RE: Windows Server 2003 and XP SP2 LAND attack vulnerability

[Miguel Angel Rodríguez Jódar <rodriguj () atc us es>]

> I would like to hear from someone who can reproduce this. If you can,
> please send
> details with OS, patches installed, pcaps, etc. not a report of what

I've tested the original land attack against a Windows XP box SP2, spanish
version, fw disabled, patches up to date, attacker and victim on the same
subnet. Tested on ports 139, 445 and 4899 (remote administrator service). In
all cases, after sending one "landed" packet, CPU usage raised from 2% to
77% and from then, to 100%, then back to 2%. The whole sequence took about
20 seconds.

If I tried the attack while the screensaver was active, it halted for those
20 seconds, and then back to normal.

I've not been able to reproduce this on a XP SP2 behind a firewall, with a
port mapped from the firewall to the machine. I tried modifying the land
source code to use a source IP identical to the machine internal IP, in the
hope that, after NAT translation, IP source and IP destination will be the
same and the attack would work, but no luck.

Tried also on a XP SP2, same characteristics as the previous one, but this
time not on my subnet, but many routers away. Apparently, no bad effects.

I took the land binary to a Linux machine on the same subnet as this second
XP box. Tried again and it worked!

After this test, I enabled Zone Alarm on this WinXP box and tried again:
this time it worked, but it was necesary about 30 packets (1 second packet
rate) to raise CPU usage to 100%. Inmediately after stopping the packet
generator, the CPU usage came back to normal.

Hope this helps on clarifying the matter.

--
Miguel Angel Rodriguez Jodar | http://www.atc.us.es
Departamento de Arquitectura y Tecnologia de Computadores
Universidad de Sevilla
Spain