Windows NT & 95 LAND Attack

Reported November 17, 1997

Systems Affected

Windows NT and 95

Description:

Abnormal packets cause slowdowns on these systems

Demonstration Code:

Source Code for Latierra, a modified LAND.C attacker

Microsoft's Response:

DOCUMENT:Q165005
TITLE :Windows NT Slows Down Due to Land Attack
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug kbbug4.00 kbenv kbfix4.00 kbpatch NTSrvWkst nttcp

The information in this article applies to:

- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft Windows NT Server Enterprise Edition version 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

After receiving spoofed connection request (SYN) packets, Windows NT may begin to operate slowly. After about one minute, Windows NT returns to normal operation.

NOTE: This problem may occur with TCP/IP on other operating systems as well.

CAUSE
=====

This behavior occurs due to "Land Attack". Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packet to itself. Windows NT operates more slowly while the host computer tries to respond to itself.

RESOLUTION
==========

To resolve this problem, obtain the following fix or wait for the next Windows NT service pack.

This fix should have the following time stamp:

11/25/97 04:54p 143,472 Tcpip.sys (Intel)
11/25/97 04:52p 263,375 Tcpip.sys (Alpha)

This hotfix has been posted HERE

NOTE: This fix supersedes the ICMP-fix, OOB-fix, and the Simptcp-fix hotfixes.

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

MORE INFORMATION
================

For information on the hotfix for Windows 95, please see the following article in the Microsoft Knowledge Base:

ARTICLE-ID: Q177539
TITLE : Windows 95 Stops Responding Because of Land Attack

Additional query words: 4.00 port 139

======================= Windows 95 Information =======================

DOCUMENT:Q177539
TITLE :Windows 95 Stops Responding Because of Land Attack
PRODUCT :Microsoft Windows 95
PROD/VER:95
OPER/SYS:WINDOWS
KEYWORDS:kbbug kbenv kbpatch

The information in this article applies to:

- Microsoft Windows 95
- Microsoft Windows 95 OEM Service Release versions 1, 2, 2.1
---------------------------------------------------------------------

SYMPTOMS
========

After receiving spoofed connection request (SYN) packets over TCP/IP, a computer running Windows 95 may begin to operate slowly. After about one minute, Windows returns to normal operation.

This problem may occur with TCP/IP on other operating systems as well.

CAUSE
=====

This behavior occurs due to "Land Attack." Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packets to itself. Windows 95 operates more slowly while the host computer tries to respond to itself.
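The condition described under CAUSE in both articles (a SYN whose source and destination address and port are identical) can be checked on captured traffic. The following is an added example, not part of the Microsoft articles or of the code this page links to; the function names, the 192.0.2.x addresses and the sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

TCP_PROTO, SYN, ACK = 6, 0x02, 0x10

def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags), or None if this is not a
    complete IPv4/TCP first fragment."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length; options move the TCP header
    if ihl < 20 or len(packet) < ihl + 14:    # need TCP bytes up to the flags field
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != TCP_PROTO or frag_offset != 0:   # ports exist only in fragment 0
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (IPv4Address(packet[12:16]), IPv4Address(packet[16:20]),
            sport, dport, packet[ihl + 13])

def is_land(packet: bytes) -> bool:
    """True for a SYN whose source and destination address AND port match."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, dst, sport, dport, flags = parsed
    return bool(flags & SYN) and src == dst and sport == dport

def sample(src, dst, sport, dport, flags, options=b""):
    """Constructed test bytes for the parser (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                     40 + len(options), 0, 0, 64, TCP_PROTO, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

HOST = "192.0.2.10"   # documentation address, constructed
SAMPLES = {           # all constructed
    "land": sample(HOST, HOST, 139, 139, SYN),
    "land_ip_options": sample(HOST, HOST, 139, 139, SYN, options=b"\x01" * 4),
    "normal_syn": sample("192.0.2.20", HOST, 1025, 139, SYN),
    "same_host_diff_port": sample(HOST, HOST, 1025, 139, SYN),
    "same_tuple_ack_only": sample(HOST, HOST, 139, 139, ACK),
    "truncated": sample(HOST, HOST, 139, 139, SYN)[:30],
}

def verdicts():
    return {name: is_land(pkt) for name, pkt in SAMPLES.items()}
```

A filter that drops inbound packets whose source address belongs to the protected host covers the same case regardless of port.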

RESOLUTION
==========

Without WinSock 2.0 Update
--------------------------

This issue is resolved by the following updated file for Windows 95 and Windows 95 OEM Service Release 2 (OSR2) without the WinSock 2.0 update only:

Vtcp.386 version 4.00.956 (dated 11/26/97) and later

To install this update, follow these steps:

1. Download the Vtcpup11.exe file from the Microsoft Software library to an empty folder on your hard disk.

2. In My Computer or Windows Explorer, double-click the Vtcpup11.exe file you downloaded in step 1.

3. Follow the instructions on the screen.

The following file(s) are available for download from the Microsoft Software Library:

~ Vtcpup11.exe

For more information about downloading files from the Microsoft Software Library, please see the following article in the Microsoft Knowledge Base:

ARTICLE-ID: Q119591
TITLE : How to Obtain Microsoft Support Files from Online Services

The following files are installed by Vtcpup11.exe:

File name   Version    Date/Time         Size     Destination folder
----------------------------------------------------------------------
Vtcp.386    4.00.956   11/26/97 9:56a    47,413   Windows\System

With WinSock 2.0 Update
-----------------------

Microsoft has confirmed this to be a problem in the WinSock 2.0 update for Windows 95. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

STATUS
======

Microsoft has confirmed this to be a problem in Microsoft Windows 95 and OEM Service Release 2 (OSR2). An update to address this problem is now available, but is not fully regression tested and should be applied only to computers experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft does not recommend implementing this update at this time. Contact Microsoft Technical Support for more information.

MORE INFORMATION
================

For additional information about this issue as it applies to Microsoft Windows NT, please see the following article in the Microsoft Knowledge Base:

ARTICLE-ID: Q165005
TITLE : Windows NT Slows Down Due to Land Attack

For additional information about issues resolved by updates to this component, please see the following articles in the Microsoft Knowledge Base:

ARTICLE-ID: Q170791
TITLE : Windows 95 TCP Clients Run Out of Ports

ARTICLE-ID: Q168747
TITLE : Update to Windows 95 TCP/IP to Address Out-of-Band Issue

Additional query words: 95

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.

Posted here at NTSecurity.Net February 15, 1997
