lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9F28DD3D3674AD43A106ADDA119FAC3201A3D68E@ammspj30.pad.nwa.com>
Date: Tue, 8 Mar 2005 13:52:09 -0600
From: "Detection Services - IS Security" <secdet@....com>
To: "Jon O." <jono@...workcommand.com>,
	"Dejan Levaja" <dejan@...aja.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability


My Microsoft Tech Support liason (TAM) confirms this to be true, but has
no further information at this time.

-----Original Message-----
From: Jon O. [mailto:jono@...workcommand.com] 
Sent: Monday, March 07, 2005 3:56 PM
To: Dejan Levaja
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability


All:

I would like to hear from someone who can reproduce this. If you can,
please send
details with OS, patches installed, pcaps, etc. not a report of what
tools you used
to create the packet, sniff and replay the results. I've tested this and
either my
machines are magically protected from this attack, or it is invalid
(despite what
the press might say). I'd like some outside corroboration of this
attack.


On 05-Mar-2005, Dejan Levaja wrote:
> 
> 
> Hello, everyone.
> 
> Windows Server 2003 and XP SP2 (with Windows Firewall turned off)  are
vulnerable to LAND attack. 
> 
> LAND attack:
>  Sending TCP packet with SYN flag set, source and destination IP
address and source and destination port as of destination machine,
results in 15-30 seconds DoS condition. 
> 
> 
> Tools used:
>  IP Sorcery for creating malicious packet, Ethereal for sniffing it
and tcpreplay for replaying. 
> 
> Results:
>  Sending single LAND packet to file server causes Windows explorer
freezing on all workstations currently connected to the server. CPU on
server goes 100%. Network monitor on the victim server sometimes can not
even sniff malicious packet. Using tcpreplay to script this attack
results in total collapse of the network.
> 
> Vulnerable operating systems:
> Windows 2003
> XP SP2
> other OS not tested (I have other things to do currently ? like
checking firewalls on my networks ;) )
> 
> Solution:
>  Use Windows Firewall on workstations, use some firewall capable of
detecting LAND attacks in front of your servers.
> 
> Ethic:
>  Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time),
NO answer received, so I decided to share this info with security
community. 
> 
> 
> Dejan Levaja
> System Engineer 
> Bulevar JNA 251
> 11000 Belgrade
> Serbia and Montenegro
> cell: +381.64.36.00.468
> email: dejan@...aja.com
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ