Denied land attacks

Unanswered Question
May 6th, 2009

Hi All,

Within our 6500 we're seeing the following error messages being recorded by the FWSM syslog:

%FWSM-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 2.3.4.x

I understand through my research that typically the land attacks have the same source and destination IP and ports, but these do not. We receive the message 2-6 times a minute and the destination IP *always* varies (source always remains the same) across lan segments, not just individual IPs within the 2.3.4.x segment.

Ideally I'd like to get the MAC address for the source, but nothing seems to be found in ARP tables and such. I've also attempted to run a capture on the raw-data and asp-drop to no avail. It doesn't record the packets for further review.

What else can I do to track down where this is coming from? I know the FWSM is doing its job by denying it, but I need to know if its coming from our private network and who the troublesome host is in general.

Thank you kindly for any assistance you can provide. I'm fresh out of ideas...

--Dave

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
htarra Tue, 05/12/2009 - 03:44

Explanation for the error message - The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action - If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

Also PIX dropping the packets that are suspected to form an attack, so the PIX is protecting your network from the attack but it won't stop the source of this traffic from generating these packets.

Check the IP address of the ouside vlan interface.

r-currier Fri, 08/14/2009 - 11:58

I am seeing the same log entry on my PIX firewall. But the traffic is coming from inside my network. The log follows:

%PIX-2-106017: Deny IP due to Land Attack from 65.65.65.65 to 65.65.65.65

I want to debug the ip flow to it's ingress point into the network. But I'm not having much luck as show ip cef commands don't seem to provide any useful data. I remember CAT-OS having some flow debugging capability via the show ip mls flow commands. Does the 6500 or 7600 running fairly recent IOS have the capability of debugging the flows from ingress to egress interface?

I appreciate your help.

Actions

This Discussion