Bugtraq: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or XP SP1
using exact packets that work on SP2.

-ae

> ----- Original Message ----- 
> From: "Jon O." <jono () networkcommand com>
> To: "Dejan Levaja" <dejan () levaja com>
> Cc: <bugtraq () securityfocus com>
> Sent: Monday, March 07, 2005 3:55 PM
> Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>
>
> > All:
> >
> > I would like to hear from someone who can reproduce this. If 
> you can, 
> > please send
> > details with OS, patches installed, pcaps, etc. not a report 
> of what tools 
> > you used
> > to create the packet, sniff and replay the results. I've 
> tested this and 
> > either my
> > machines are magically protected from this attack, or it is invalid 
> > (despite what
> > the press might say). I'd like some outside corroboration of 
> this attack.
> > On 05-Mar-2005, Dejan Levaja wrote:
> > > Hello, everyone.
> > >
> > > Windows Server 2003 and XP SP2 (with Windows Firewall 
> turned off)  are 
> > > vulnerable to LAND attack.
> > >
> > > LAND attack:
> > >  Sending TCP packet with SYN flag set, source and 
> destination IP address 
> > > and source and destination port as of destination machine, 
> results in 
> > > 15-30 seconds DoS condition.
> > >
> > >
> > > Tools used:
> > >  IP Sorcery for creating malicious packet, Ethereal for 
> sniffing it and 
> > > tcpreplay for replaying.
> > >
> > > Results:
> > >  Sending single LAND packet to file server causes Windows explorer 
> > > freezing on all workstations currently connected to the 
> server. CPU on 
> > > server goes 100%. Network monitor on the victim server 
> sometimes can not 
> > > even sniff malicious packet. Using tcpreplay to script this attack 
> > > results in total collapse of the network.
> > >
> > > Vulnerable operating systems:
> > > Windows 2003
> > > XP SP2
> > > other OS not tested (I have other things to do currently ? 
> like checking 
> > > firewalls on my networks ;) )
> > >
> > > Solution:
> > >  Use Windows Firewall on workstations, use some firewall capable of 
> > > detecting LAND attacks in front of your servers.
> > >
> > > Ethic:
> > >  Microsoft was informed 7 days ago (25.02.2005, GMT +1, 
> local time), NO 
> > > answer received, so I decided to share this info with 
> security community.
> > > Dejan Levaja
> > > System Engineer
> > > Bulevar JNA 251
> > > 11000 Belgrade
> > > Serbia and Montenegro
> > > cell: +381.64.36.00.468
> > > email: dejan () levaja com