Wednesday 23 December 2015

Land Attack log messages on Cisco ASA (%ASA-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x)

Problem: There are a great many syslog messages of the form "%ASA-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x", where the source and destination are the same IP, namely the global NAT IP or the interface IP.

What is a Land attack: A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port.

Explanation: The security appliance received a packet with the IP source address equal to the IP destination address, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
What this message practically means is that the ASA/FWSM saw a packet that was sourced from and destined to the same IP address and port. Such a packet cannot logically exist, because a host cannot send a packet through the network to itself. What the attack tries to achieve is to have a computer respond to itself, creating an infinite loop and causing a DoS on it. Most contemporary systems are not vulnerable to this attack or its variations, but a network-level firewall such as the ASA / PIX / FWSM should be able to catch such packets and drop them.
The checks against Land Attacks happen on the ASA/FWSM before many other advanced checks (ACL check, NAT, inspections). There is nothing that can be done to stop the ASA from dropping these packets, as these checks happen as part of the early "network checks" on the packets (not configurable).
If you see many of these messages, it is probably because of some misconfiguration, and we recommend investigating further. Even if these logs do not relate to any visible issue, they should be investigated and corrected in order to find out whether they are due to malicious activity or to involuntary user-inflicted errors.
Recommended Action:
If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
- You need to find out the packet flow.
- To fetch the packet flow, capture packets (pcap) on all the interfaces; this gives a lot of information, including the MAC address.
- If you have a firewall deployed between the source and destination, the packet is already blocked; however, it will often still appear in the logs as blocked.
- If you see the public IP, it may be statically NATed somewhere. Try removing the static entry and observe the logs (this is a workaround).
- You can execute the shun command on the firewall (if Cisco) to tell the device to discard the packet without further processing.
The actual syslog message looks like:
%ASA-session-2-106017: Deny IP due to Land Attack from <ip address> to <ip address>
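To work through the recommended actions above, the first thing needed is a per-address-pair count of the 106017 messages and a check of whether the logged address is one of the firewall's own interface or global NAT addresses (the misconfiguration case) or something else that needs a packet capture. The following script is an added example, not part of the original post or a Cisco tool; the syslog lines, the hostname fw01 and the documentation addresses 203.0.113.10 and 192.0.2.55 are constructed for the example, and the set of firewall addresses is an assumed input you would fill from your own ASA configuration.

```python
import re
from collections import Counter

# Regex for the ASA message shown in the post. The optional "session-"
# class tag covers both the "%ASA-2-106017" and "%ASA-session-2-106017" forms.
LAND_RE = re.compile(
    r"%ASA-(?:session-)?2-106017: Deny IP due to Land Attack from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample syslog lines (not real logs). 203.0.113.10 stands in for
# the firewall's global NAT / outside interface address; 192.0.2.55 does not.
SAMPLE_LOG = """\
Dec 23 2015 10:01:02 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Dec 23 2015 10:01:03 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Dec 23 2015 10:01:05 fw01 %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4411
Dec 23 2015 10:02:10 fw01 %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.55 to 192.0.2.55
Dec 23 2015 10:02:11 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
"""


def parse_land_events(text):
    """Return a list of (src, dst) tuples, one per 106017 message in text.

    Lines that are not Land Attack denials (other message IDs) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LAND_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst")))
    return events


def triage(events, firewall_addresses):
    """Group events by (src, dst) pair and label each pair for follow-up.

    firewall_addresses: set of the ASA's own interface IPs and global NAT
    addresses (assumed input). A pair whose destination is one of these is
    the case the post describes (an inside host reaching the firewall's own
    public address through a static NAT), so the first thing to check is the
    static/identity NAT rule. Any other pair is left for a packet capture
    on all interfaces to trace the real flow.
    """
    counts = Counter(events)
    report = {}
    for (src, dst), n in counts.items():
        if dst in firewall_addresses:
            label = "firewall interface or global NAT IP: check static / identity NAT"
        else:
            label = "unexplained: capture on all interfaces and trace the flow"
        report[(src, dst)] = {"count": n, "label": label}
    return report


if __name__ == "__main__":
    # Assumed firewall addresses for the constructed sample.
    fw_addrs = {"203.0.113.10"}
    for pair, info in sorted(triage(parse_land_events(SAMPLE_LOG), fw_addrs).items()):
        print(f"{pair[0]} -> {pair[1]}: {info['count']} x 106017 -- {info['label']}")
```

Feed it the syslog export from your collector instead of SAMPLE_LOG and put the ASA's interface and global NAT addresses into fw_addrs; pairs that land in the "unexplained" bucket are the ones worth a capture on every interface, as the post advises.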
Resolution and Story:
I have a Cisco ASA with IOS 9.1 and was getting a large number of Land Attack syslog messages. On troubleshooting I found nothing in the pcap files captured on the ASA interfaces; I could only see the syslog message forwarded to the syslog server after the event. Further investigation showed packets being dropped with "Drop-reason: (nat-xlate-failed) NAT failed".

Actually, this type of drop was logged by the ASA as a Land Attack. Configuring NAT exemption (identity NAT), with the internal IP subnet as the source and the global NATed IP as the destination, resolved the issue. This configuration tells the ASA not to translate a packet that is sourced from the internal network and destined to the ASA interface IP / global NATed IP. The example case is pinging the ASA interface IP from a host on the inside network.

Configuration:
Here "land-attack" is the network object for the public IP displayed in the syslog message, i.e. the global NATed IP or the interface IP, and "internal-subnet" is the network object for the inside subnet (its value is not shown here; the x.x.x.x entries are placeholders). Both objects must be defined before the NAT rule that references them.
!
object network land-attack
 host x.x.x.x
!
object network internal-subnet
 subnet x.x.x.x x.x.x.x
!
nat (inside,any) source static internal-subnet internal-subnet destination static land-attack land-attack no-proxy-arp route-lookup