Syslog ASA-2-106017 - Land Attack

Unanswered Question
Jan 29th, 2009

I came across this syslog message while troubleshooting an access issue and real-time log viewing. This syslog message looks serious, but how and what do you do?

Syslog ASA-2-106017 : Deny IP due to Land Attack from IP_address to IP_address.

The land attack lists the IP addresses to be my outside global address. That is the address I use for internet traffic!

Not sure how to treat this issue?


Syed Iftekhar Ahmed Fri, 01/30/2009 - 00:58

This message appears when you have enabled Unicast RPF.

Even though an attack is in progress, if this feature is enabled, no user action is required. The Cisco ASA repels the attack.


highmiles2 Fri, 01/30/2009 - 07:04

Hi Syed,

I did not enable Unicast RPF.

Is this feature enabled by default?

How does the ASA repel the attack?

Any recommended reading about this on Cisco?



zbigniewkozyra Fri, 01/30/2009 - 18:51

I have the same issue on my ASA just source and destination IP are

I posted this issue here and got a reply from someone with the following explanation:

"Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination."

You can read about land.c on Cisco web:
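
A way to triage these drops from a saved log, as an added example that is not part of the thread: it pulls every 106017 line, keeps those where source and destination match (the land pattern quoted above), and counts them per address. The log lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Message text as quoted in the thread, with the %ASA- tag the firewall prepends.
LAND_RE = re.compile(
    r"%ASA-2-106017\s*:\s*Deny IP due to Land Attack from (\S+) to (\S+)")

# Constructed sample lines using documentation addresses, not real log data.
SAMPLE_LOG = """\
Jan 29 2009 10:15:02: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Jan 29 2009 10:15:02: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
Jan 29 2009 10:15:09: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10.
Jan 29 2009 10:16:40: %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.44 to 192.0.2.44
Jan 29 2009 10:16:41: %ASA-2-106017: Deny IP due to Land Attack from bogus to bogus
"""


def parse_land_events(log_text):
    """Return (src, dst) address pairs for every well-formed 106017 line."""
    events = []
    for line in log_text.splitlines():
        m = LAND_RE.search(line)
        if not m:
            continue
        try:
            # Tolerate a trailing period after the address field.
            src = ip_address(m.group(1).rstrip("."))
            dst = ip_address(m.group(2).rstrip("."))
        except ValueError:
            continue  # malformed address field: skip instead of crashing
        events.append((src, dst))
    return events


def summarize(events, own_addresses):
    """Count land-pattern drops per address and mark the firewall's own IPs."""
    own = {ip_address(a) for a in own_addresses}
    counts = Counter(src for src, dst in events if src == dst)
    return {str(ip): {"count": n, "own_address": ip in own}
            for ip, n in counts.items()}


if __name__ == "__main__":
    # 203.0.113.10 stands in for the outside global address (assumption).
    report = summarize(parse_land_events(SAMPLE_LOG), ["203.0.113.10"])
    for ip, info in report.items():
        print(ip, info)
```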


highmiles2 Mon, 02/09/2009 - 12:01

...I checked the advisory, and it is 12 years old.....that is way too old....

