Bugtraq mailing list archives

RE: Windows Server 2003 and XP SP2 LAND attack vulnerability


From: "Daniel Cross" <dcross () woosh co nz>
Date: Fri, 11 Mar 2005 13:58:41 +1300

That's interesting.
I haven't tested my 2k3 box yet, but have tested against XP SP1
(Pentium 4 2.6G).
I didn't get the 100% load on the CPU that others have reported, but
did get symptoms.
I tried ports 135, 139 and 445.
When I tried ports 135 and 139 I saw the average CPU load on the
target machine average 50-60%.
When I tried port 445 I saw the average load become 60-70%.
Some tweaking of packet sizes and intervals gave me an average of
about 75% load with the occasional spike up to 90%.

The machine was still completely usable.

The machine wasn't running any apps, so I figured this could be the
cause. I have yet to try it with a load already running.

However, what you're seeing could possibly account for this, and I am
now eager to try it on my 2k3 machine.

I used hping to send the packets, as below (the interval time didn't
make too much difference (a second was fine), and the data size
really didn't make much difference at all - in fact it was pretty much
the same with a straight SYN packet):

hping2 192.168.1.5 -s 445 -d 445 -a 192.168.1.5 -i u55 -d 0x15


---- Original Message ----
From: Arian.Evans () fishnetsecurity com
To: jono () networkcommand com, bugtraq () securityfocus com,
dejan () levaja com
Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability
Date: Tue, 8 Mar 2005 16:35:23 -0600

FWIW, in addition to all the SP2 responses, note: cannot replicate on
2000 SP4 or XP SP1 using exact packets that work on SP2.

-ae

----- Original Message ----- 
From: "Jon O." <jono () networkcommand com>
To: "Dejan Levaja" <dejan () levaja com>
Cc: <bugtraq () securityfocus com>
Sent: Monday, March 07, 2005 3:55 PM
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability


All:

I would like to hear from someone who can reproduce this. If you can,
please send details with OS, patches installed, pcaps, etc. not a
report of what tools you used to create the packet, sniff and replay
the results. I've tested this and either my machines are magically
protected from this attack, or it is invalid (despite what the press
might say). I'd like some outside corroboration of this attack.
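For anyone checking the pcaps requested above rather than eyeballing them, here is an added detection example (not code from any poster in this thread): it decodes raw IPv4/TCP headers and flags SYN packets whose source and destination address and port are identical, which is the LAND signature. The two sample packets are constructed in memory purely as test input; nothing is transmitted.

```python
import socket
import struct

TCP_SYN = 0x02


def parse_ipv4_tcp(packet: bytes):
    """Decode addressing fields of a raw IPv4/TCP packet (no link layer).

    Returns a dict with src/dst IP, src/dst port and TCP flags, or None
    if the bytes are not a complete IPv4 header followed by a TCP header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                       # not TCP, or truncated
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F       # low six bits: URG..FIN
    return {"src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "flags": flags}


def is_land_packet(packet: bytes) -> bool:
    """LAND: a SYN whose source and destination IP:port are identical."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None:
        return False
    return (hdr["src_ip"] == hdr["dst_ip"]
            and hdr["src_port"] == hdr["dst_port"]
            and hdr["flags"] & TCP_SYN != 0)


def land_alerts(packets):
    """Return one alert line per LAND packet found in the capture."""
    alerts = []
    for idx, pkt in enumerate(packets):
        if is_land_packet(pkt):
            h = parse_ipv4_tcp(pkt)
            alerts.append(f"packet {idx}: LAND SYN {h['src_ip']}:{h['src_port']}"
                          f" -> {h['dst_ip']}:{h['dst_port']}")
    return alerts


# Constructed sample packets (checksums left zero; never sent anywhere).
# LAND: 192.168.1.5:445 -> 192.168.1.5:445 with SYN set.
LAND_PKT = bytes.fromhex(
    "45000028000100004006" "0000" "c0a80105" "c0a80105"        # IPv4
    "01bd01bd" "00000001" "00000000" "5002" "2000" "00000000")  # TCP
# Ordinary SYN: 192.168.1.7:50000 -> 192.168.1.5:445.
NORMAL_PKT = bytes.fromhex(
    "45000028000100004006" "0000" "c0a80107" "c0a80105"
    "c35001bd" "00000001" "00000000" "5002" "2000" "00000000")
```

Feed it the packets from a capture (e.g. via a pcap reader, stripping the Ethernet header first) and anything it reports is worth correlating with the CPU spikes described in this thread.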
