A LAND (Local Area Network Denial) attack is a DoS (Denial of Service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up. The security flaw was actually first discovered in 1997 by someone using the alias "m3lt", and has resurfaced many years later in operating systems such as Windows Server 2003 and Windows XP SP2.
How it works?
The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. It is, however, distinct from theTCP SYN Flood vulnerability.
A LAND attack involves IP packets where the source and destination address are set to address the same device. This causes the machine to reply to itself continuously.
Other LAND attacks have since been found in services like SNMP and Windows 88/tcp (kerberos/global services). These were design flaws where the devices accepted requests on the wire appearing to be from themselves, causing repeated replies.
Below is a list of vulnerable operating systems (discovered by testing on various machines):
· AIX 3.0
· AmigaOS AmiTCP 4.2 (Kickstart 3.0)
· BeOS Preview release 2 PowerMac
· BSDi 2.0 and 2.1
· Digital VMS
· FreeBSD 2.2.5-RELEASE and 3.0 (Fixed after required updates)
· HP External JetDirect Print Servers
· IBM AS/400 OS7400 3.7
· Irix 5.2 and 5.3
· Mac OS MacTCP, 7.6.1 OpenTransport 1.1.2 and 8.0
· NetApp NFS server 4.1d and 4.3
· NetBSD 1.1 to 1.3 (Fixed after required updates)
· NeXTSTEP 3.0 and 3.1
· Novell 4.11
· OpenVMS 7.1 with UCX 4.1-7
· QNX 4.24
· Rhapsody Developer Release
· SCO OpenServer 5.0.2 SMP, 5.0.4
· SCO Unixware 2.1.1 and 2.1.2
· SunOS 4.1.3 and 4.1.4
· Windows 95, NT and XP SP2
How to avoid being attacked:
Most firewalls should intercept the poison packet thus protecting the host from this attack. Some operating systems released updates fixing this security hole. In addition, routers should be configured with both ingress and egress filters to block traffic where the source IP address is the same as the destination because they should block any source address within the same address space as the destination.