ASA Land Attack - how does the system respond?

Feb 18th, 2009

Hope you can help

I have an ASA 5520 and was testing a VPN configuration using the packet tracer in ASDM. Due to a typo I simulated a land attack (i.e. same source and destination address). The ASA then blocked connections to some IP addresses (other services were fine) but nothing appeared in the logs at warning level after the Land Attack error.

My main question is what is the ASA's default response to this? Will the system reset the block and after how long? Anti-spoofing and basic security are enabled.

I fixed the fault with a reload but there must be a neater way to do this.

robertson.michael Wed, 02/18/2009 - 12:43

Hi Jim,


To the best of my knowledge, the default behavior of the ASA is that message ASA-2-106017 will be logged and the offending packet will be dropped. However, the ASA does not automatically shun the IP address to block any further traffic.


If you are using the threat detection feature in ASA 8.0, you can create a configuration such that a detected attacker IP address will be automatically shunned. If this feature is enabled, the attacker is shunned for 1 hour, though this value is also configurable.


Here is the configuration guide for threat detection:


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058270


Maybe someone else can chime in that has seen this happen before?


-Mike
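The configuration Mike refers to, written out as an added example (this is not from either poster, and the thread does not establish that a threat-detection shun was what blocked Jim's traffic). It also goes a little beyond the reply by showing how to exempt trusted hosts, how to make sure the 106017 message reaches a log you actually read, and the exec-mode commands for inspecting and clearing a shun without a reload. All IP addresses, masks and the interface name are placeholders.

```cisco
! Added example, not from the original thread. Addresses, masks and the
! interface name are hypothetical placeholders.
!
! Basic threat detection is on by default. It produces drop statistics and
! the per-drop syslogs (such as %ASA-2-106017: Deny IP due to Land Attack
! from a.b.c.d to a.b.c.d) but does not block anything on its own.
threat-detection basic-threat
!
! Scanning-threat detection with auto-shun: a host that crosses the scanning
! threshold is added to the shun list. Duration is in seconds; 3600 (1 hour)
! is the default and the accepted range is 10 to 2592000.
threat-detection scanning-threat shun duration 3600
!
! Exempt management hosts and the monitoring subnet so a misfire (for example
! a packet-tracer typo) cannot lock you out of the box.
threat-detection scanning-threat shun except ip-address 10.0.0.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.100.0 255.255.255.0
!
! Make sure critical (level 2) and warning (level 4) messages are retained
! in the buffer and forwarded to a syslog server, so the 106017 drop and any
! threat-detection shun messages are visible afterwards.
logging enable
logging buffered warnings
logging trap warnings
logging host inside 10.0.0.20
!
! Exec-mode commands (not configuration) for checking and undoing a shun:
!   show threat-detection shun              - hosts shunned by threat detection
!   show shun                               - all active shuns, manual included
!   clear threat-detection shun 10.0.0.99   - release one threat-detection shun
!   clear threat-detection shun             - release all of them
!   no shun 10.0.0.99                       - remove a manually entered shun
```

If a host is on the shun list, `show threat-detection shun` lists it and `clear threat-detection shun` removes it immediately; otherwise the shun expires on its own after the configured duration, so a reload is never required to recover from it.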

jimtaylorcisco Fri, 02/20/2009 - 01:06

Hi Mike

Thanks for that, I have been through most of this documentation but unfortunately doing a reload to get the full functionality back meant that I have been unable to trace the details of what happened or duplicate this issue. Thanks for your help though, if I do get a resolution I will post something here.

cheers, Jim
