Windows NT & 95 LAND Attack
Reported November 17, 1997
Systems Affected
Windows NT and 95
Description:
Abnormal packets cause slowdowns on these systems
Demonstration Code:
Source Code for Latierra, a modified LAND.C attacker
Microsoft's Response:
DOCUMENT:Q165005
TITLE :Windows NT Slows Down Due to Land Attack
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug kbbug4.00 kbenv kbfix4.00 kbpatch NTSrvWkst nttcp
The information in this article applies to:
- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft Windows NT Server Enterprise Edition version 4.0
--------------------------------------------------------------------------
SYMPTOMS
========
After receiving spoofed connection request (SYN) packets, Windows NT may begin to operate
slowly. After about one minute, Windows NT returns to normal operation.
NOTE: This problem may occur with TCP/IP on other operating systems as well.
CAUSE
=====
This behavior occurs due to "Land Attack". Land Attack sends SYN packets with the same
source and destination IP addresses and the same source and destination ports to a host
computer. This makes it appear as if the host computer sent the packet to itself.
Windows NT operates more slowly while the host computer tries to respond to itself.
RESOLUTION
==========
To resolve this problem, obtain the following fix or wait for the next Windows NT
service pack.
This fix should have the following time stamp:
11/25/97 04:54p 143,472 Tcpip.sys (Intel)
11/25/97 04:52p 263,375 Tcpip.sys (Alpha)
This hotfix has been posted HERE
NOTE: This fix supersedes the ICMP-fix, OOB-fix, and the Simptcp-fix hotfixes.
STATUS
======
Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix
is now available, but has not been fully regression-tested and should be applied only to
systems experiencing this specific problem. Unless you are severely impacted by this
specific problem, Microsoft recommends that you wait for the next Service Pack that
contains this fix. Contact Microsoft Technical Support for more information.
MORE INFORMATION
================
For information on the hotfix for Windows 95, please see the following article in the
Microsoft Knowledge Base:
ARTICLE-ID: Q177539
TITLE : Windows 95 Stops Responding Because of Land Attack
Additional query words: 4.00 port 139
=======================
Windows 95 Information
=======================
DOCUMENT:Q177539
TITLE :Windows 95 Stops Responding Because of Land Attack
PRODUCT :Microsoft Windows 95
PROD/VER:95
OPER/SYS:WINDOWS
KEYWORDS:kbbug kbenv kbpatch
The information in this article applies to:
- Microsoft Windows 95
- Microsoft Windows 95 OEM Service Release versions 1, 2, 2.1
---------------------------------------------------------------------
SYMPTOMS
========
After receiving spoofed connection request (SYN) packets over TCP/IP, a computer running
Windows 95 may begin to operate slowly. After about one minute, Windows returns to normal
operation.
This problem may occur with TCP/IP on other operating systems as well.
CAUSE
=====
This behavior occurs due to "Land Attack." Land Attack sends SYN packets with
the same source and destination IP addresses and the same source and destination ports to
a host computer. This makes it appear as if the host computer sent the packets to itself.
Windows 95 operates more slowly while the host computer tries to respond to itself.
RESOLUTION
==========
Without WinSock 2.0 Update
--------------------------
This issue is resolved by the following updated file for Windows 95 and Windows 95 OEM
Service Release 2 (OSR2) without the WinSock 2.0 update only:
Vtcp.386 version 4.00.956 (dated 11/26/97) and later
To install this update, follow these steps:
1. Download the Vtcpup11.exe file from the Microsoft Software library to an empty folder
on your hard disk.
2. In My Computer or Windows Explorer, double-click the Vtcpup11.exe file you downloaded
in step 1.
3. Follow the instructions on the screen.
The following file(s) are available for download from the Microsoft Software Library:
~ Vtcpup11.exe
For more information about downloading files from the Microsoft Software Library, please
see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q119591
TITLE : How to Obtain Microsoft Support Files from Online Services
The following files are installed by Vtcpup11.exe:
File name   Version    Date/Time         Size     Destination folder
----------------------------------------------------------------------
Vtcp.386    4.00.956   11/26/97 9:56a    47,413   Windows\System
With WinSock 2.0 Update
-----------------------
Microsoft has confirmed this to be a problem in the WinSock 2.0 update for Windows 95. We
are researching this problem and will post new information here in the Microsoft Knowledge
Base as it becomes available.
STATUS
======
Microsoft has confirmed this to be a problem in Microsoft Windows 95 and OEM Service
Release 2 (OSR2). An update to address this problem is now available, but is not fully
regression tested and should be applied only to computers experiencing this specific
problem. Unless you are severely impacted by this specific problem, Microsoft does not
recommend implementing this update at this time. Contact Microsoft Technical Support
for more information.
MORE INFORMATION
================
For additional information about this issue as it applies to Microsoft Windows NT, please
see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q165005
TITLE : Windows NT Slows Down Due to Land Attack
For additional information about issues resolved by updates to this component, please see
the following articles in the Microsoft Knowledge Base:
ARTICLE-ID: Q170791
TITLE : Windows 95 TCP Clients Run Out of Ports
ARTICLE-ID: Q168747
TITLE : Update to Windows 95 TCP/IP to Address Out-of-Band Issue
Additional query words: 95
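
The CAUSE sections of both articles above give the packet signature of a Land Attack. The following C check is an added example, not part of the Microsoft articles or the original page; it applies that signature to a raw IPv4 packet so a filter or sensor can drop or flag it. The function names, the 192.0.2.x addresses and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf holds an IPv4/TCP packet with the LAND signature:
 * SYN set, source IP == destination IP, source port == destination port.
 * Returns 0 for anything else, including truncated or non-TCP packets. */
int is_land_packet(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return 0;                               /* too short or not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;   /* IP header length, bytes */
    if (ihl < 20 || len < ihl + 14)
        return 0;                               /* TCP flags byte not present */
    if (buf[9] != 6)
        return 0;                               /* IP protocol 6 = TCP */
    if ((((buf[6] & 0x1F) << 8) | buf[7]) != 0)
        return 0;                               /* later fragment: no TCP header */
    const uint8_t *tcp = buf + ihl;
    return memcmp(buf + 12, buf + 16, 4) == 0   /* src IP == dst IP */
        && memcmp(tcp, tcp + 2, 2) == 0         /* src port == dst port */
        && (tcp[13] & 0x02) != 0;               /* SYN flag set */
}

/* Builds a constructed 40-byte IPv4+TCP test packet (checksums left zero). */
size_t build_packet(uint8_t *out, const uint8_t src[4], const uint8_t dst[4],
                    uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[8] = 64; out[9] = 6;
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)sport;
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    out[32] = 0x50;                             /* TCP data offset = 5 words */
    out[33] = flags;
    return 40;
}

int main(void)
{
    const uint8_t host[4] = {192, 0, 2, 10}, peer[4] = {192, 0, 2, 20};
    uint8_t pkt[40];
    size_t n = build_packet(pkt, host, host, 139, 139, 0x02);
    printf("self-addressed SYN: %d\n", is_land_packet(pkt, n));
    n = build_packet(pkt, peer, host, 1025, 139, 0x02);
    printf("ordinary SYN:       %d\n", is_land_packet(pkt, n));
    return 0;
}
```

The same three-part comparison is what a border filter enforces when it drops inbound packets whose source address is the protected host's own address.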
Posted here at NTSecurity.Net February 15, 1997