Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
658
Views
0
Helpful
2
Replies

Denied land attacks

dsmithacg
Level 1
Level 1

‎05-06-2009 04:58 AM - edited ‎03-11-2019 08:28 AM

Hi All,

Within our 6500 we're seeing the following error messages being recorded by the FWSM syslog:

%FWSM-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 2.3.4.x

I understand through my research that typically the land attacks have the same source and destination IP and ports, but these do not. We receive the message 2-6 times a minute and the destination IP *always* varies (source always remains the same) across lan segments, not just individual IPs within the 2.3.4.x segment.

Ideally I'd like to get the MAC address for the source, but nothing seems to be found in ARP tables and such. I've also attempted to run a capture on the raw-data and asp-drop to no avail. It doesn't record the packets for further review.

What else can I do to track down where this is coming from? I know the FWSM is doing its job by denying it, but I need to know if its coming from our private network and who the troublesome host is in general.

Thank you kindly for any assistance you can provide. I'm fresh out of ideas...

--Dave

Labels:
0 Helpful
2 Replies 2

htarra
Level 4
Level 4

‎05-12-2009 03:44 AM

Explanation for the error message - The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action - If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

Also PIX dropping the packets that are suspected to form an attack, so the PIX is protecting your network from the attack but it won't stop the source of this traffic from generating these packets.

Check the IP address of the ouside vlan interface.

0 Helpful

r-currier
Level 1
Level 1
In response to htarra

‎08-14-2009 11:58 AM

I am seeing the same log entry on my PIX firewall. But the traffic is coming from inside my network. The log follows:

%PIX-2-106017: Deny IP due to Land Attack from 65.65.65.65 to 65.65.65.65

I want to debug the ip flow to it's ingress point into the network. But I'm not having much luck as show ip cef commands don't seem to provide any useful data. I remember CAT-OS having some flow debugging capability via the show ip mls flow commands. Does the 6500 or 7600 running fairly recent IOS have the capability of debugging the flows from ingress to egress interface?

I appreciate your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card