Bugtraq mailing list archives
RE: Windows Server 2003 and XP SP2 LAND attack vulnerability
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 8 Mar 2005 16:35:23 -0600
FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or XP SP1 using exact packets that work on SP2.

-ae

----- Original Message -----
From: "Jon O." <jono () networkcommand com>
To: "Dejan Levaja" <dejan () levaja com>
Cc: <bugtraq () securityfocus com>
Sent: Monday, March 07, 2005 3:55 PM
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability

All:

I would like to hear from someone who can reproduce this. If you can, please send details with OS, patches installed, pcaps, etc. not a report of what tools you used to create the packet, sniff and replay the results. I've tested this and either my machines are magically protected from this attack, or it is invalid (despite what the press might say). I'd like some outside corroboration of this attack.

On 05-Mar-2005, Dejan Levaja wrote:

Hello, everyone.

Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are vulnerable to LAND attack.

LAND attack:
Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition.

Tools used:
IP Sorcery for creating malicious packet, Ethereal for sniffing it and tcpreplay for replaying.

Results:
Sending single LAND packet to file server causes Windows explorer freezing on all workstations currently connected to the server. CPU on server goes 100%. Network monitor on the victim server sometimes can not even sniff malicious packet. Using tcpreplay to script this attack results in total collapse of the network.

Vulnerable operating systems:
Windows 2003
XP SP2
other OS not tested (I have other things to do currently - like checking firewalls on my networks ;) )

Solution:
Use Windows Firewall on workstations, use some firewall capable of detecting LAND attacks in front of your servers.

Ethic:
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.

Dejan Levaja
System Engineer
Bulevar JNA 251
11000 Belgrade
Serbia and Montenegro
cell: +381.64.36.00.468
email: dejan () levaja com