<<< Date Index >>>     <<< Thread Index >>>

RE: Windows Server 2003 and XP SP2 LAND attack vulnerability



FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or 
XP SP1
using exact packets that work on SP2.

-ae

>----- Original Message ----- 
>From: "Jon O." <jono@xxxxxxxxxxxxxxxxxx>
>To: "Dejan Levaja" <dejan@xxxxxxxxxx>
>Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
>Sent: Monday, March 07, 2005 3:55 PM
>Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>
>
>> All:
>>
>> I would like to hear from someone who can reproduce this. If 
>you can, 
>> please send
>> details with OS, patches installed, pcaps, etc. not a report 
>of what tools 
>> you used
>> to create the packet, sniff and replay the results. I've 
>tested this and 
>> either my
>> machines are magically protected from this attack, or it is invalid 
>> (despite what
>> the press might say). I'd like some outside corroboration of 
>this attack.
>>
>>
>> On 05-Mar-2005, Dejan Levaja wrote:
>>>
>>>
>>> Hello, everyone.
>>>
>>> Windows Server 2003 and XP SP2 (with Windows Firewall 
>turned off)  are 
>>> vulnerable to LAND attack.
>>>
>>> LAND attack:
>>>  Sending TCP packet with SYN flag set, source and 
>destination IP address 
>>> and source and destination port as of destination machine, 
>results in 
>>> 15-30 seconds DoS condition.
>>>
>>>
>>> Tools used:
>>>  IP Sorcery for creating malicious packet, Ethereal for 
>sniffing it and 
>>> tcpreplay for replaying.
>>>
>>> Results:
>>>  Sending single LAND packet to file server causes Windows explorer 
>>> freezing on all workstations currently connected to the 
>server. CPU on 
>>> server goes 100%. Network monitor on the victim server 
>sometimes can not 
>>> even sniff malicious packet. Using tcpreplay to script this attack 
>>> results in total collapse of the network.
>>>
>>> Vulnerable operating systems:
>>> Windows 2003
>>> XP SP2
>>> other OS not tested (I have other things to do currently ? 
>like checking 
>>> firewalls on my networks ;) )
>>>
>>> Solution:
>>>  Use Windows Firewall on workstations, use some firewall capable of 
>>> detecting LAND attacks in front of your servers.
>>>
>>> Ethic:
>>>  Microsoft was informed 7 days ago (25.02.2005, GMT +1, 
>local time), NO 
>>> answer received, so I decided to share this info with 
>security community.
>>>
>>>
>>> Dejan Levaja
>>> System Engineer
>>> Bulevar JNA 251
>>> 11000 Belgrade
>>> Serbia and Montenegro
>>> cell: +381.64.36.00.468
>>> email: dejan@xxxxxxxxxx
>>>
>> 
>
>
>