Deny IP due to Land Attack

k.narendranath
Level 1

Dear Team,

We are continuously getting the log below on an ASA 5510. I suspect something is going wrong (like the system is getting compromised?).

Note: I have changed the actual public IP to 1.1.1.1 for security reasons.

Log..

Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:21 124.153.100.44 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1

ASA 5510 config

#static (inside,outside) 1.1.1.1 192.168.1.20 netmask 255.255.255.255

#access-list 101 extended permit tcp any host 1.1.1.1 eq www
#access-list 101 extended permit tcp any host 1.1.1.1 eq https
#access-list 101 extended permit tcp any host 1.1.1.1 eq 3306
#access-list 101 extended permit tcp any host 1.1.1.1 range ftp-data ftp

#access-group 101 in interface outside

Please suggest.

Regards,

Narendra

1 Accepted Solution

Accepted Solutions

Usually this log gets generated when traffic goes from inside and the destination is the translated IP of that same source IP. In this case the inside IP that you have on the static NAT could be trying to send traffic to the destination IP 1.1.1.1.

It is hard to prove it, but you could try setting captures or checking if that inside host is really trying to send traffic to 1.1.1.1.

I hope this helps.

Sent from Cisco Technical Support iPhone App


3 Replies

Hi Paul Gilbert Arias,


Thanks for your update. Yes, I tried capturing this "Deny IP due to Land Attack" traffic and found the output below.

CINBLR01-FLTR-FIREWALL-00001# sh capture test | in 1.1.1.1


    7: 10:54:19.279419 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
    9: 10:54:19.434395 192.168.1.20.58421 > 1.1.1.1: S 4219706084:4219706084(0) win 5840
   12: 10:54:19.743354 192.168.1.20.58415 > 1.1.1.1: S 4195822356:4195822356(0) win 5840
   19: 10:54:20.091380 192.168.1.20.58398 > 1.1.1.1: S 4152154284:4152154284(0) win 5840
   29: 10:54:20.675334 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
   30: 10:54:20.696329 192.168.1.20.58430 > 1.1.1.1: S 4232107974:4232107974(0) win 5840
   41: 10:54:21.570206 192.168.1.20.58432 > 1.1.1.1: S 4243239398:4243239398(0) win 5840
   67: 10:54:22.115213 192.168.1.20.58399 > 1.1.1.1: S 4154738690:4154738690(0) win 5840
   68: 10:54:22.118234 192.168.1.20.58434 > 1.1.1.1: S 4245150624:4245150624(0) win 5840
   69: 10:54:22.130196 192.168.1.20.58422 > 1.1.1.1: S 4230741684:4230741684(0) win 5840
   70: 10:54:22.322218 192.168.1.20.58423 > 1.1.1.1: S 4222242146:4222242146(0) win 5840
   81: 10:54:22.859132 192.168.1.20.58424 > 1.1.1.1: S 4222473306:4222473306(0) win 5840
  100: 10:54:23.564179 192.168.1.20.58435 > 1.1.1.1: S 4255863279:4255863279(0) win 5840
  102: 10:54:23.675059 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840
  106: 10:54:23.815036 192.168.1.20.58416 > 1.1.1.1: S 4212967913:4212967913(0) win 5840
  126: 10:54:25.117974 192.168.1.20.58434 > 1.1.1.1: S 4245150624:4245150624(0) win 5840
  127: 10:54:25.145973 192.168.1.20.58428 > 1.1.1.1: S 4223944579:4223944579(0) win 5840
  128: 10:54:25.278977 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
  143: 10:54:26.563828 192.168.1.20.58435 > 1.1.1.1: S 4255863279:4255863279(0) win 5840
  144: 10:54:26.864853 192.168.1.20.58436 > 1.1.1.1: S 4252276886:4252276886(0) win 5840
  145: 10:54:26.998819 192.168.1.20.58417 > 1.1.1.1: S 4217570846:4217570846(0) win 5840
  154: 10:54:27.569748 192.168.1.20.58432 > 1.1.1.1: S 4243239398:4243239398(0) win 5840
  174: 10:54:28.849687 192.168.1.20.58429 > 1.1.1.1: S 4233349534:4233349534(0) win 5840
  181: 10:54:29.674601 192.168.1.20.58433 > 1.1.1.1: S 4255148120:4255148120(0) win 5840

My only worry is whether this system is getting compromised or has already been compromised, either from inside or from outside.

Regards,

Narendra

You applied the captures on the inside, correct?

On those captures you can see that the source is 192.168.1.20 and the destination 1.1.1.1. That shows what I was telling you. The inside host 192.168.1.20 is trying to send traffic to its outside IP and the ASA doesn't allow that. The captures show SYN packets.

Check the inside host to find why it is trying to initiate traffic to its outside IP.
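The following is an added example, not part of the thread and not a Cisco tool. It implements the check the two replies above describe: parse the %ASA-2-106017 syslog lines, the pre-8.3 "static (inside,outside)" statement and the inside-interface capture, then confirm that the denied src == dst address is a mapped address from the NAT table and that the inside host behind it is the one sending SYNs to it. The sample data is constructed from the lines in the thread (1.1.1.1 stands in for the real public IP); the extra capture line to 203.0.113.10 is a made-up control showing a destination that is not the host's own mapped address, and the function names are the example's own.

```python
"""Correlate ASA 106017 "Land Attack" denies with static NAT and an inside capture.

Constructed example: checks whether an inside host is sending packets to its own
static-NAT mapped address, which becomes src == dst after translation and is
dropped by the ASA's land-attack check.
"""
import re
from collections import Counter

# --- Constructed sample data, modelled on the thread -------------------------
SYSLOG = """\
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1
"""

NAT_CONFIG = """\
static (inside,outside) 1.1.1.1 192.168.1.20 netmask 255.255.255.255
"""

# Last line (to 203.0.113.10) is a constructed control, not from the thread.
CAPTURE = """\
    7: 10:54:19.279419 192.168.1.20.58431 > 1.1.1.1: S 4245224488:4245224488(0) win 5840
    9: 10:54:19.434395 192.168.1.20.58421 > 1.1.1.1: S 4219706084:4219706084(0) win 5840
   12: 10:54:19.743354 192.168.1.20.58415 > 1.1.1.1: S 4195822356:4195822356(0) win 5840
   13: 10:54:19.801200 192.168.1.20.58440 > 203.0.113.10.443: S 4195822999:4195822999(0) win 5840
"""

LAND_RE = re.compile(r"%ASA-\d-106017: Deny IP due to Land Attack from (\S+) to (\S+)")
# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^\s*static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
# Destination may or may not carry a trailing port, as in the poster's output.
CAP_RE = re.compile(
    r"^\s*\d+: (\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (\S+)")


def parse_land_attack_logs(text):
    """Return (src, dst) pairs from every 106017 line in the syslog text."""
    return [m.groups() for m in (LAND_RE.search(l) for l in text.splitlines()) if m]


def parse_static_nat(config):
    """Map real (inside) IP -> mapped (outside) IP from pre-8.3 'static' lines."""
    nat = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            _real_if, _mapped_if, mapped_ip, real_ip = m.groups()
            nat[real_ip] = mapped_ip
    return nat


def parse_capture(text):
    """Parse 'show capture' lines into dicts; dport is None when not shown."""
    pkts = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            pkts.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                         "dport": int(dport) if dport else None, "flags": flags})
    return pkts


def find_self_nat_hits(pkts, nat):
    """Count packets whose destination is the sender's own mapped address.

    After source translation these become src == dst on the ASA, which is
    exactly what the 106017 land-attack check drops.
    """
    hits = Counter()
    for p in pkts:
        if nat.get(p["src"]) == p["dst"]:
            hits[(p["src"], p["dst"], p["flags"])] += 1
    return hits


def land_attack_is_self_nat(logs, nat):
    """True if every 106017 pair has src == dst and that address is a mapped
    address in the NAT table. This is consistent with the hairpin explanation;
    the inside capture (find_self_nat_hits) is what actually confirms it."""
    mapped = set(nat.values())
    return bool(logs) and all(s == d and s in mapped for s, d in logs)


if __name__ == "__main__":
    logs = parse_land_attack_logs(SYSLOG)
    nat = parse_static_nat(NAT_CONFIG)
    hits = find_self_nat_hits(parse_capture(CAPTURE), nat)
    print(f"{len(logs)} land-attack denies; consistent with NAT table: "
          f"{land_attack_is_self_nat(logs, nat)}")
    for (src, dst, flags), n in hits.items():
        print(f"{src} -> {dst} ({flags}): {n} packets to its own mapped IP")
```

If `land_attack_is_self_nat` returns True but the inside capture shows no hits, the src == dst packets are arriving from somewhere other than the mapped host, and the next step would be a capture on the outside interface instead.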
