Bugtraq mailing list archives

RE: Windows Server 2003 and XP SP2 LAND attack vulnerability

From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 8 Mar 2005 16:35:23 -0600

FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or XP SP1
using exact packets that work on SP2.

-ae

----- Original Message ----- 
From: "Jon O." <jono () networkcommand com>
To: "Dejan Levaja" <dejan () levaja com>
Cc: <bugtraq () securityfocus com>
Sent: Monday, March 07, 2005 3:55 PM
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability

All:

I would like to hear from someone who can reproduce this. If

you can,

please send
details with OS, patches installed, pcaps, etc. not a report

of what tools

you used
to create the packet, sniff and replay the results. I've

tested this and

either my
machines are magically protected from this attack, or it is invalid 
(despite what
the press might say). I'd like some outside corroboration of

this attack.



On 05-Mar-2005, Dejan Levaja wrote:



Hello, everyone.

Windows Server 2003 and XP SP2 (with Windows Firewall

turned off)  are

vulnerable to LAND attack.

LAND attack:
 Sending TCP packet with SYN flag set, source and

destination IP address

and source and destination port as of destination machine,

results in

15-30 seconds DoS condition.


Tools used:
 IP Sorcery for creating malicious packet, Ethereal for

sniffing it and

tcpreplay for replaying.

Results:
 Sending single LAND packet to file server causes Windows explorer 
freezing on all workstations currently connected to the

server. CPU on

server goes 100%. Network monitor on the victim server

sometimes can not

even sniff malicious packet. Using tcpreplay to script this attack 
results in total collapse of the network.

Vulnerable operating systems:
Windows 2003
XP SP2
other OS not tested (I have other things to do currently ?

like checking

firewalls on my networks ;) )

Solution:
 Use Windows Firewall on workstations, use some firewall capable of 
detecting LAND attacks in front of your servers.

Ethic:
 Microsoft was informed 7 days ago (25.02.2005, GMT +1,

local time), NO

answer received, so I decided to share this info with

security community.



Dejan Levaja
System Engineer
Bulevar JNA 251
11000 Belgrade
Serbia and Montenegro
cell: +381.64.36.00.468
email: dejan () levaja com

Current thread:

Windows Server 2003 and XP SP2 LAND attack vulnerability Dejan Levaja (Mar 05)
- <Possible follow-ups>
- Re: Windows Server 2003 and XP SP2 LAND attack vulnerability paul14075 (Mar 08)
- Re: Windows Server 2003 and XP SP2 LAND attack vulnerability Grndahl (Mar 08)
- Re: Windows Server 2003 and XP SP2 LAND attack vulnerability caldcv (Mar 08)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Detection Services - IS Security (Mar 10)
  - RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Miguel Angel Rodríguez Jódar (Mar 12)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Evans, Arian (Mar 10)
- RE: Windows Server 2003 and XP SP2 LAND attack vulnerability Daniel Cross (Mar 12)