Several security organizations are reporting that Windows XP with SP2 and Windows 2003 are vulnerable to a LAND attack, in which affected computers suffer a denial of service. But experts said defending networks against it isn't very difficult.
"Defending against a LAND attack isn't all that hard," the Bethesda, Md.-based SANS Internet Storm Center (ISC) said in a Web site message Monday. "Proper ingress filtering should prevent spoofed traffic from entering your network in the first place. Any personal firewall will block the attack, and turning off unneeded services will reduce the number of ports that will expose you to the attack."
Danish security firm Secunia said the security hole, discovered by researcher Dejan Levaja, is caused by improperly handled Internet Protocol (IP) packets "with the same destination and source IP and the SYN flag set. This causes a system to consume all available [central processing unit] CPU resources for a certain period of time."
UNIRAS, the British government's Computer Emergency Response Team (CERT), said in another advisory that the problem may not be limited to Microsoft products:
"UNIRAS has identified a multi-vendor problem that if exploited could result in a denial-of-service issue," the advisory said. "The full scope of the problem is still being investigated but the basic issue is that a number of [Transmission Control Protocol/Internet Protocol] TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts."
UNIRAS said it "replicated" the problem against systems running Windows XP SP2 and Server 2003 that were not running the host-based firewall software.
The ISC said so far, its analysis has found that:
- Windows XP appears to be vulnerable only if SP2 is installed;
- Windows 2003 is vulnerable;
- On systems with multiple CPUs, only one CPU will be "maxed out." These systems remain responsive (but will be slower); and
- Hyperthreading systems (newer Pentium IVs) behave like dual CPU systems in that the total load reaches 50%.