Friday, January 4, 2013

Cisco ASA: "LAND" attack - track false positives

A LAND attack is characterized by an IP packet whose source and destination IP addresses are the same. However, on the ASA platform it is sometimes possible to see false positives for this check.

Consider the following example:

Jan 05 2012 16:21:36: %ASA-2-106017: Deny IP due to Land Attack from to

Jan 05 2012 16:21:37: %ASA-2-106017: Deny IP due to Land Attack from to

What is really happening?

Upon closer examination, you notice that you have a static translation set up:

static (inside, outside)

Now let's capture traffic between the private address and the translated IP, and lo and behold, the mystery is solved! The server inside is trying to access itself via its own public IP address (perhaps via a script that is running), and once the ASA un-translates the destination, source and destination are the same host.

3 packets captured

1: 16:20:37.032469 > S 1304500266:1304500266(0) win 5840

2: 16:21:36.938168 > S 4035860468:4035860468(0) win 5840

3: 16:21:37.173559 > S 4123968769:4123968769(0) win 5840

3 packets shown

Notice how the time-stamps match!
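As an added illustration (not part of the original post), here is a small Python triage script that applies the reasoning above to %ASA-2-106017 lines: it checks the logged address against a static-NAT table and against the SYN timestamps from a capture, so NAT self-access can be separated from events that still need a look. The addresses, the NAT entry and the sample log and capture lines are constructed, and which side of the translation the ASA logs is an assumption.

```python
import re
from collections import namedtuple

# Constructed samples modelled on the page's log and capture lines; RFC 5737
# addresses stand in where the page's own IPs are elided. Assumed topology:
# inside host 10.1.1.5 is statically translated to 203.0.113.10.
SAMPLE_LOG = """\
Jan 05 2012 16:21:36: %ASA-2-106017: Deny IP due to Land Attack from 10.1.1.5 to 10.1.1.5
Jan 05 2012 16:21:37: %ASA-2-106017: Deny IP due to Land Attack from 10.1.1.5 to 10.1.1.5
Jan 05 2012 16:30:11: %ASA-2-106017: Deny IP due to Land Attack from 198.51.100.77 to 198.51.100.77
Jan 05 2012 16:30:12: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.77/4321
"""
SAMPLE_CAP = """\
1: 16:20:37.032469 10.1.1.5.45678 > 203.0.113.10.80: S 1304500266:1304500266(0) win 5840
2: 16:21:36.938168 10.1.1.5.45680 > 203.0.113.10.80: S 4035860468:4035860468(0) win 5840
3: 16:21:37.173559 10.1.1.5.45681 > 203.0.113.10.80: S 4123968769:4123968769(0) win 5840
"""
STATIC_NAT = {"10.1.1.5": "203.0.113.10"}  # hypothetical: local -> global address

LAND_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d{4} (?P<hms>\d\d:\d\d:\d\d)): %ASA-2-106017: "
                     r"Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)$")
CAP_RE = re.compile(r"^\d+: (?P<hms>\d\d:\d\d:\d\d)\.\d+ (?P<src>[\d.]+)\.\d+ > "
                    r"(?P<dst>[\d.]+)\.\d+: S ")
Event = namedtuple("Event", "ts src dst verdict")

def self_access_times(cap_text, nat=STATIC_NAT):
    # Seconds at which an inside host sent a SYN to its own global address.
    return {m["hms"] for m in map(CAP_RE.match, cap_text.splitlines())
            if m and nat.get(m["src"]) == m["dst"]}

def classify(src, dst, hms, nat=STATIC_NAT, cap_times=frozenset()):
    # The ASA may log the local or the global side of the translation (assumption),
    # so an address on either side of the static entry counts as NAT-related.
    if src != dst:
        return "not-a-land-pattern"
    if src in nat or src in nat.values():
        confirmed = " (confirmed by capture)" if hms in cap_times else ""
        return "false-positive: static NAT self-access" + confirmed
    return "investigate: no NAT explanation"

def triage(log_text, cap_text="", nat=STATIC_NAT):
    cap_times = self_access_times(cap_text, nat)
    events = []
    for m in map(LAND_RE.match, log_text.splitlines()):
        if m:  # only %ASA-2-106017 lines are of interest
            events.append(Event(m["ts"], m["src"], m["dst"],
                                classify(m["src"], m["dst"], m["hms"], nat, cap_times)))
    return events
```

Calling triage(SAMPLE_LOG, SAMPLE_CAP) marks the two 16:21 events as NAT self-access confirmed by the capture and leaves the 198.51.100.77 event flagged for investigation.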

1 comment:

  1. I had a Land attack notification on my ASA and it turned out to be a hack attempt, using our internet facing SIP proxy.