In-Reply-To: <20050307215532.GA24251@xxxxxxxxxxxxxxxxxxxx>

Hello

I've been able to reproduce this. I used ipmagic on Debian 3.0 and sent a packet to a fully patched Windows 2003 server running on VMware ESX server. I got a 1-5 sec. 100% load on the CPU on the target server. 1 packet per sec. was enough to keep the CPU on 100% load.

Espen Grøndahl

>Date: Mon, 7 Mar 2005 13:55:32 -0800
>From: "Jon O." <jono@xxxxxxxxxxxxxxxxxx>
>To: Dejan Levaja <dejan@xxxxxxxxxx>
>Cc: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>Message-ID: <20050307215532.GA24251@xxxxxxxxxxxxxxxxxxxx>
>References: <20050305181714.22945.qmail@xxxxxxxxxxxxxxxxxxxxx>
>In-Reply-To: <20050305181714.22945.qmail@xxxxxxxxxxxxxxxxxxxxx>
>
>All:
>
>I would like to hear from someone who can reproduce this. If you can, please send
>details with OS, patches installed, pcaps, etc., not a report of what tools you used
>to create the packet, sniff and replay the results. I've tested this and either my
>machines are magically protected from this attack, or it is invalid (despite what
>the press might say). I'd like some outside corroboration of this attack.
>
>
>On 05-Mar-2005, Dejan Levaja wrote:
>>
>> Hello, everyone.
>>
>> Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are vulnerable to the LAND attack.
>>
>> LAND attack:
>> Sending a TCP packet with the SYN flag set, with source and destination IP address and source and destination port set to those of the destination machine, results in a 15-30 second DoS condition.
>>
>> Tools used:
>> IP Sorcery for creating the malicious packet, Ethereal for sniffing it and tcpreplay for replaying it.
>>
>> Results:
>> Sending a single LAND packet to a file server causes Windows Explorer to freeze on all workstations currently connected to the server. CPU on the server goes to 100%. Network Monitor on the victim server sometimes cannot even sniff the malicious packet. Using tcpreplay to script this attack results in total collapse of the network.
>>
>> Vulnerable operating systems:
>> Windows 2003
>> XP SP2
>> other OS not tested (I have other things to do currently, like checking firewalls on my networks ;) )
>>
>> Solution:
>> Use Windows Firewall on workstations, and use some firewall capable of detecting LAND attacks in front of your servers.
>>
>> Ethic:
>> Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with the security community.
>>
>>
>> Dejan Levaja
>> System Engineer
>> Bulevar JNA 251
>> 11000 Belgrade
>> Serbia and Montenegro
>> cell: +381.64.36.00.468
>> email: dejan@xxxxxxxxxx
>>
>
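Jon asks for packet captures rather than tool names. The check below is an added example, written by the editor and not by any of the posters: it parses raw IPv4/TCP header bytes and flags the LAND pattern Dejan describes (SYN set, source address and port equal to destination address and port), which is the test a firewall "capable of detecting LAND attacks" performs. The sample packets are constructed inline with TEST-NET addresses, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN = 0x02  # SYN bit in the TCP flags byte


@dataclass
class TcpIpHeader:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def parse_ipv4_tcp(packet: bytes) -> Optional[TcpIpHeader]:
    """Parse the IPv4 and TCP headers of a raw packet (no link layer).
    Returns None for anything that is not IPv4-over-TCP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]                # flags byte follows the data-offset byte
    return TcpIpHeader(src_ip, dst_ip, src_port, dst_port, flags)


def is_land_packet(packet: bytes) -> bool:
    """True when the packet matches the LAND pattern from the thread."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None:
        return False
    return bool(hdr.flags & TCP_SYN) and hdr.src_ip == hdr.dst_ip and hdr.src_port == hdr.dst_port


def scan(packets: List[bytes]) -> List[int]:
    """Indices of packets in a capture that a LAND-aware filter should drop."""
    return [i for i, p in enumerate(packets) if is_land_packet(p)]


def make_sample(src_ip: str, src_port: int, dst_ip: str, dst_port: int, flags: int) -> bytes:
    """Constructed test fixture (checksums left zero); used only to exercise the detector."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp
```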