
RE: Windows Server 2003 and XP SP2 LAND attack vulnerability



That's interesting.
I haven't tested my 2k3 box yet, but have tested against XP SP1
(Pentium 4 2.6G).
I didn't get the 100% load on the CPU that others have reported, but
did get symptoms.
I tried ports 135, 139 and 445.
When I tried ports 135 and 139 I saw the average CPU load on the
target machine average 50-60%.
When I tried port 445 I saw the average load become 60-70%.
Some tweaking of packet sizes and intervals gave me an average of
about 75% load with the occasional spike up to 90%.

The machine was still completely usable.

The machine wasn't running any apps so I figured this could be the
cause. I have still yet to try it with a load already running.

However, what you're seeing could possibly account for this, and I am
now eager to try it on my 2k3 machine.

I used hping to send the packets, as below (the interval time didn't
make too much difference (a second was fine), and the data size
really didn't make much difference at all - in fact it was pretty much
the same with a straight SYN packet):

hping2 192.168.1.5 -s 445 -d 445 -a 192.168.1.5 -i u55 -d 0x15

>
>---- Original Message ----
>From: Arian.Evans@xxxxxxxxxxxxxxxxxxx
>To: jono@xxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx,
>dejan@xxxxxxxxxx
>Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability
>Date: Tue, 8 Mar 2005 16:35:23 -0600
>
>>FWIW in addition to all the SP2 responses note: cannot replicate on
>>2000 SP4 or XP SP1 using exact packets that work on SP2.
>>
>>-ae
>>
>>>----- Original Message -----
>>>From: "Jon O." <jono@xxxxxxxxxxxxxxxxxx>
>>>To: "Dejan Levaja" <dejan@xxxxxxxxxx>
>>>Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
>>>Sent: Monday, March 07, 2005 3:55 PM
>>>Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>>>
>>>
>>>> All:
>>>>
>>>> I would like to hear from someone who can reproduce this. If you can,
>>>> please send details with OS, patches installed, pcaps, etc. not a report
>>>> of what tools you used to create the packet, sniff and replay the results.
>>>> I've tested this and either my machines are magically protected from
>>>> this attack, or it is invalid (despite what the press might say). I'd
>>>> like some outside corroboration of this attack.
>>>>
>>>>
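The thread above is about reproducing the effect on hosts; the detection side is the part a defender actually owns. A LAND packet is recognisable on the wire without any host symptoms: a TCP SYN whose source address and port equal its destination address and port. The following is an added example, not code from any of the posters, that parses tcpdump-style capture lines (a constructed sample is embedded) and flags that pattern, treating loopback traffic as the legitimate exception. The line format, the sample addresses and the function names are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample capture in a tcpdump-like shape (not a real pcap).
# Lines 1 and 5 carry the LAND signature (src == dst, sport == dport, bare SYN);
# line 4 is loopback and should not alert; line 6 is noise.
SAMPLE_CAPTURE = [
    "12:00:00.000001 IP 192.168.1.5.445 > 192.168.1.5.445: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000002 IP 192.168.1.7.52011 > 192.168.1.5.445: Flags [S], seq 9, win 64240, length 0",
    "12:00:00.000003 IP 192.168.1.5.445 > 192.168.1.7.52011: Flags [S.], seq 3, ack 10, win 8192, length 0",
    "12:00:00.000004 IP 127.0.0.1.8080 > 127.0.0.1.8080: Flags [S], seq 5, win 512, length 0",
    "12:00:00.000005 IP 192.168.1.5.139 > 192.168.1.5.139: Flags [S], seq 2, win 512, length 0",
    "not a tcp line",
]

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" (assumed line shape).
_LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class TcpHeader:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Optional[TcpHeader]:
    """Extract the TCP 4-tuple and flag string; None for lines that don't match."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return TcpHeader(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def is_land_packet(pkt: TcpHeader) -> bool:
    """LAND signature: a bare SYN whose source 2-tuple equals its destination 2-tuple."""
    # 127.0.0.1 -> 127.0.0.1 is ordinary local traffic, not spoofing.
    if ipaddress.ip_address(pkt.src).is_loopback:
        return False
    syn_only = "S" in pkt.flags and "." not in pkt.flags  # [S] but not [S.] (SYN-ACK)
    return syn_only and pkt.src == pkt.dst and pkt.sport == pkt.dport


def land_alerts(lines: List[str]) -> List[Tuple[int, TcpHeader]]:
    """Return (line_index, header) for every LAND-style packet in the capture."""
    alerts = []
    for idx, line in enumerate(lines):
        pkt = parse_line(line)
        if pkt is not None and is_land_packet(pkt):
            alerts.append((idx, pkt))
    return alerts


if __name__ == "__main__":
    for idx, pkt in land_alerts(SAMPLE_CAPTURE):
        print(f"line {idx}: LAND packet {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Any packet with a source address equal to its destination arriving on an external interface is already bogus, so a border filter that drops such packets (plain anti-spoofing) removes the whole class regardless of which OS build is susceptible; the detector above is the complementary visibility piece for a sensor or log pipeline.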