Cisco Firewall - Land Attack
by admin on May.03, 2007, under Firewalls, Networking, Security
I have been seeing some “Critical Syslog Events” coming through lately from my Cisco FWSM (Firewall Services Module). The event number is FWSM-2-106017; on a PIX it would be PIX-2-106017.
When you go to Cisco’s site for the explanation this is what they give you:
Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr
Explanation This message indicates that the module received a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet that is designed to attack systems. This attack is referred to as a land attack. If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
Recommended Action None.
This is fine and dandy but doesn’t help me track down what the problem is. I don’t believe this is truly a land attack, since it only seems to happen when the sysadmins are working on this box. The IP it is coming from is a web server, and this web server has an internal IP and a NATted external IP. When changes are made you want to test the website, so you browse to the site from the server itself. The name resolves to the NATted external IP, so the request goes out through the firewall, hits the router, and is sent back, where the firewall translates the external IP back to the internal IP. This is where the land attack message comes in: after translation the packet’s source and destination are the same server, and the firewall sees it come in on a different interface from the one it left by, so it logs the server’s own hairpinned request as a land attack.
I haven’t seen a fix for this. You could probably disable this check in the firewall (which would also silence the genuine spoofed-packet case the message is meant to catch), or just make sure you go to the internal IP instead of the NATted IP when testing from the web server itself.
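Before disabling the check it is worth separating the noisy self-test case from anything else that trips it. The following Python script is an added example, not code from the original post or from Cisco: it pulls 106017 events out of syslog text (the message text matches the Cisco documentation quoted above) and labels an event as a hairpin self-test when the reported address belongs to one of your own NATted servers, on either its inside or its outside address, and as a possible spoof otherwise. The static NAT table, the host name fwsm01 and the addresses in the sample log lines are constructed for the example; the post gives no real addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog text for this example (not log lines from the
# original post). The 106017 text follows the Cisco message format quoted
# above; the 302013 line is there to show that unrelated messages are ignored.
SAMPLE_LOG = """\
May  3 10:12:01 fwsm01 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.25 to 192.0.2.25
May  3 10:12:03 fwsm01 %FWSM-2-106017: Deny IP due to Land Attack from 198.51.100.25 to 198.51.100.25
May  3 10:15:44 fwsm01 %FWSM-2-106017: Deny IP due to Land Attack from 198.51.100.7 to 198.51.100.7
May  3 10:16:02 fwsm01 %FWSM-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51234 (203.0.113.9/51234) to inside:192.0.2.25/80 (198.51.100.25/80)
"""

# Hypothetical static NAT table (inside real address -> outside global address).
# The post describes one web server with an internal and a NATted IP but gives
# no addresses, so these values are assumed.
STATIC_NAT = {
    "192.0.2.25": "198.51.100.25",
}

# Matches the FWSM and PIX forms of the message as documented by Cisco.
LAND_RE = re.compile(
    r"%(?P<platform>FWSM|PIX)-2-106017: Deny IP due to Land Attack "
    r"from (?P<src>[0-9.]+) to (?P<dst>[0-9.]+)"
)


def parse_land_events(text):
    """Return one dict per 106017 line with keys platform, src, dst.

    Lines that are not 106017 events, or that carry a malformed address,
    are skipped rather than raising.
    """
    events = []
    for line in text.splitlines():
        m = LAND_RE.search(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m["src"])
            ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        events.append(m.groupdict())
    return events


def classify(event, static_nat=STATIC_NAT):
    """Label a 106017 event.

    'hairpin-self-test': the address is one of our own NATted servers, seen
        on either its inside or its outside address, so this is almost
        certainly the server reaching its own site through the external
        address, as the post describes.
    'possible-spoof': the address is not one of ours, so the packet really
        does carry source == destination and deserves a look.
    'unexpected': src != dst, which 106017 should never report.
    """
    src, dst = event["src"], event["dst"]
    if src != dst:
        return "unexpected"
    known = set(static_nat) | set(static_nat.values())
    return "hairpin-self-test" if src in known else "possible-spoof"


def summarize(text, static_nat=STATIC_NAT):
    """Count 106017 events per (address, label) so the noisy self-test
    server stands out from anything that is not explained by NAT."""
    counts = Counter()
    for ev in parse_land_events(text):
        counts[(ev["src"], classify(ev, static_nat))] += 1
    return counts


if __name__ == "__main__":
    for (addr, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{addr:16} {label:20} {n}")
```

Feed it your real syslog export and your real static NAT entries; any address that lands in the possible-spoof bucket is the one the Cisco text is actually warning you about, while the hairpin-self-test bucket is the sysadmin testing the site from the box.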
May 15th, 2007 on 1:07 pm
I have that problem. How can I fix it, or who can give me some ideas?
Thanks... see you...
May 16th, 2007 on 7:07 am
Well, Cisco isn’t going to change how they do this because it is a feature. You are going to have to work around it, most likely. If you need to access a website on a server from itself, you need to go to the internal IP and not the NATted external IP. If you are just going to the URL and it redirects you back to itself using the external IP, you are going to need to add a hosts file entry on that server that points the website’s name to the internal IP. Also, depending on the way you do your host headers in IIS, you might have to allow the internal IP to respond. Hope this helps.