RE: Windows Server 2003 and XP SP2 LAND attack vulnerability
FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or
XP SP1 using exact packets that work on SP2.
-ae
>----- Original Message -----
>From: "Jon O." <jono@xxxxxxxxxxxxxxxxxx>
>To: "Dejan Levaja" <dejan@xxxxxxxxxx>
>Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
>Sent: Monday, March 07, 2005 3:55 PM
>Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>
>
>> All:
>>
>> I would like to hear from someone who can reproduce this. If you can,
>> please send details with OS, patches installed, pcaps, etc. not a report
>> of what tools you used to create the packet, sniff and replay the results.
>> I've tested this and either my machines are magically protected from this
>> attack, or it is invalid (despite what the press might say). I'd like some
>> outside corroboration of this attack.
>>
>>
>> On 05-Mar-2005, Dejan Levaja wrote:
>>>
>>>
>>> Hello, everyone.
>>>
>>> Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are
>>> vulnerable to LAND attack.
>>>
>>> LAND attack:
>>> Sending TCP packet with SYN flag set, source and destination IP address
>>> and source and destination port as of destination machine, results in
>>> 15-30 seconds DoS condition.
>>>
>>>
>>> Tools used:
>>> IP Sorcery for creating malicious packet, Ethereal for sniffing it and
>>> tcpreplay for replaying.
>>>
>>> Results:
>>> Sending single LAND packet to file server causes Windows explorer
>>> freezing on all workstations currently connected to the server. CPU on
>>> server goes 100%. Network monitor on the victim server sometimes can not
>>> even sniff malicious packet. Using tcpreplay to script this attack
>>> results in total collapse of the network.
>>>
>>> Vulnerable operating systems:
>>> Windows 2003
>>> XP SP2
>>> other OS not tested (I have other things to do currently - like checking
>>> firewalls on my networks ;) )
>>>
>>> Solution:
>>> Use Windows Firewall on workstations, use some firewall capable of
>>> detecting LAND attacks in front of your servers.
>>>
>>> Ethic:
>>> Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO
>>> answer received, so I decided to share this info with security community.
>>>
>>>
>>> Dejan Levaja
>>> System Engineer
>>> Bulevar JNA 251
>>> 11000 Belgrade
>>> Serbia and Montenegro
>>> cell: +381.64.36.00.468
>>> email: dejan@xxxxxxxxxx
>>>
>>
>
>
>