Re: LAND attack vulnerability on Windows Server 2003 and Windows XP

• Previous message: Marc Maiffret: "FW: Update: MS05-011 EEYE: Windows SMB Client Transaction Response Handling Vulnerability"
• In reply to: James Rankin: "LAND attack vulnerability on Windows Server 2003 and Windows XP"
• Next in thread: Thierry Zoller: "Re: LAND attack vulnerability on Windows Server 2003 and Windows XP"
• Reply: Thierry Zoller: "Re: LAND attack vulnerability on Windows Server 2003 and Windows XP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 8 Mar 2005 11:48:42 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We used the newland.exe v0.1 "proof of concept" program to "attack" some of
our Windows 2003 Server boxes. In all cases, the target system's CPU usage
went to 100% and stayed like that for 20-30s after the "attack" stopped.

We were able to prevent the 100% CPU utilization by setting the value of
"SynAttackProtect" to 1 or 2 in the TCP/IP parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect = 1 (DWORD)

Target systems: Windows 2003 Server Enterprise and Standard editions (didn't
work in Windows XP SP2).

More info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324270

Marcio Vieira
Southeast Missouri State University

> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of James Rankin
> Sent: Tuesday, March 08, 2005 7:26 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: LAND attack vulnerability on Windows Server 2003 and
> Windows XP
>
> A LAND attack vulnerability has been highlighted in Windows
> XP and Windows Server 2003 by Dejan Levaja
>
> http://www.securityfocus.com/archive/1/392354
>
> It was later highlighted by CA as a High risk
>
> http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32520
>
> There has been no vendor response to this as yet. Initial
> testing suggests it works with mixed results on 2003 and XP SP2.

--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Previous message: Marc Maiffret: "FW: Update: MS05-011 EEYE: Windows SMB Client Transaction Response Handling Vulnerability"
• In reply to: James Rankin: "LAND attack vulnerability on Windows Server 2003 and Windows XP"
• Next in thread: Thierry Zoller: "Re: LAND attack vulnerability on Windows Server 2003 and Windows XP"
• Reply: Thierry Zoller: "Re: LAND attack vulnerability on Windows Server 2003 and Windows XP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]