Within our 6500 we're seeing the following error messages being recorded by the FWSM syslog:
%FWSM-2-106017: Deny IP due to Land Attack from 188.8.131.52 to 2.3.4.x
I understand through my research that typically the land attacks have the same source and destination IP and ports, but these do not. We receive the message 2-6 times a minute and the destination IP *always* varies (source always remains the same) across lan segments, not just individual IPs within the 2.3.4.x segment.
Ideally I'd like to get the MAC address for the source, but nothing seems to be found in ARP tables and such. I've also attempted to run a capture on the raw-data and asp-drop to no avail. It doesn't record the packets for further review.
What else can I do to track down where this is coming from? I know the FWSM is doing its job by denying it, but I need to know if its coming from our private network and who the troublesome host is in general.
Thank you kindly for any assistance you can provide. I'm fresh out of ideas...
Explanation for the error message - The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action - If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
Also PIX dropping the packets that are suspected to form an attack, so the PIX is protecting your network from the attack but it won't stop the source of this traffic from generating these packets.
Check the IP address of the ouside vlan interface.
I am seeing the same log entry on my PIX firewall. But the traffic is coming from inside my network. The log follows:
%PIX-2-106017: Deny IP due to Land Attack from 184.108.40.206 to 220.127.116.11
I want to debug the ip flow to it's ingress point into the network. But I'm not having much luck as show ip cef commands don't seem to provide any useful data. I remember CAT-OS having some flow debugging capability via the show ip mls flow commands. Does the 6500 or 7600 running fairly recent IOS have the capability of debugging the flows from ingress to egress interface?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...