Misconfigured Source NAT and LAND Attacks

Created On 09/25/18 19:21 PM - Last Modified 05/31/23 21:36 PM


Issue

When an administrator configures destination NAT for more than one public address and then adds a source NAT rule without restricting its Source Zone, that source NAT rule usually sits at the bottom of the rulebase and behaves like a default NAT rule: any traffic that did not match one of the destination NAT rules above it is source translated.

 

In these cases source translation is applied to traffic destined for the external/untrust/public zone. If the source NAT rule is written with source zone any and destination zone external/untrust/public, then traffic that originates in untrust and is destined for untrust also matches the rule and is source translated.

 

Example of an open NAT rule: source zone any, destination zone untrust, source translation to the firewall's public (untrust interface) address.

 

This has an adverse effect on known, trusted traffic: besides the sessions headed to the internet, other legitimate sessions also match this source NAT rule.

Examples of traffic that would match this rule:

  • A ping to the external interface or the public IP of the firewall
  • IPsec VPN Phase 1/IKE negotiation from the peer firewall

 

In both cases the traffic matches the source NAT rule and source translation is applied. The source address is translated to the firewall's public IP, so the firewall now sees a packet whose source and destination IP are the same. It drops that packet immediately at session setup, treating it as a LAND attack (a spoofed packet whose source equals its destination).
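The following is an added example, not code from the Palo Alto Networks article: a minimal model of first-match NAT rulebase evaluation that reproduces the problem described above. An open source NAT rule (source zone any, destination zone untrust) below the destination NAT rules catches inbound untrust-to-untrust traffic aimed at the firewall itself and translates its source to the firewall's public IP, so source equals destination, which is the condition the flow_policy_nat_land counter reports. The same model is run against the corrected rule (source zone trust) to show the difference. Zone names, addresses, ports and rule names are constructed for illustration.

```python
"""Added example (not from the article): first-match NAT evaluation showing how an
open source NAT rule turns inbound traffic to the firewall into a LAND condition."""
from dataclasses import dataclass
from typing import Optional, Tuple

FW_PUBLIC_IP = "203.0.113.10"   # constructed: firewall untrust interface address
PEER_IP = "198.51.100.7"        # constructed: IPsec peer / ping source


@dataclass
class NatRule:
    name: str
    src_zone: str                       # "any" or a pre-NAT zone name
    dst_zone: str                       # "any" or a pre-NAT zone name
    dst_ip: Optional[str]               # None = any destination address
    service: Optional[Tuple[int, int]]  # (protocol, destination port) or None = any
    src_translation: Optional[str]      # translated source address, or None
    dst_translation: Optional[str]      # translated destination address, or None


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None


def matches(rule: NatRule, flow: Flow) -> bool:
    if rule.src_zone not in ("any", flow.src_zone):
        return False
    if rule.dst_zone not in ("any", flow.dst_zone):
        return False
    if rule.dst_ip is not None and rule.dst_ip != flow.dst_ip:
        return False
    if rule.service is not None and rule.service != (flow.proto, flow.dst_port):
        return False
    return True


def apply_nat(rulebase, flow):
    """Top-to-bottom first match, as in the PAN-OS NAT rulebase.
    Returns (matched rule name or None, post-NAT src, post-NAT dst, verdict)."""
    for rule in rulebase:
        if matches(rule, flow):
            src = rule.src_translation or flow.src_ip
            dst = rule.dst_translation or flow.dst_ip
            # A translated packet whose source equals its destination is
            # rejected at session setup as a LAND attack.
            verdict = "drop: flow_policy_nat_land" if src == dst else "allow"
            return rule.name, src, dst, verdict
    return None, flow.src_ip, flow.dst_ip, "allow"   # no NAT rule matched


def open_rulebase():
    """The misconfiguration: source NAT with source zone 'any' at the bottom."""
    return [
        NatRule("dnat-web",  "untrust", "untrust", "203.0.113.20", (6, 443), None, "10.1.1.20"),
        NatRule("dnat-mail", "untrust", "untrust", "203.0.113.21", (6, 25),  None, "10.1.1.21"),
        NatRule("snat-outbound-open", "any", "untrust", None, None, FW_PUBLIC_IP, None),
    ]


def fixed_rulebase():
    """Same rulebase with the source zone of the source NAT rule set to 'trust'."""
    rules = open_rulebase()
    rules[-1] = NatRule("snat-outbound", "trust", "untrust", None, None, FW_PUBLIC_IP, None)
    return rules


def sample_flows():
    # Constructed flows: the two cases from the article plus legitimate traffic.
    return {
        "ike_from_peer":   Flow("untrust", "untrust", PEER_IP, FW_PUBLIC_IP, 17, 500),
        "ping_to_fw":      Flow("untrust", "untrust", PEER_IP, FW_PUBLIC_IP, 1),
        "web_inbound":     Flow("untrust", "untrust", PEER_IP, "203.0.113.20", 6, 443),
        "lan_to_internet": Flow("trust", "untrust", "10.1.1.50", "192.0.2.80", 6, 443),
    }


def evaluate(rulebase):
    return {name: apply_nat(rulebase, flow) for name, flow in sample_flows().items()}


if __name__ == "__main__":
    for label, rulebase in (("open", open_rulebase()), ("fixed", fixed_rulebase())):
        print(f"--- {label} rulebase ---")
        for name, (rule, src, dst, verdict) in evaluate(rulebase).items():
            print(f"{name:16} rule={rule!s:19} {src} -> {dst}  {verdict}")
```

With the open rulebase the IKE and ping flows fall through the destination NAT rules, hit the source NAT rule and come out with 203.0.113.10 as both source and destination; with the source zone set to trust they match no NAT rule and pass untranslated, while outbound LAN traffic is still translated.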

 

Because this is only one of several anomalies an open source NAT rule can cause, the following steps show how to confirm that this is the issue.

 

Troubleshooting Steps

To confirm that the traffic is being dropped as a LAND attack, run the command below and check the counters, specifically the drop counters.

A filter can be configured and applied to the counters so that only the relevant traffic is counted. To create a filter on the CLI, follow these steps.

> debug dataplane packet-diag show setting

 

This command shows the current filter and logging options. Check that no filters have already been set; with nothing configured the output looks like this:

--------------------------------------------------------------------------------

Packet diagnosis setting:

--------------------------------------------------------------------------------

Packet filter

  Enabled:                   no

  Match pre-parsed packet:   no

--------------------------------------------------------------------------------

Logging

  Enabled:                   no

  Log-throttle:              no

  Aggregate-to-single-file:  yes

  Output file size:          113775 of 10485760 Bytes

  Features:

  Counters:

--------------------------------------------------------------------------------

Packet capture

  Enabled:                   no

  Snaplen:                   0

--------------------------------------------------------------------------------

 

If the output differs, clear the existing filters with the following command.

> debug dataplane packet-diag clear all

 

Then set the filter for the IPsec scenario (replace 1.1.1.1 with the peer's IP address and 2.2.2.2 with the local firewall's public IP address):

> debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2 destination-port 500 protocol 17

For the ping scenario use protocol 1 and do not specify a destination port:

> debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2 protocol 1

Then verify the filter:

> debug dataplane packet-diag show setting

 

The output should look like the following:

--------------------------------------------------------------------------------

Packet diagnosis setting:

--------------------------------------------------------------------------------

Packet filter

  Enabled:                   no

  Match pre-parsed packet:   no

  Index 1: 1.1.1.1[0]->2.2.2.2[500], proto 17

           ingress-interface any, egress-interface any, exclude non-IP

--------------------------------------------------------------------------------

Logging

  Enabled:                   no

  Log-throttle:              no

  Aggregate-to-single-file:  yes

  Output file size:          113775 of 10485760 Bytes

  Features:

  Counters:

--------------------------------------------------------------------------------

Packet capture

  Enabled:                   no

  Snaplen:                   0

--------------------------------------------------------------------------------

 

In the GUI, filters can be configured under Monitor > Packet Capture > Filters.

Configure the source IP as the peer IP, the destination IP as the public IP of the firewall, protocol 17 and destination port 500 (for the ping scenario, protocol 1 and no destination port).

 

Turn the filter on (the show setting output above still reports Enabled: no, and the packet-filter yes option below matches nothing until the filter is enabled):

> debug dataplane packet-diag set filter on

Then generate the IPsec or ping traffic, run the following command several times and look for drops due to a LAND attack.

> show counter global filter packet-filter yes delta yes severity drop

 

If the following counter appears each time you run the command, the firewall is dropping the traffic as a LAND attack, that is, source NAT produced a packet whose source equals its destination.

flow_policy_nat_land   drop      Session setup: source NAT IP allocation result in LAND attack
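The following is an added example, not code from the Palo Alto Networks article: it parses consecutive samples of the show counter global output above and reports whether flow_policy_nat_land keeps incrementing, which is the confirmation the procedure looks for. The sample outputs are constructed for illustration and follow the column layout of the real command (name, value, rate, severity, category, aspect, description); the counter values and the second counter in the second sample are made up.

```python
"""Added example (not from the article): detect a persistent flow_policy_nat_land
drop across several samples of `show counter global ... delta yes severity drop`."""
import re

# Columns: name  value  rate  severity  category  aspect  description
COUNTER_LINE = re.compile(
    r"^(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\w+)\s+"
    r"(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<description>.*)$"
)


def parse_drop_counters(output: str) -> dict:
    """Return {counter name: value} for every 'drop' severity line in one sample."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_LINE.match(line)
        if m and m.group("severity") == "drop":
            counters[m.group("name")] = int(m.group("value"))
    return counters


def land_drop_confirmed(samples) -> bool:
    """With 'delta yes' each sample shows only increments since the previous run,
    so the LAND drop is confirmed when the counter is non-zero in every sample."""
    return bool(samples) and all(
        parse_drop_counters(s).get("flow_policy_nat_land", 0) > 0 for s in samples
    )


# Constructed sample outputs (not real device output): two runs while the open
# source NAT rule is in place.
SAMPLE_WHILE_BROKEN = [
    """Global counters:
Elapsed time since last sampling: 4.123 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_policy_nat_land                       3        0 drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------
""",
    """Global counters:
Elapsed time since last sampling: 6.801 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_policy_nat_land                       2        0 drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
flow_fwd_l3_noroute                        1        0 drop      flow      forward   Packets dropped: no route to destination
--------------------------------------------------------------------------------
Total counters shown: 2
--------------------------------------------------------------------------------
""",
]

# Constructed sample after the source zone on the NAT rule has been fixed.
SAMPLE_AFTER_FIX = [
    """Global counters:
Elapsed time since last sampling: 5.002 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
"""
]

if __name__ == "__main__":
    print("LAND drop while broken:", land_drop_confirmed(SAMPLE_WHILE_BROKEN))
    print("LAND drop after fix:   ", land_drop_confirmed(SAMPLE_AFTER_FIX))
```

A counter that shows up in only one sample can be a stale increment from before the filter was applied; the check therefore requires the counter in every delta sample taken while the filtered traffic is being generated.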

 

Resolution

Palo Alto Networks strongly recommends specifying zones when configuring source NAT rules, because it reduces the risk of translating packets that should not be translated. In this example, setting the source zone of the source NAT rule to the internal/trust zone instead of any keeps untrust-to-untrust traffic such as IKE from the peer and pings to the firewall's public IP from matching the rule.

 

owner: dpalani



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW9CAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
