New Member

Land Attack on Cisco ASA

Hi,

I have a Cisco 5520 ASA running version 8.4. We are continuously getting the log below on our firewall. This started after upgrading it from 8.2 to 8.4.

NLDCF2-Ext : %ASA-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x

where x.x.x.x is the PAT IP address used by clients to go to internet through outside interface.

The CPU utilisation is also crossing 90% (not sure if it is related to this).

When I run a capture, I see the source address as public addresses and the destination address as x.x.x.x, and these packets are egressing the outside interface. So this seems to be a packet-spoofing attack as well.

Can anyone help to resolve this issue? Can it be related to high CPU utilisation?

2 REPLIES
Gold

CSCtr93086 ASA Failover: 106017 Deny IP due to Land Attack

It's a bug; please update the version patch.

Known Affected Releases (2):

- 8.4(1.9)
- 8.2(4)
Cisco Employee

The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action: If this message persists, an attack might be in progress. The packet does not provide enough information to determine where the attack originates.

%PIX|ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name

Explanation

An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your security appliance.

This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface. If it is configured on the outside, then the security appliance checks packets arriving from the outside.

The security appliance looks up a route based on the source address. If an entry is not found and a route is not defined, then this system log message appears and the connection is dropped.

If there is a route, the security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing.

If the security appliance is configured on an internal interface, it checks static route command statements or RIP. If the source address is not found, then an internal user is spoofing their address.
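The two drop conditions described in this reply (106017: source address equals destination address and source port equals destination port; 106021: the route for the source address does not point at the interface the packet arrived on, or no route exists) can be simulated in a few lines. The following is an added example written for this thread, not Cisco code and not a reproduction of how the ASA implements these checks internally; the routing table, interface names and sample addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as seen by the firewall's ingress checks."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ingress: str  # name of the interface the packet arrived on


# Constructed routing table (prefix, egress interface). Hypothetical; the
# interface names and prefixes are assumptions for this example only.
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route
    ("10.0.0.0/8", "inside"),
    ("192.168.50.0/24", "dmz"),
]


def is_land_attack(pkt: Packet) -> bool:
    """106017 condition: IP source == IP destination and source port == dest port."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def route_interface(addr: str, routes=ROUTES):
    """Longest-prefix lookup of addr; returns the route's interface or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def fails_urpf(pkt: Packet, routes=ROUTES) -> bool:
    """106021 condition (unicast RPF): the route for the *source* address must
    point back out the interface the packet came in on; no route also fails."""
    iface = route_interface(pkt.src_ip, routes)
    return iface is None or iface != pkt.ingress


def classify(pkt: Packet, routes=ROUTES) -> str:
    """Return the syslog-style verdict the checks above would produce, or 'permit'."""
    if is_land_attack(pkt):
        return (f"%ASA-2-106017: Deny IP due to Land Attack "
                f"from {pkt.src_ip} to {pkt.dst_ip}")
    if fails_urpf(pkt, routes):
        return (f"%ASA-1-106021: Deny protocol reverse path check "
                f"from {pkt.src_ip} to {pkt.dst_ip} on interface {pkt.ingress}")
    return "permit"


if __name__ == "__main__":
    samples = [
        # Land attack: same address and same port on both ends
        Packet("203.0.113.10", "203.0.113.10", 80, 80, "outside"),
        # Inside address arriving on the outside interface -> uRPF mismatch
        Packet("10.1.2.3", "203.0.113.10", 5000, 443, "outside"),
        # Same source arriving where its route points -> permitted
        Packet("10.1.2.3", "203.0.113.10", 5000, 443, "inside"),
        # Public source arriving on inside -> internal host spoofing
        Packet("198.51.100.7", "10.1.2.3", 5000, 443, "inside"),
    ]
    for p in samples:
        print(classify(p))
```

Note that the uRPF check is only meaningful when routing is symmetric: a legitimate packet arriving on a different interface from the one its source route points to is dropped exactly like a spoof, which is the asymmetric-routing caveat in the reply.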
