> I would like to hear from someone who can reproduce this. If you can, > please send > details with OS, patches installed, pcaps, etc. not a report of what I've tested the original land attack against a Windows XP box SP2, spanish version, fw disabled, patches up to date, attacker and victim on the same subnet. Tested on ports 139, 445 and 4899 (remote administrator service). In all cases, after sending one "landed" packet, CPU usage raised from 2% to 77% and from then, to 100%, then back to 2%. The whole sequence took about 20 seconds. If I tried the attack while the screensaver was active, it halted for those 20 seconds, and then back to normal. I've not been able to reproduce this on a XP SP2 behind a firewall, with a port mapped from the firewall to the machine. I tried modifying the land source code to use a source IP identical to the machine internal IP, in the hope that, after NAT translation, IP source and IP destination will be the same and the attack would work, but no luck. Tried also on a XP SP2, same characteristics as the previous one, but this time not on my subnet, but many routers away. Apparently, no bad effects. I took the land binary to a Linux machine on the same subnet as this second XP box. Tried again and it worked! After this test, I enabled Zone Alarm on this WinXP box and tried again: this time it worked, but it was necesary about 30 packets (1 second packet rate) to raise CPU usage to 100%. Inmediately after stopping the packet generator, the CPU usage came back to normal. Hope this helps on clarifying the matter. -- Miguel Angel Rodriguez Jodar | http://www.atc.us.es Departamento de Arquitectura y Tecnologia de Computadores Universidad de Sevilla Spain
