Re: Windows Server 2003 and XP SP2 LAND attack vulnerability

From: exon (
Date: 03/11/05

    Date: Fri, 11 Mar 2005 10:37:20 +0100

    Jon O. wrote:
    > All:
    > I would like to hear from someone who can reproduce this. If you can, please send
    > details with OS, patches installed, pcaps, etc. not a report of what tools you used
    > to create the packet, sniff and replay the results. I've tested this and either my
    > machines are magically protected from this attack, or it is invalid (despite what
    > the press might say). I'd like some outside corroboration of this attack.

    It appears it doesn't work if Windows' built-in firewall is turned on,
    even if the attack is sent to an unfiltered and open port. The TCP and
    IP checksums must also be correct, which a lot of older land-attack
    programs failed to produce (I couldn't reproduce on my system with any I
    found online).

    I've also noticed that targeted systems seem to respond to ping during
    the attack, but are completely incapable of doing anything that requires
    CPU resources to be spent in userland (typing text is impossible, moving
    the mouse works fine). Continuous attacks that cross some hardcoded
    packet boundary can even cause the targeted system to rustle back in to
    play early.

    To test it, you'd need to log in and watch the task manager freeze up
    (set update interval to high to make it more obvious).

    Attached is imland.c (improved multiple land), which was designed to
    rapidly and possibly continuously test a wide range of servers. It
    should compile cleanly on most unixen. I've thrown in some usage output
    as well. Please use it responsibly.
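
For triaging captures when trying to corroborate a report like the one above, the following added example (not part of the original message and not related to the attached imland.c) flags packets matching the LAND pattern, a TCP SYN whose source address and port equal its destination address and port, and checks the IP and TCP checksums the message says must be correct. The sample packets are constructed, use documentation addresses, and the names `classify` and `SAMPLES` are hypothetical.

```python
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 Internet checksum; 0 means the embedded checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(pkt: bytes) -> dict:
    """Inspect one raw IPv4 packet (no link-layer header) for the LAND pattern."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return {"tcp": False}                      # not IPv4/TCP
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]                       # TCP header + payload
    if ihl < 20 or len(seg) < 20:
        return {"tcp": False}                      # truncated or malformed
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", seg[:4])
    syn = bool(seg[13] & 0x02)
    # TCP checksum covers a pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return {
        "tcp": True,
        "land": syn and src == dst and sport == dport,
        "ip_csum_ok": csum16(pkt[:ihl]) == 0,
        "tcp_csum_ok": csum16(pseudo + seg) == 0,
    }

# Constructed sample packets (192.0.2.0/24 documentation range, port 139)
SAMPLES = {
    "land_valid": bytes.fromhex(
        "4500002800010000 4006f6ba c000020a c000020a"
        "008b008b000000010000000050022000 0ab70000"),
    "land_bad_tcp_csum": bytes.fromhex(
        "4500002800010000 4006f6ba c000020a c000020a"
        "008b008b000000010000000050022000 00000000"),
    "normal_syn": bytes.fromhex(
        "4500002800010000 4006f6b0 c0000214 c000020a"
        "c000008b000000010000000050022000 4b370000"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Captures taken on the sending host with checksum offload enabled can show invalid checksums for packets that were correct on the wire, so checksum results are most meaningful for captures taken at the receiver.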


