It appears there is a LAND attack (advisory) (exploit) for this century. It affects Windows XP/2003. An attacker sends a packet with the SYN flag set, spoofed so that its source address is the very host it is being sent to; because this breaks the RFC, the Windows TCP/IP stack doesn't know what to do and consumes all available resources. This attack was originally discovered in 1997 and affected many vendors' products. Here is the mail that started it.
The hping2 command for the attack is:
hping -V -c 100 -d 40 -S -p <port> -s <port> -k -a <host IP> <host IP>
-V verbose
-c number of packets
-d bytes of data
-S set the SYN flag
-p destination port
-s source port
-k keep the source port fixed
-a spoof the source address
It has been reported that the attack only works on XP with SP2 installed. Also, if a multiple-CPU system is attacked, only one CPU is maxed out.
UPDATE: I tested this against a fully patched Windows 2003 Server machine with two hyper-threaded CPUs. It maxed out 1 of 4 CPUs for a total of 26% load for 22 seconds per packet. Fun.
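The signature of this attack is easy to match on the wire: a TCP SYN whose IP source address equals its destination address (and, with the command above, whose source port equals its destination port). The following detector is an added example written for this entry, not code from the original post or from the hping project. It parses raw IPv4/TCP headers and flags that pattern, while letting loopback traffic through, where matching addresses are legitimate. The three packets are constructed test data embedded inline (checksums zeroed); nothing is sent.

```python
import ipaddress
import struct

# Constructed sample packets: a 20-byte IPv4 header followed by a 20-byte TCP header.
# These are test data for the detector only; checksums are left at zero.
SAMPLE_PACKETS = {
    # 192.0.2.10:80 -> 192.0.2.10:80 with SYN set: the LAND pattern described above.
    "land_syn": bytes.fromhex(
        "45000028123400004006" "0000" "c000020a" "c000020a"
        "0050" "0050" "00000000" "00000000" "50" "02" "2000" "0000" "0000"
    ),
    # 198.51.100.7:40000 -> 192.0.2.10:80 SYN: an ordinary connection attempt.
    "normal_syn": bytes.fromhex(
        "45000028123500004006" "0000" "c6336407" "c000020a"
        "9c40" "0050" "00000000" "00000000" "50" "02" "2000" "0000" "0000"
    ),
    # 127.0.0.1:5000 -> 127.0.0.1:5000 SYN: same source and destination, but on loopback.
    "loopback_syn": bytes.fromhex(
        "45000028123600004006" "0000" "7f000001" "7f000001"
        "1388" "1388" "00000000" "00000000" "50" "02" "2000" "0000" "0000"
    ),
}

TCP_SYN = 0x02  # SYN bit in the TCP flags byte


def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, tcp_flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # protocol 6 = TCP
        return None
    src_ip = ipaddress.IPv4Address(pkt[12:16])
    dst_ip = ipaddress.IPv4Address(pkt[16:20])
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]              # byte 13 of the TCP header holds the flag bits
    return src_ip, dst_ip, src_port, dst_port, flags


def is_land_packet(pkt: bytes) -> bool:
    """True when the packet is a TCP SYN whose source address equals its destination.

    Loopback is excluded: such packets never arrive from the wire, so a matching
    127.0.0.0/8 pair is local traffic, not a spoofed one.
    """
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    src_ip, dst_ip, _src_port, _dst_port, flags = parsed
    if not flags & TCP_SYN:
        return False
    if src_ip != dst_ip:
        return False
    if src_ip.is_loopback:
        return False
    return True


def scan(packets):
    """Return a list of (name, description) alerts for every packet that matches."""
    alerts = []
    for name, pkt in packets.items():
        if is_land_packet(pkt):
            src_ip, dst_ip, sp, dp, _ = parse_ipv4_tcp(pkt)
            same_port = " (same port)" if sp == dp else ""
            alerts.append((name, f"LAND pattern: {src_ip}:{sp} -> {dst_ip}:{dp}{same_port}"))
    return alerts


if __name__ == "__main__":
    for name, msg in scan(SAMPLE_PACKETS):
        print(name, msg)
```

Running it reports only the first packet. On a real sensor the same check belongs at the border: a packet whose source address is an internal host should never arrive on the external interface, so an ingress anti-spoofing filter stops this class of packet before the host's stack sees it.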