We are receiving various results from people testing the LAND attack against various versions of Windows with mixed results. A small correction and addition to yesterday's diary:
* you need to add the '--keep' parameter to the hping command. Otherwise, the source port will be incremented with each packet send.
* the attack will only work against listening ports.
Summary of what we found so far:
Windows XP appears to be vulnerable only if SP-2 is installed.
Windows 2003 is vulnerable.
On systems with multiple CPUs, only one CPU will be 'maxed out'. These systems remain responsive (but will be slower)
Hyperthreading systems (newer Pentium IVs) behave like dual CPU systems in that the total load reaches 50%.
An OpenBSD program was released as well to just launch this particular attack.
hping command line:
I do recommend that you make sure that the port is listening and not firewalled. You can do this with this hping command:
expected output if the port is open:
Defending against a LAND attack isn't all that hard. Proper ingress filtering should prevent spoofed traffic from entering your network in the first place. Any personal firewall will block the attack, and turning off unneeded services will reduce the number of ports that will expose you to the attack.
If you run the test, please let us know and include:
* target OS version and patch level?
* what language version of Windows are you using?
* target port used (and was it open/closed)?
What is a 'LAND Attack'
Just a quick refresher for everyone:
The basic idea is to send a packet to a system where the source IP is set to match the systems IP. The SYN flag has to be set. So the packet will arrive with source ip = target ip. As a result, the system will attempt to reply to itself, causing a lock up of the system.
The earliest mention of this attack I found was from 1997 against Windows, Sun OS, BSD and Macs. All these systems share a BSD based TCP/IP stack.
Reminder: Diary reuse
After correcting the 'hping' options, we where contacted by subscribers to commericial vulnerabilty alerts. They noted that their for-pay service for some reason used the same (slightly wrong) hping command line as the one we posted yesterday.
We do not mind inclusion of diary excerpts in publications available to the public for free, as long as proper credit is given. We do however not allow the resale of diary excerpts as part of a commericial service without explicit written permission. For any questions, contact us at http://isc.sans.org/contact.php .
Quick DNS poisoning update
We got one report where a DNS server responded with 'poisoned results' and flushing the cache didn't correct the problem is usually the result of a DNS server compromise beyond a simple cache poisoning. If you observed a similar issue, please let us know.
In the meantime, Symantec released a hotfix for the DNS cache poisoning issue.
See and the related .
A few non-Symantec users reported similar issues, so this is not limited to Symantec.
If you got infected by the ABX toolbar, here are some removal instructions provided by a reader:
Run Regedit and search for "abx" (do not include quotes).
Remove all references containing "abx" from the registry.
There are at least two Keys in the registry that contain several
Values related to this spyware. On my test workstation, one of them
I am not sure, but the "xbtb01186" may be a randomly generated Key,
but within that Key will be several Values with "abx" references.
Remove the entire Key starting at "xbtb01186".
You will need to delete two files in the "Download Program Files"
directory under your Windows directory. In Windows XP they will be
under c:\windows\Download Program Files. In NT they will be under
c:\winnt\Download Program Files. The file names are:
The "Download Program Files" directory stores the ActiveX Cache used
when starting up Internet Explorer. This directory may be hidden, so
make sure your Explorer settings allow you to view hidden files.
SSH Brute forcing
Brian send us a log of a ssh brute force attack. The attack was launched from multiple sources and appears coordinated. The sources hit the target at the same time, and used different sets of usersnames. Overall, more then a 100 usernames where used and each one was used 4 times (suggesting 4 different passwords). The attack lasted about 20 minutes.
Yesterday's IM malware is now identified by Symantec as 'W32.Kelvir.B'
Brazilian Honeynet Statistics Page
The brazilian honeynet project made a nice statistics page public which show a summary of traffic received by the honeynet. For details, see:
Johannes Ullrich, email@example.com
CTO SANS Internet Storm Center
I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020
Mar 8th 2005
1 decade ago