LAND Attacks When Configured Source and Destination NAT for Same Public IP Address
Resolution
Overview
LAND attacks can occur when an administrator configures destination translation for a DMZ zone server and source translation for Trust zone users with the same public IP address. When traffic from the internal LAN is sent to the firewall's public IP address, source translation is applied and the packet is dropped by the Palo Alto Networks firewall, because a packet whose source and destination addresses are identical is considered a LAND attack.
Details
Shown below is the scenario where traffic can be dropped due to a LAND attack.
Traffic initiated from the "Trust_L3" zone to the internet will use source translation. The traffic initiated from the public network (Untrust_L3) to the web server (200.1.1.1) will use destination translation.
Here is the NAT configuration for the above scenario.
Traffic from an internal zone (Trust_L3) to the firewall public IP address (200.1.1.1) will hit the source NAT rule, which will cause a source translation to be applied to the traffic. The source will be translated to the public IP of the firewall and the firewall will immediately drop this traffic because it will be considered a LAND attack. The firewall would see this traffic as the same source and destination IP address.
To confirm that traffic is being dropped due to a LAND attack, run the following command, which displays the global counters, specifically the drop counters.
A packet filter can be configured with a specific source and destination IP address and applied to the global counters to narrow the output, as shown below.
After setting the filters and initiating "Ping" traffic to the firewall public IP from the internal LAN, run the command below to check for drops due to a LAND attack.
> show counter global filter packet-filter yes delta yes severity drop
Global counters:
Elapsed time since last sampling: 17.60 seconds
name value rate severity category aspect description
---------------------------------------------------------------------------------
flow_policy_nat_land 3 0 drop flow session Session setup: source NAT IP allocation result in LAND attack
---------------------------------------------------------------------------------
Total counters shown: 1
---------------------------------------------------------------------------------
Resolution
Create a "No NAT" rule for traffic from internal LAN (Trust_L3) to the firewall IP address (200.1.1.1), as shown below.
Traffic from the internal LAN Trust_L3 to the firewall IP address (200.1.1.1) will hit the "No NAT" rule and not be subject to NAT translation.
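As an added illustration (not part of this article or of PAN-OS), the following Python model evaluates NAT rules top-down, first match wins, and shows why the source NAT rule turns an internal ping to 200.1.1.1 into a same-source-and-destination packet that is dropped under the flow_policy_nat_land counter, and why a "No NAT" rule placed above it avoids the drop. Rule names, the route table and the internal/DMZ addresses are constructed assumptions.

```python
"""Model of top-down NAT rule evaluation (first match wins) for the
Trust_L3 -> 200.1.1.1 scenario: source NAT yields a LAND drop, a
"No NAT" rule ordered above it does not. Illustrative only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC_IP = "200.1.1.1"  # firewall public IP from the article

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst_match: str                   # destination prefix the rule matches
    src_xlate: Optional[str] = None  # translated source; None = no change
    dst_xlate: Optional[str] = None  # translated destination; None = no change

@dataclass
class Packet:
    from_zone: str
    src: str
    dst: str

# Constructed route table: pre-NAT destination IP -> egress zone.
ROUTES = {"192.168.1.0/24": "DMZ_L3", "0.0.0.0/0": "Untrust_L3"}

def egress_zone(dst: str) -> str:
    """Longest-prefix match of the original destination to find the to-zone."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]

def evaluate(rules: List[NatRule], pkt: Packet) -> Tuple[str, str]:
    """Return ('drop', counter) or ('allow', matched rule name)."""
    to_zone = egress_zone(pkt.dst)
    for r in rules:
        if (r.from_zone == pkt.from_zone and r.to_zone == to_zone
                and ip_address(pkt.dst) in ip_network(r.dst_match)):
            src = r.src_xlate or pkt.src
            dst = r.dst_xlate or pkt.dst
            if src == dst:  # identical src/dst after NAT: LAND attack, dropped
                return "drop", "flow_policy_nat_land"
            return "allow", r.name
    return "allow", "no-nat-rule-matched"

SRC_NAT = NatRule("Trust-to-Internet", "Trust_L3", "Untrust_L3", "0.0.0.0/0", src_xlate=PUBLIC_IP)
DST_NAT = NatRule("Web-Server-DNAT", "Untrust_L3", "Untrust_L3", PUBLIC_IP + "/32", dst_xlate="192.168.1.10")
NO_NAT = NatRule("No-NAT-to-Firewall", "Trust_L3", "Untrust_L3", PUBLIC_IP + "/32")

BROKEN = [DST_NAT, SRC_NAT]         # policy from the article's scenario
FIXED = [NO_NAT, DST_NAT, SRC_NAT]  # "No NAT" rule evaluated first

if __name__ == "__main__":
    ping = Packet("Trust_L3", "10.1.1.5", PUBLIC_IP)  # constructed internal host
    print(evaluate(BROKEN, ping))  # ('drop', 'flow_policy_nat_land')
    print(evaluate(FIXED, ping))   # ('allow', 'No-NAT-to-Firewall')
```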
owner: sbabu