Palo Alto Networks Knowledgebase: LAND Attacks When Configured Source and Destination NAT for Same Public IP Address

Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Resolution

Overview

LAND attacks can occur when an administrator configures destination translation for a DMZ zone server and source translation for Trust zone users using the same public IP address. When traffic from the internal LAN is sent to the firewall's public IP address, source translation is applied to it, leaving the packet with identical source and destination addresses, and the Palo Alto Networks firewall drops it as a LAND attack.

Details

Shown below is the scenario where traffic can be dropped due to a LAND attack.

(Image: dai.JPG, topology of the scenario)

Traffic initiated from the "Trust_L3" zone to the internet will use source translation. The traffic initiated from the public network (Untrust_L3) to the web server (200.1.1.1) will use destination translation.

Here is the NAT configuration for the above scenario.

(Image: nat2.JPG, NAT rules for the scenario)

Traffic from an internal zone (Trust_L3) to the firewall public IP address (200.1.1.1) will hit the source NAT rule, so source translation is applied. The source is translated to the public IP of the firewall, and the firewall immediately drops the traffic because it is considered a LAND attack: the firewall sees the session as having the same source and destination IP address.

Resolution

To confirm that traffic is being dropped due to a LAND attack, run the following command, which shows the global counters, specifically the drop counters.

A packet filter can be configured with the specific source and destination IP addresses and applied to the global counters to narrow the output to that flow, as shown below.

(Image: pc.JPG, packet filter configuration)

After setting the filters and initiating ping traffic to the firewall public IP from the internal LAN, run the command below to check for drops due to a LAND attack.

> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 17.60  seconds

name                     value     rate severity  category  aspect    description
---------------------------------------------------------------------------------
flow_policy_nat_land      3         0   drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
---------------------------------------------------------------------------------
Total counters shown: 1
---------------------------------------------------------------------------------
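The counter table above is easy to check by eye once, but in a troubleshooting session the same command is typically re-run and its output collected. The following added example (not part of the article, and not a Palo Alto Networks tool) parses the text of `show counter global` into structured rows and reports how many sessions the sampled delta dropped as LAND attacks. The sample output embedded in the code is the article's own output reproduced as a string; the function names are the example's own.

```python
from typing import List, NamedTuple, Optional

# Sample output: the table shown in the article, reproduced here as a constructed
# string so the parser can run offline.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 17.60  seconds

name                     value     rate severity  category  aspect    description
---------------------------------------------------------------------------------
flow_policy_nat_land      3         0   drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
---------------------------------------------------------------------------------
Total counters shown: 1
---------------------------------------------------------------------------------
"""


class GlobalCounter(NamedTuple):
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_global_counters(text: str) -> List[GlobalCounter]:
    """Parse the counter table from 'show counter global'.

    Counter rows have seven whitespace-separated fields; the description is the
    last one and may itself contain spaces, so the split is capped at six.
    Header, separator and summary lines fail the numeric checks and are skipped.
    With 'delta yes' the value column is the change since the previous sample.
    """
    rows: List[GlobalCounter] = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) != 7 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue
        rows.append(GlobalCounter(parts[0], int(parts[1]), int(parts[2]),
                                  parts[3], parts[4], parts[5], parts[6]))
    return rows


def elapsed_seconds(text: str) -> Optional[float]:
    """Return the sampling interval reported in the output, if present."""
    for line in text.splitlines():
        if line.startswith("Elapsed time since last sampling:"):
            return float(line.split(":", 1)[1].split()[0])
    return None


def land_attack_drops(text: str) -> int:
    """Sum the flow_policy_nat_land drop counter over the parsed rows."""
    return sum(c.value for c in parse_global_counters(text)
               if c.name == "flow_policy_nat_land" and c.severity == "drop")


if __name__ == "__main__":
    drops = land_attack_drops(SAMPLE_OUTPUT)
    secs = elapsed_seconds(SAMPLE_OUTPUT)
    if drops:
        print(f"{drops} session(s) dropped as LAND attack in the last {secs}s sample; "
              f"check for a source NAT rule that translates to the destination IP")
    else:
        print("no LAND attack drops in this sample")
```

A non-zero `flow_policy_nat_land` while the packet filter is scoped to the internal host and the firewall's public IP points directly at the NAT configuration described above rather than at a spoofed packet from outside.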

Resolution

Create a "No NAT" rule for traffic from internal LAN (Trust_L3) to the firewall IP address (200.1.1.1), as shown below.

(Image: No NAt.JPG, the "No NAT" rule)

Traffic from the internal LAN (Trust_L3) to the firewall IP address (200.1.1.1) will hit the "No NAT" rule and not be subject to NAT translation, so the source address is left unchanged and the session is no longer seen as a LAND attack.
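The following added example (written for this page, not Palo Alto Networks code) models the NAT policy evaluation behind the problem and the fix: NAT rules are matched top-down on pre-NAT zones and addresses and the first match wins, so a "No NAT" rule only helps if it sits above the source NAT rule. The firewall public IP 200.1.1.1 and the zone names come from the article; the Trust_L3 subnet, the web server's private address, the internal host and the rule names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address

# From the article: the one public IP shared by source and destination NAT.
FIREWALL_PUBLIC_IP = ipaddress.ip_address("200.1.1.1")
# Constructed values; the article does not give the internal addressing.
TRUST_SUBNET = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER_PRIVATE_IP = ipaddress.ip_address("10.10.10.10")
TRUST_HOST = "192.168.1.50"


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst_match: Optional[IPv4]                 # None means any destination
    src_translate_to: Optional[IPv4] = None
    dst_translate_to: Optional[IPv4] = None
    # A rule with neither translation set is a "No NAT" rule.

    def matches(self, from_zone: str, to_zone: str, dst: IPv4) -> bool:
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and (self.dst_match is None or self.dst_match == dst))


@dataclass
class Verdict:
    rule: Optional[str]      # matching NAT rule, or None if none matched
    src: IPv4                # post-NAT source
    dst: IPv4                # post-NAT destination
    dropped: bool
    counter: str = ""        # global counter that would increment on a drop


def zone_for(ip: IPv4) -> str:
    # Simplified zone lookup: the Trust subnet is Trust_L3; everything else,
    # including the firewall's own public IP, is reached via Untrust_L3.
    return "Trust_L3" if ip in TRUST_SUBNET else "Untrust_L3"


def apply_nat(rules: List[NatRule], src: IPv4, dst: IPv4) -> Verdict:
    """Evaluate the NAT policy top-down on pre-NAT zones/addresses; first match
    wins. If translation leaves source == destination, the session setup is
    dropped and flow_policy_nat_land is incremented, as the article shows."""
    from_zone, to_zone = zone_for(src), zone_for(dst)
    for rule in rules:
        if not rule.matches(from_zone, to_zone, dst):
            continue
        new_src = src if rule.src_translate_to is None else rule.src_translate_to
        new_dst = dst if rule.dst_translate_to is None else rule.dst_translate_to
        if new_src == new_dst:
            return Verdict(rule.name, new_src, new_dst, True, "flow_policy_nat_land")
        return Verdict(rule.name, new_src, new_dst, False)
    return Verdict(None, src, dst, False)


def evaluate(rules: List[NatRule], src: str, dst: str) -> Verdict:
    return apply_nat(rules, ipaddress.ip_address(src), ipaddress.ip_address(dst))


# Hypothetical rule names; the translations mirror the article's scenario.
SRC_NAT = NatRule("Trust-to-Internet-SNAT", "Trust_L3", "Untrust_L3", None,
                  src_translate_to=FIREWALL_PUBLIC_IP)
DST_NAT = NatRule("Inbound-WebServer-DNAT", "Untrust_L3", "Untrust_L3",
                  FIREWALL_PUBLIC_IP, dst_translate_to=WEB_SERVER_PRIVATE_IP)
NO_NAT = NatRule("No-NAT-Trust-to-Firewall", "Trust_L3", "Untrust_L3",
                 FIREWALL_PUBLIC_IP)

POLICY_BEFORE = [SRC_NAT, DST_NAT]              # the article's failing setup
POLICY_FIXED = [NO_NAT, SRC_NAT, DST_NAT]       # No NAT rule above the SNAT rule
POLICY_MISORDERED = [SRC_NAT, NO_NAT, DST_NAT]  # No NAT rule placed too low


def ping_firewall(rules: List[NatRule]) -> Verdict:
    """An internal host sends traffic to the firewall's public IP."""
    return evaluate(rules, TRUST_HOST, str(FIREWALL_PUBLIC_IP))


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("fixed", POLICY_FIXED),
                          ("misordered", POLICY_MISORDERED)):
        v = ping_firewall(policy)
        print(f"{label:10} rule={v.rule} {v.src}->{v.dst} dropped={v.dropped} {v.counter}")
    # Internet-bound and inbound web traffic still translate as intended.
    print(evaluate(POLICY_FIXED, TRUST_HOST, "203.0.113.9"))
    print(evaluate(POLICY_FIXED, "198.51.100.7", str(FIREWALL_PUBLIC_IP)))
```

The misordered policy is the case worth remembering: the "No NAT" rule must be placed above the broader source NAT rule, otherwise the source NAT rule matches first and the drop continues. The last two evaluations confirm the fix does not disturb outbound source translation or the inbound destination translation to the web server.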

owner: sbabu
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt0CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail