Deny IP due to Land Attack

Answered Question
Mar 28th, 2011

Dear Team,

We are continuously getting logs created as below on the ASA 5510. I suspect something is going wrong (like the system is getting compromised?)

Note: I have changed the actual public IP to 1.1.1.1 for security reasons.

Log..

Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:21 124.153.100.44 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1

ASA 5510 config

#static (inside,outside) 1.1.1.1 192.168.1.20 netmask 255.255.255.255

#access-list 101 extended permit tcp any host 1.1.1.1 eq www
#access-list 101 extended permit tcp any host 1.1.1.1 eq https
#access-list 101 extended permit tcp any host 1.1.1.1 eq 3306
#access-list 101 extended permit tcp any host 1.1.1.1 range ftp-data ftp

#access-group 101 in interface outside

Please suggest.

Regards,

Narendra

Correct Answer
Paul Gilbert Arias Mon, 03/28/2011 - 05:56

Usually this log gets generated when traffic goes from inside and the destination is the translated IP of that same source IP. In this case the inside IP that you have on the static NAT could be trying to send traffic to the destination IP 1.1.1.1.

It is hard to prove it but you could try setting captures or checking if that inside host is really trying to send traffic to 1.1.1.1.

I hope this helps.

Sent from Cisco Technical Support iPhone App

k.narendranath Mon, 03/28/2011 - 22:37

Hi Paul Gilbert Arias,


Thanks for your update. Yes, I tried capturing this Deny IP land attack and found the output below.

CINBLR01-FLTR-FIREWALL-00001# sh capture test | in 1.1.1.1


    7: 10:54:19.279419 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
    9: 10:54:19.434395 192.168.1.20.58421 > 1.1.1.1: S 4219706084:4219706084(0) win 5840
   12: 10:54:19.743354 192.168.1.20.58415 > 1.1.1.1: S 4195822356:4195822356(0) win 5840
   19: 10:54:20.091380 192.168.1.20.58398 > 1.1.1.1: S 4152154284:4152154284(0) win 5840
   29: 10:54:20.675334 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
   30: 10:54:20.696329 192.168.1.20.58430 > 1.1.1.1: S 4232107974:4232107974(0) win 5840
   41: 10:54:21.570206 192.168.1.20.58432 > 1.1.1.1: S 4243239398:4243239398(0) win 5840
   67: 10:54:22.115213 192.168.1.20.58399 > 1.1.1.1: S 4154738690:4154738690(0) win 5840
   68: 10:54:22.118234 192.168.1.20.58434 > 1.1.1.1: S 4245150624:4245150624(0) win 5840
   69: 10:54:22.130196 192.168.1.20.58422 > 1.1.1.1: S 4230741684:4230741684(0) win 5840
   70: 10:54:22.322218 192.168.1.20.58423 > 1.1.1.1: S 4222242146:4222242146(0) win 5840
   81: 10:54:22.859132 192.168.1.20.58424 > 1.1.1.1: S 4222473306:4222473306(0) win 5840
  100: 10:54:23.564179 192.168.1.20.58435 > 1.1.1.1: S 4255863279:4255863279(0) win 5840
  102: 10:54:23.675059 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
  106: 10:54:23.815036 192.168.1.20.58416 > 1.1.1.1: S 4212967913:4212967913(0) win 5840
  126: 10:54:25.117974 192.168.1.20.58434 > 1.1.1.1: S 4245150624:4245150624(0) win 5840
  127: 10:54:25.145973 192.168.1.20.58428 > 1.1.1.1: S 4223944579:4223944579(0) win 5840
  128: 10:54:25.278977 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
  143: 10:54:26.563828 192.168.1.20.58435 > 1.1.1.1: S 4255863279:4255863279(0) win 5840
  144: 10:54:26.864853 192.168.1.20.58436 > 1.1.1.1: S 4252276886:4252276886(0) win 5840
  145: 10:54:26.998819 192.168.1.20.58417 > 1.1.1.1: S 4217570846:4217570846(0) win 5840
  154: 10:54:27.569748 192.168.1.20.58432 > 1.1.1.1: S 4243239398:4243239398(0) win 5840
  174: 10:54:28.849687 192.168.1.20.58429 > 1.1.1.1: S 4233349534:4233349534(0) win 5840
  181: 10:54:29.674601 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840


My only worry is this system getting compromised, or having been compromised, from either inside or outside.

Regards,

Narendra

Paul Gilbert Arias Tue, 03/29/2011 - 07:49

You applied the captures on the inside, correct?

On those captures you can see that the source is 192.168.1.20 and destination 1.1.1.1. That shows what I was telling you. The inside host 192.168.1.20 is trying to send traffic to its outside IP and the ASA doesn't allow that. The captures show SYN packets.

Check the inside host to find why it is trying to initiate traffic to its outside IP.
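
The diagnosis in this thread rests on three artifacts agreeing: the 106017 denies, the static NAT line, and the inside capture. The Python sketch below correlates them; it is an added example, not part of the original thread, its function names are hypothetical, and its sample input is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in this thread.
STATIC_NAT = "static (inside,outside) 1.1.1.1 192.168.1.20 netmask 255.255.255.255"
SYSLOG = """\
Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
"""
CAPTURE = """\
   7: 10:54:19.279419 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
   9: 10:54:19.434395 192.168.1.20.58421 > 1.1.1.1: S 4219706084:4219706084(0) win 5840
 128: 10:54:25.278977 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
NAT_RE = re.compile(rf"static \((\w+),(\w+)\) {IP} {IP} netmask 255\.255\.255\.255")
LAND_RE = re.compile(rf"%ASA-2-106017: Deny IP due to Land Attack from {IP} to {IP}")
CAP_RE = re.compile(rf"{IP}\.(\d+) > {IP}: S (\d+):")

def static_map(config):
    """Return {mapped_ip: real_ip} for host static NAT lines (syntax as in the thread)."""
    return {m.group(3): m.group(4) for m in NAT_RE.finditer(config)}

def explain_land_logs(config, syslog, capture):
    """Hypothetical helper: tie each 106017 address to its NAT host and captured SYNs."""
    nat = static_map(config)
    # Count denies where source and destination are the same address.
    land = Counter(m.group(1) for m in LAND_RE.finditer(syslog) if m.group(1) == m.group(2))
    findings = {}
    for mapped, hits in land.items():
        real = nat.get(mapped)  # None if the address is not a static NAT mapping
        # SYNs from the real (inside) host towards its own mapped address: (port, seq)
        syns = [(m.group(2), m.group(4)) for m in CAP_RE.finditer(capture)
                if m.group(1) == real and m.group(3) == mapped]
        findings[mapped] = {
            "land_denies": hits,
            "real_host": real,
            "syn_packets": len(syns),
            "retransmits": len(syns) - len(set(syns)),  # same port and seq seen again
            "self_hairpin": real is not None and len(syns) > 0,
        }
    return findings
```

A non-zero `retransmits` count means the same source port and sequence number were seen again, which is what a host does when its SYN is dropped and it retries.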

This Discussion

Posted March 28, 2011 at 4:07 AM