Bugtraq mailing list archives
Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
From: Espen "Grndahl" <espen.groendahl () siemens com>
Date: 8 Mar 2005 07:29:41 -0000
In-Reply-To: <20050307215532.GA24251 () logos microshaft org> Hello I've been able to reproduce this. I used ipmagic on debian 3.0 and sendt a packet to a fully patched Windows 2003 server running on Vmware ESX server. I got a 1-5 sec. 100% load on the CPU on the target server. 1 packet/pr. sec. was enough to keep the CPU on 100% load. Espen Grøndahl
Received: (qmail 25355 invoked from network); 8 Mar 2005 04:31:31 -0000 Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27) by mail.securityfocus.com with SMTP; 8 Mar 2005 04:31:31 -0000 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing3.securityfocus.com (Postfix) with QMQP id 663A42373B4; Mon, 7 Mar 2005 15:12:20 -0700 (MST) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 30519 invoked from network); 7 Mar 2005 14:39:33 -0000 Date: Mon, 7 Mar 2005 13:55:32 -0800 From: "Jon O." <jono () networkcommand com> To: Dejan Levaja <dejan () levaja com> Cc: bugtraq () securityfocus com Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability Message-ID: <20050307215532.GA24251 () logos microshaft org> References: <20050305181714.22945.qmail () www securityfocus com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050305181714.22945.qmail () www securityfocus com> User-Agent: Mutt/1.4.1i X-No-Archive: yes X-Scanned-By: logoscan All: I would like to hear from someone who can reproduce this. If you can, please send details with OS, patches installed, pcaps, etc. not a report of what tools you used to create the packet, sniff and replay the results. I've tested this and either my machines are magically protected from this attack, or it is invalid (despite what the press might say). I'd like some outside corroboration of this attack. On 05-Mar-2005, Dejan Levaja wrote:Hello, everyone. Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are vulnerable to LAND attack. LAND attack: Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition. Tools used: IP Sorcery for creating malicious packet, Ethereal for sniffing it and tcpreplay for replaying. Results: Sending single LAND packet to file server causes Windows explorer freezing on all workstations currently connected to the server. CPU on server goes 100%. Network monitor on the victim server sometimes can not even sniff malicious packet. Using tcpreplay to script this attack results in total collapse of the network. Vulnerable operating systems: Windows 2003 XP SP2 other OS not tested (I have other things to do currently ? like checking firewalls on my networks ;) ) Solution: Use Windows Firewall on workstations, use some firewall capable of detecting LAND attacks in front of your servers. Ethic: Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. Dejan Levaja System Engineer Bulevar JNA 251 11000 Belgrade Serbia and Montenegro cell: +381.64.36.00.468 email: dejan () levaja com
Current thread:
- Windows Server 2003 and XP SP2 LAND attack vulnerability Dejan Levaja (Mar 05)
- <Possible follow-ups>
- Re: Windows Server 2003 and XP SP2 LAND attack vulnerability paul14075 (Mar 08)
- Re: Windows Server 2003 and XP SP2 LAND attack vulnerability Grndahl (Mar 08)
- Re: Windows Server 2003 and XP SP2 LAND attack vulnerability caldcv (Mar 08)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Detection Services - IS Security (Mar 10)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Miguel Angel Rodríguez Jódar (Mar 12)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Evans, Arian (Mar 10)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Daniel Cross (Mar 12)