Hello, everyone. Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are vulnerable to LAND attack. LAND attack: Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition. Tools used: IP Sorcery for creating malicious packet, Ethereal for sniffing it and tcpreplay for replaying. Results: Sending single LAND packet to file server causes Windows explorer freezing on all workstations currently connected to the server. CPU on server goes 100%. Network monitor on the victim server sometimes can not even sniff malicious packet. Using tcpreplay to script this attack results in total collapse of the network. Vulnerable operating systems: Windows 2003 XP SP2 other OS not tested (I have other things to do currently ? like checking firewalls on my networks ;) ) Solution: Use Windows Firewall on workstations, use some firewall capable of detecting LAND attacks in front of your servers. Ethic: Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. Dejan Levaja System Engineer Bulevar JNA 251 11000 Belgrade Serbia and Montenegro cell: +381.64.36.00.468 email: dejan@xxxxxxxxxx
