We used the newland.exe v0.1 "proof of concept" program to "attack" some of
our Windows 2003 Server boxes. In all cases, the target system's CPU usage
went to 100% and stayed like that for 20-30s after the "attack" stopped.
We were able to prevent the 100% CPU utilization by setting the value of
"SynAttackProtect" to 1 or 2 in the TCP/IP parameters:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect = 1 (DWORD)
Target systems: Windows 2003 Server Enterprise and Standard editions (didn't
work in Windows XP SP2).
More info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324270
Marcio Vieira
Southeast Missouri State University
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of James Rankin
Sent: Tuesday, March 08, 2005 7:26 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: LAND attack vulnerability on Windows Server 2003 and
Windows XP
A LAND attack vulnerability has been highlighted in Windows
XP and Windows Server 2003 by Dejan Levaja
http://www.securityfocus.com/archive/1/392354
It was later highlighted by CA as a High risk
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32520
There has been no vendor response to this as yet. Initial
testing suggests it works with mixed results on 2003 and XP SP2.
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
