are the packets inbound from the Internet or outbound to it?
0
Zolfaghar Salmanian (Network Expert, author) commented:
Sorry for my late reply!
It seems that it is inbound from the Internet, but I am really able to recognize it from the syslog messages.

Regards
0
John commented:
This is a Land attack.  I think my suggestion was the only real suggestion as to how this attack came around, other posts either defined what a LAND attack was or asked for more information.  

I stand by my assessment based upon limited information available that it is a layer 2 loop causing this.
0