cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
543
Views
0
Helpful
2
Replies

ASA Land Attack - how does the system respond?

jimtaylorcisco
Level 1
Level 1

Hope you can help

I have a ASA 5520 and was testing vpn configuration using the packet tracer in asdm. Due to a typo I simiuated a land attack (ie same source and destination address). The ASA then blocked connections to some ip addresses (other services were fine) but nothing appeared in the logs at warning level after the Land Attack error.

My main question is what is the ASA's default response to this? Will the system reset the block and after how long? Anti spoofing and basic security are enabled.

I fixed the fault with a reload but there must be a neater way to do this.

2 Replies 2

Hi Jim,

To the best of my knowledge, the default behavior of the ASA is that message ASA-2-106017 will be logged and the offending packet will be dropped. However, the ASA does not automatically shun the IP address to block any further traffic.

If you are using the threat detection feature in ASA 8.0, you can create a configuration such that a detected attacker IP address will be automatically shunned. If this feature is enabled, the attacker is shunned for 1 hour, though this value is also optionally configured.

Here is the configuration guide for threat detection:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058270

Maybe someone else can chime in that has seen this happen before?

-Mike

Hi Mike

Thanks for that, I have been through most of this documentation but unfortunately doing a reload to get the full functionality back meant that I have been unable to trace the details of what happened or duplicate this issue. Thanks for you help though, if it do get a resolution I will post something here

cheers, Jim

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: