'Land' Bug Back to Bedevil Microsoft Servers
March 7, 2005

Need another excuse to run a firewall? Windows Server 2003 and XP SP2 machines without properly configured firewalls are at risk of a Denial of Service attack via the "LAND" bug, according to a security researcher.

Microsoft said it is looking into the situation and claims the potential issue cannot be used by an attacker to run malicious software on a computer.

In a post to the Bugtraq security mailing list, security researcher Dejan Levaja described how the LAND attack could create a DoS condition on a target server. "Sending [a] TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition," Levanja explained in the post.

The LAND attack is carried out with the help of a trio of open source-licensed tools intended to help network administrators troubleshoot and test their networks.

The IP Sorcery application, which is loosely connected to an underground computer security group called Legions of the Underground, allows for custom TCP packet generation, which is how the malicious packet in the LAND attack is created. Ethereal, the popular network protocol analyzer included in most major Linux distributions, is used for "sniffing" the packet.

According to Levaja, by sending the crafted LAND packet, the CPU utilization on the target server hits 100 percent and causes Windows Explorer to freeze on all connected workstations. The third open source tool utilized is tcpreplay, which is used in Dejan's scenario to "replay" the LAND packet in order to create a sustained DoS. The result could be a "total collapse of the network."

Levaja told internetnews.com that he discovered the flaw quite unintentionally. "I was pen testing my network using the Auditor Security Collection live Linux distribution. One of the tools on the CD was the IP Sorcery, which I used to construct LAND packet for fun, believing that it is an attack from ancient history, not even thinking about possibility that it might work," he said.

He claims he informed Microsoft of the issue on Feb. 25, 2005, and received no reply.

A Microsoft spokesperson told internetnews.com that Microsoft's initial investigation has revealed that the reported vulnerability cannot be used by an attacker to run malicious software on a computer. In fact, Dejan only claims a DoS and not the execution of arbitrary code.

"At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time," the Microsoft spokesperson explained. "Customers running the Windows Firewall, enabled by default on Windows XP Service Pack 2, are not impacted by this issue. In addition, customers who have applied our TCP/IP hardening practices described in Knowledge Base Article 324270 are likewise protected from an attack attempting to utilize this issue."

Normally Microsoft issues security updates on the first Tuesday of every month, and usually warns users several days before the updates are issued. So far in March, Microsoft has given no indication at this point that any update will in fact be issued tomorrow. Last month's update was one of the largest yet with more than a dozen different issues patched.

Microsoft's spokesperson indicated, however, that upon completion of the investigation into the LAND vulnerability, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through its monthly release process or an out-of-cycle security update, depending on customer needs.

Updates prior version to include direct quotes from Dejan Levaja