10-02-2015 08:21 AM - edited 03-11-2019 11:41 PM
On one of my 8 ASA Firewalls I get the following about 800 times a day:
%ASA-2-106017: Deny IP due to Land Attack from <ASA's Outside Interface Static IP> to <ASA's Outside Interface Static IP>
It happens several times every hour, pretty much 24 hours a day.
This remote office is connected via a single static IP address; that address is used to NAT traffic to the Internet.
The remote office has 10 IP phones and an Active Directory Domain Controller, and maybe 1-3 people in the office from 9-4, so it is minimally staffed.
The remote office is connected by VPN to the HQ office with bi-directional initiation.
The HQ ASA also has a couple of these logs, though they are spotty and only appear while people are in the office. HQ has 40 full-time people working and they are using the system pretty hard. The other 7 remote sites don't really log this event.
The site I'm having issues with is also having VPN connectivity issues, and I want to clear this Land Attack issue up to eliminate it as a potential cause.
I see references to this, though most are for an internal IP, not the ASA's outside interface IP.
Any suggestions on this?
Thanks!
10-02-2015 11:14 AM
Hi,
If the ASA is classifying traffic as a land attack and dropping it, then the ASA is seeing traffic with the same source and destination IP address.
Now I can think of two possibilities:
1: You have a malicious host which is continuously sending malformed packets with the same source and destination IP. You can capture traffic, check what the source IP is, and fix it.
2: There might be some legitimate traffic from a host whose destination IP is your public IP. In case you have some NAT configured for outgoing traffic, the ASA would translate the source IP to the public IP, which would then be present in the destination IP field of the IP header as well.
But first try to find the source of the traffic. As you have mentioned that you have a very small setup, you can apply asp-drop captures and check the source IP of the traffic.
Capture command:
capture asp type asp-drop all
show capture asp
Remove capture: no capture asp
Do share your findings.
Hope it helps
Thanks
R Seth
10-02-2015 11:41 AM
R Seth, thank you for your reply.
Is there a way to send the captured packets to syslog? That way I can sift through the syslog entries for the time at which I get the Land Attack syslog entry, and I can start the capture and not worry about filling up a buffer.
Thanks!
10-02-2015 12:09 PM
Hi,
The captures cannot be sent out to a syslog server.
I think you should apply captures on the inside interface. Filter traffic from any host and specify the destination as the ASA's outside interface IP.
This way you would see the source IP of the machine which is sending traffic to the ASA's public IP.
Command:
capture capi interface <ingress interface name> match ip any host <ASA outside interface IP>
To view:
show capture capi
To remove:
no capture capi
Once you see the capture, investigate the application using the source/destination port number.
Hope it helps!!!
Thanks
RSeth
10-02-2015 12:19 PM
So they are UDP port 500 on both ends.
That is VPN initiation traffic, though I'm not sure if it's getting spoofed or is self-inflicted.
I have the pcap too.
MAC address of the outside interface is: 78ba.f988.b816
LAN address of the edge router is: 30:E4:DB:DC:FB:10
The edge router IP is not the same IP as the ASA's outside IP.
The packets look like:
12:09:36.857789 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 (Outside IP).500 > (Outside IP).500: [udp sum ok] udp 172 (ttl 254, id 8761)
3: 12:09:36.857789 (outside IP).500 > (Outside IP).500: udp 172 ISAKMP Header Initiator COOKIE: 8a fd 76 64 c3 c6 9d ee Responder COOKIE: dc db 7b 32 c0 e0 db af Next Payload: Hash Version: 1.0 Exchange Type: Quick Mode Flags: (Encryption) MessageID: 0BA31E91 Length: 172
10-02-2015 12:28 PM
Is this UDP traffic pass-through traffic for the ASA, or initiated from the ASA?
In case it is pass-through, then you might have some NAT statement that is NATting all your traffic to the outside IP.
For understanding purposes, can you describe the packet with respect to the ASA.
RSeth
10-02-2015 12:39 PM
I'm not sure what you are asking, though here is what I know.
The packets captured are all originating from the LAN MAC address of the edge router's inside interface to the outside MAC address of the ASA.
Internet -> Edge WAN--Edge LAN -> Outside ASA
The VPN connection between the HQ office and the remote office (the side with the Land Attacks) is bi-directional and can be initiated from either end.
HQ is 10.1.x.x and remote is 10.4.x.x
No NATing of traffic over the VPN. NETWORK_LOCAL contains the 2 local subnets and REMOTE_NETWORK contains the HQ subnets.
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description No not NAT traffic to/from Remote Networks n
The VPN ACLs look like the following; there is an ACL for both the tunnel traffic and the initiation traffic, and both are symmetrical (in terms of subnets and ACLs) on the HQ ASA.
access-list jack_cryptomap_1 extended permit ip object NETWORK-IRVINE object-group NETWORK_REMOTE
access-list jack_cryptomap_1 extended permit ip object NETWORK-IRVINE-TRAINING object-group NETWORK_REMOTE
Traffic to the Internet is PATed via the outside interface's IP.
object network obj_any nat (any,outside) dynamic interface
10-02-2015 12:59 PM
Hi,
Instead of having Internet-bound NAT as any to outside, can you specify the actual ingress and egress interface names.
Also, is the name of the interface towards the router outside or inside?
R.Seth
10-02-2015 02:00 PM
The traffic looks like this:
ISP <-> WAN1 -RV082- LAN <-> Outside -ASA556- Inside <-> Office Subnet
So you are saying to change the NAT to this?
object network obj_any nat (inside,outside) dynamic interface
Thank you,
10-04-2015 12:40 AM
Hi,
Yes, change the NAT to specific interfaces.
Also check why traffic which has the ASA's outside interface IP as its destination is passing through the ASA.
Is there any misconfiguration on a downstream device which is making it send UDP/500 traffic to the ASA's public IP?
As the public IP of the ASA is used in dynamic NAT, the UDP/500 will get source-translated and hence will result in traffic with both source and destination being the ASA's outside interface IP.
Share your findings.
Thanks,
R.Seth
10-05-2015 06:31 AM
I changed the NAT to
object network obj_any nat (inside,outside) dynamic interface
That didn't seem to change much. The connection is still dropping every 6-7 hours.
The only thing I could think of is that one of the sales people's PCs is trying to use AnyConnect even though they are already behind the firewall? That's the only thing I can see that would be generating the port 500 traffic. Though the endpoint they all have configured for AnyConnect is the HQ ASA, not the remote ASA. So I'm not sure why it would have a source/destination of the outside interface.
Given that the sending MAC address is the gateway address, it's coming from the outside, or at least the public IP subnet. There is only another little Linksys router that has some devices that I know do not support VPN.
10-02-2015 11:59 AM
So here are some captured packets and the log events for the Land Attacks. I'm not sure how to read the captured packets.
10/2/2015 11:53:54 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:46 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:46 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:38 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:38 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:30 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:22 AM %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
66: 11:52:11.975337 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77 0207 0458 bc27 f354 2404 0405 6769 3106 0200 780a 1a69 7276 696e 652d 6761 7465 7761 792d 766c 616e 2d73 7769 7463 680e 0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
67: 11:52:12.875214 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
68: 11:52:14.875198 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
69: 11:52:16.875168 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
70: 11:52:18.875137 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
71: 11:52:19.283371 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66 209.234.149.209.520 > 209.234.149.215.520: [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
72: 11:52:20.875137 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet
73: 11:52:22.875092 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
74: 11:52:24.875092 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
75: 11:52:26.875031 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet
76: 11:52:28.875000 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
77: 11:52:30.874985 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet
78: 11:52:32.874970 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
79: 11:52:34.874954 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
80: 11:52:36.874924 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
81: 11:52:38.874893 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
82: 11:52:40.874863 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
83: 11:52:41.974970 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77 0207 0458 bc27 f354 2404 0405 6769 3106 0200 780a 1a69 7276 696e 652d 6761 7465 7761 792d 766c 616e 2d73 7769 7463 680e 0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
84: 11:52:42.874817 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
85: 11:52:44.874817 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
86: 11:52:45.995004 58bc.27f3.5425 0100.0ccc.cccc 0x00b1 Length: 191 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
87: 11:52:46.874771 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
88: 11:52:48.874756 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
89: 11:52:49.284760 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66 209.234.149.209.520 > 209.234.149.215.520: [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
90: 11:52:50.874710 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
91: 11:52:52.874710 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
92: 11:52:54.874649 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
93: 11:52:56.874603 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
94: 11:52:58.874634 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
95: 11:53:00.874603 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
96: 11:53:02.874527 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
97: 11:53:04.874512 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
98: 11:53:06.830691 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 8382) Drop-reason: (sp-security-failed) Slowpath security checks failed
99: 11:53:06.874512 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
100: 11:53:08.874481 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
101: 11:53:10.874420 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
102: 11:53:11.974528 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77 0207 0458 bc27 f354 2404 0405 6769 3106 0200 780a 1a69 7276 696e 652d 6761 7465 7761 792d 766c 616e 2d73 7769 7463 680e 0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
103: 11:53:12.874420 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
104: 11:53:14.820315 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 22594) Drop-reason: (sp-security-failed) Slowpath security checks failed
105: 11:53:14.874359 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
106: 11:53:16.874344 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet
107: 11:53:18.874298 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
108: 11:53:19.286056 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66 209.234.149.209.520 > 209.234.149.215.520: [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
109: 11:53:20.874283 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
110: 11:53:22.816898 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 1054) Drop-reason: (sp-security-failed) Slowpath security checks failed
111: 11:53:22.820422 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 22942) Drop-reason: (sp-security-failed) Slowpath security checks failed
112: 11:53:22.874252 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
113: 11:53:24.874222 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
114: 11:53:26.874176 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
115: 11:53:28.874146 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
116: 11:53:30.817264 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 110 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 68 (ttl 254, id 5286) Drop-reason: (sp-security-failed) Slowpath security checks failed
117: 11:53:30.821948 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 15889) Drop-reason: (sp-security-failed) Slowpath security checks failed
118: 11:53:30.874115 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
119: 11:53:32.874100 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
120: 11:53:34.874085 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
121: 11:53:36.874039 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
122: 11:53:36.929227 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92 10.4.0.5.137 > 10.4.255.255.137: [udp sum ok] udp 50 (ttl 128, id 10419)
123: 11:53:37.673655 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92 10.4.0.5.137 > 10.4.255.255.137: [udp sum ok] udp 50 (ttl 128, id 10422) Drop-reason: (sp-security-failed) Slowpath security checks failed
124: 11:53:38.439064 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92 10.4.0.5.137 > 10.4.255.255.137: [udp sum ok] udp 50 (ttl 128, id 10424) Drop-reason: (sp-security-failed) Slowpath security checks failed
125: 11:53:38.816058 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 1918) Drop-reason: (sp-security-failed) Slowpath security checks failed
126: 11:53:38.874008 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
127: 11:53:40.873978 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
128: 11:53:41.974101 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77 0207 0458 bc27 f354 2404 0405 6769 3106 0200 780a 1a69 7276 696e 652d 6761 7465 7761 792d 766c 616e 2d73 7769 7463 680e 0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
129: 11:53:42.873932 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet
130: 11:53:44.873901 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
131: 11:53:45.994104 58bc.27f3.5425 0100.0ccc.cccc 0x00b1 Length: 191 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
132: 11:53:46.873871 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
133: 11:53:48.873871 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
134: 11:53:49.287277 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66 209.234.149.209.520 > 209.234.149.215.520: [udp sum ok] udp 24 (DF) (ttl 64, id 0)
135: 11:53:50.873825 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
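An added example (not code from the thread): a small Python parser for the `show capture` and %ASA-2-106017 syslog formats posted above. It skips the Layer-2-only frames (STP, LLDP, CDP), keeps the IPv4 packets, flags the ones whose source and destination IP are identical, and tallies them by sending MAC address and destination port so the upstream device can be identified. The sample lines are constructed in the same format as the capture above.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the "show capture" output and syslog messages in the thread.
CAPTURE = """\
98: 11:53:06.830691 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 8382) Drop-reason: (sp-security-failed) Slowpath security checks failed
99: 11:53:06.874512 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
108: 11:53:19.286056 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66 209.234.149.209.520 > 209.234.149.215.520: [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
110: 11:53:22.816898 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214 209.234.149.210.500 > 209.234.149.210.500: [udp sum ok] udp 172 (ttl 254, id 1054) Drop-reason: (sp-security-failed) Slowpath security checks failed
122: 11:53:36.929227 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92 10.4.0.5.137 > 10.4.255.255.137: [udp sum ok] udp 50 (ttl 128, id 10419)
"""
SYSLOG = """\
10/2/2015 11:53:22 AM %ASA-2-106017: Deny IP due to Land Attack from 209.234.149.210 to 209.234.149.210
10/2/2015 11:53:06 AM %ASA-2-106017: Deny IP due to Land Attack from 209.234.149.210 to 209.234.149.210
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only EtherType 0x0800 (IPv4) lines carry "src.port > dst.port"; L2 frames never match.
PKT_RE = re.compile(
    rf"^(?P<num>\d+): (?P<time>\S+) (?P<smac>{MAC}) (?P<dmac>{MAC}) 0x0800 Length: \d+ "
    rf"(?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+):.*?"
    rf"\(ttl (?P<ttl>\d+), id \d+\)(?: Drop-reason: \((?P<drop>[^)]+)\))?"
)
LAND_RE = re.compile(r"%ASA-2-106017: Deny IP due to Land Attack from (\S+) to (\S+)")


def parse_capture(text):
    """Return the IPv4 packets from show-capture output as dicts; L2-only frames are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "ttl"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def land_candidates(pkts):
    """Packets with identical source and destination IP: what the ASA drops as a land attack.
    The TTL is kept because it hints at the originator (a router-generated packet starts at 255,
    a Windows host at 128), which helps decide whether the edge device or a PC behind it sent it."""
    return [p for p in pkts if p["src"] == p["dst"]]


def senders(pkts):
    """Tally packets by (source MAC, destination port) to point at the device and application."""
    return Counter((p["smac"], p["dport"]) for p in pkts)


def count_land_syslogs(text):
    """Count 106017 messages by the address the ASA reported, to correlate with the capture."""
    return Counter(m.group(1) for m in LAND_RE.finditer(text))


if __name__ == "__main__":
    land = land_candidates(parse_capture(CAPTURE))
    print(senders(land), count_land_syslogs(SYSLOG))
```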
10-02-2015 12:21 PM
I don't see any packets for a land attack in the asp drop. Probably there is no such traffic as of now.
I think you should apply the capture on the inside interface as I have mentioned and leave it for some time.
Check the captures when you see syslog messages for the land attack.
Note: use the captures as mentioned below for the inside interface.
Thanks
R.Seth
10-02-2015 12:27 PM
I did the other capture, see below. Thank you!