Land
CVE 1999-0016
Description of Land
This DoS attack affects Windows 95/NT machines and various flavors of UNIX, including
SunOS, several BSD UNIX versions and networked Macintosh machines. Check Rootshell's Land
page for a partial listing of affected operating systems. This attack can also affect some
Cisco routers and TCP/IP-based printing devices.
The Land Denial of Service attack works by sending a spoofed packet with the SYN flag set
(the flag used in the "handshake" between a client and a host) to any port that is open and
listening. The packet is crafted, via IP spoofing, to carry the same destination and source
IP address. When it reaches the target, it can fool the machine into thinking it is sending
itself a message, which, depending on the operating system, will crash the machine.
Symptoms of Attack
The Land attack will affect different operating systems in different ways.
For instance, this attack will cause a Windows NT 4.0 machine (with Service Pack 3 and all
applicable hot fixes applied) to slow down for approximately sixty (60) seconds, after which
it will resume normal operations without other effects. Windows 95 machines, on the other hand,
will either crash or lock up, requiring that they be rebooted. Most UNIX
machines will either crash or hang, and will not allow users to access services on the machine.
How can I fix this vulnerability?
A workaround for the Land attack is to block IP-spoofed packets.
Attacks such as Land rely on the use of forged packets, that is, packets where the
attacker deliberately falsifies the origin address. With the current IP protocol technology,
it is impossible to eliminate IP-spoofed packets. However, a site administrator can reduce
the likelihood of his or her network being used to initiate forged packets by filtering
outgoing packets that have a source address different from that of the internal network. While
this workaround is not a specific fix for this vulnerability, it does address the cause. As
more administrators implement this filtering method, denial of service attacks based on
IP spoofing will diminish. If you would like to read more about this filtering method, read
RFC 2267 - "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP
Source Address Spoofing".
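The two checks discussed above, written out as an added example that is not part of the original page or of any vendor patch: a test for the Land signature as this page describes it (SYN set, source IP equal to destination IP) and the outgoing source-address filter. The function names, the 192.0.2.0/24 internal network, the ports and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

SYN = 0x02  # TCP SYN flag bit

def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, tcp_flags) for an unfragmented IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 14:
        return None                                    # not TCP, or no TCP flags byte
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, packet[ihl + 13]

def is_land(packet: bytes) -> bool:
    """Land signature as the page describes it: SYN set, source IP == destination IP."""
    parsed = parse_ipv4_tcp(packet)
    return bool(parsed) and parsed[0] == parsed[1] and bool(parsed[2] & SYN)

def egress_allowed(packet: bytes, internal_net: str) -> bool:
    """RFC 2267-style egress rule: an outgoing source must be an internal address.
    Input this parser cannot read is rejected."""
    parsed = parse_ipv4_tcp(packet)
    return bool(parsed) and parsed[0] in ipaddress.ip_network(internal_net)

def sample_packet(src: str, dst: str, flags: int) -> bytes:
    """Constructed 40-byte test header pair (checksums zero), used only as filter input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 1025, 139, 0, 0, 5 << 4, flags, 512, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    INTERNAL = "192.0.2.0/24"                          # assumed internal network
    cases = {
        "land signature": sample_packet("192.0.2.10", "192.0.2.10", SYN),
        "ordinary SYN": sample_packet("198.51.100.7", "192.0.2.10", SYN),
        "forged source leaving site": sample_packet("203.0.113.5", "198.51.100.7", SYN),
    }
    for name, pkt in cases.items():
        print(f"{name}: land={is_land(pkt)} egress_ok={egress_allowed(pkt, INTERNAL)}")
```

A border device applying the first check inbound drops the Land packet before it reaches a vulnerable host; the second check, applied outbound, is the source-address filter the paragraph above recommends.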
Specific fixes for this vulnerability may be obtained from the maker of your operating system.
A listing of patches sorted by vendor is available in CERT Advisory 97.28.
Patches and workarounds are also available for Windows NT and Windows 95 machines. Patches
for Windows based machines can also be found at WindowsCentral's Internet Security site.
Where can I read more about this?
To read more about the Land attack, check out CERT Advisory 97.28.
Additional information may be found at IRChelp and Microsoft's Land page. Visit Rootshell
for technical information and the source code for the Land program. To keep abreast of
existing and emerging Denial of Service attacks, and other security threats, visit the
Microsoft Security Advisor, the Windows Central Bug Site, and/or CERT. If information on a
specific attack is not located on these sites, keep checking back as they are updated
frequently.