FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or XP SP1 using exact packets that work on SP2. -ae >----- Original Message ----- >From: "Jon O." <jono@xxxxxxxxxxxxxxxxxx> >To: "Dejan Levaja" <dejan@xxxxxxxxxx> >Cc: <bugtraq@xxxxxxxxxxxxxxxxx> >Sent: Monday, March 07, 2005 3:55 PM >Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability > > >> All: >> >> I would like to hear from someone who can reproduce this. If >you can, >> please send >> details with OS, patches installed, pcaps, etc. not a report >of what tools >> you used >> to create the packet, sniff and replay the results. I've >tested this and >> either my >> machines are magically protected from this attack, or it is invalid >> (despite what >> the press might say). I'd like some outside corroboration of >this attack. >> >> >> On 05-Mar-2005, Dejan Levaja wrote: >>> >>> >>> Hello, everyone. >>> >>> Windows Server 2003 and XP SP2 (with Windows Firewall >turned off) are >>> vulnerable to LAND attack. >>> >>> LAND attack: >>> Sending TCP packet with SYN flag set, source and >destination IP address >>> and source and destination port as of destination machine, >results in >>> 15-30 seconds DoS condition. >>> >>> >>> Tools used: >>> IP Sorcery for creating malicious packet, Ethereal for >sniffing it and >>> tcpreplay for replaying. >>> >>> Results: >>> Sending single LAND packet to file server causes Windows explorer >>> freezing on all workstations currently connected to the >server. CPU on >>> server goes 100%. Network monitor on the victim server >sometimes can not >>> even sniff malicious packet. Using tcpreplay to script this attack >>> results in total collapse of the network. >>> >>> Vulnerable operating systems: >>> Windows 2003 >>> XP SP2 >>> other OS not tested (I have other things to do currently ? >like checking >>> firewalls on my networks ;) ) >>> >>> Solution: >>> Use Windows Firewall on workstations, use some firewall capable of >>> detecting LAND attacks in front of your servers. >>> >>> Ethic: >>> Microsoft was informed 7 days ago (25.02.2005, GMT +1, >local time), NO >>> answer received, so I decided to share this info with >security community. >>> >>> >>> Dejan Levaja >>> System Engineer >>> Bulevar JNA 251 >>> 11000 Belgrade >>> Serbia and Montenegro >>> cell: +381.64.36.00.468 >>> email: dejan@xxxxxxxxxx >>> >> > > >
