4 December 1997, Network World: Hackers Out for IP Blood with New Land Attack

The Internet underworld last week unsheathed a new weapon capable of knocking out IP-based routers and servers, sending vendors scrambling to find ways to safeguard their gear. Land Attack, officially known by the name of the land.c program code, was posted on the Net by someone called "Meltman" and used last week in attacks on Cisco Systems, Inc. routers and Unix and Windows NT servers. Some of the targeted machines were slowed to a crawl, while others had to be rebooted.

Land Attack represents a new twist on the dreaded "TCP SYN flooding" denial-of-service attack, in which a hacker ties up a port on a network device or causes it to crash by flooding it with unwanted synchronization (SYN) packets. SYN packets are used to establish network connections in the three-way synchronize-acknowledge (SYN-ACK) handshake needed to set up a Web, telnet, File Transfer Protocol or Simple Mail Transfer Protocol session.

But unlike TCP SYN flooding, Land Attack sends just one sinister SYN packet in which the sending device's IP address has been swapped out for the IP address of the destination machine; land.c also sets the source port equal to the destination port, so the packet appears to come from the very socket it is addressed to. When the destination machine tries to acknowledge receipt of the transmission, it ends up using its own address, which means it sends the reply to itself, resulting in a potentially fatal loopback condition: on a vulnerable TCP stack the machine's own reply is treated as new input, and the loop can consume the processor until the system hangs or crashes.

"If someone could find a way to use this Land Attack program to spread this across the Internet, it could cause major service disruptions," said Chris Klaus, chief technology officer at Internet Security Systems, Inc., whose software is aimed at detecting network-based intrusions and attacks.

After some quick testing with Land Attack, vendors rapidly issued a long and unofficial list of network gear determined to be "vulnerable" or "not vulnerable," with effects ranging from 60-second slowdowns to total collapse. While Proteon, Inc. network gear and Hewlett-Packard Co. Unix machines appeared on the clean list, the news was not as good for Cisco routers, which form the heart of the Internet.

Cisco, which received multiple reports that its routers were targeted, issued a general alert informing users that land.c can be used to launch denial-of-service attacks against the Classic IOS software used on Cisco routers with product numbers greater than 1000. It also listed the software on its CGS/MGS/AGS+ and CS-500 gear as vulnerable. The company said the effect on the Cisco IOS/700 software used on Cisco 7xx routers "is more devastating than the Classic IOS software." But it went on to say that most customers use firewalls to separate 7xx routers from the Internet, minimizing the threat. The company said the Cisco Catalyst 5000 LAN switches also are vulnerable, but they can be safeguarded by removing their IP addresses. This, however, has the effect of disabling remote management, Cisco noted. The company added that the Cisco PIX firewall "appears not to be affected." As of press time, Cisco had issued patches for some, but not all, of its gear. It advised users to visit www.cisco.com for field alerts on Land Attack.

Microsoft Corp., whose Windows 95 and NT operating systems made the "vulnerable" list, downplayed the extent of the damage caused by Land Attack. "We tested NT 4.0 with our Service Pack 3, and Land Attack just slows it down for 60 seconds and then resumes normal operations," said Karan Khanna, Microsoft product manager for NT. Microsoft planned to issue a patch by today.

Sun Microsystems, Inc., whose Solaris boxes generally were listed as not vulnerable, did get a vulnerable rating for SunOS 1.4. A Sun spokesman said the company was not aware of the security uproar surrounding Land Attack.
---------- 4 December 1997, Business Wire: WheelGroup Announces Security Solution for Dangerous New Land and Teardrop Internet Attacks

San Antonio -- WheelGroup Corporation has developed a solution to protect networks from the recently publicized "Land" and "Teardrop" Internet attacks by leveraging its best-of-breed NetRanger intrusion detection system. Both the Land and Teardrop attacks primarily target IP-based routers and servers, including Unix and Windows NT servers. Both also can be classified as "denial-of-service" attacks, which can temporarily disable key servers or entire networks and present a particularly onerous problem to e-commerce sites, Internet Service Providers (ISPs) and other organizations that depend on mission-critical networks.

WheelGroup's Countermeasures and Research group has identified and tested solutions to both of these new attacks using the company's flagship NetRanger intrusion detection and network security management system. As a result, WheelGroup is currently deploying the newly developed countermeasures to NetRanger systems at commercial and military customer sites worldwide.

Because NetRanger looks into the data stream of a network connection and analyzes the content and context of the individual packet payloads and headers, the system is able to analyze inbound and outbound data at a high level of granularity without significant effects on performance. Unlike traditional security systems, NetRanger can search for network misuse, in real time, even within authorized activity such as seemingly legitimate telnet or FTP sessions. When NetRanger detects unauthorized activity, such as the inherent characteristics of Land and Teardrop attacks, it sends an alarm with details and analysis of the attack to a central management system. NetRanger can also quickly eliminate the attack in several different ways, including dynamically reconfiguring the Access Control Lists (ACLs) on Cisco routers.
This enables NetRanger to permanently block the attacker from accessing the network in the future.

"Much of the publicity regarding the Land attack has focused on its potential use against perimeter routers and key network servers. As a result, most network-intensive organizations and ISPs, in particular, may be concerned," said Dave King, WheelGroup's Vice President for Marketing. "Since NetRanger works in conjunction with a wide range of network devices and can quickly stop these attacks, WheelGroup can provide a robust, effective security solution for the vast majority of the networking systems in the market."

About the attacks: The Land attack -- named after the program "land.c," which implements it -- can cause a computer or network device to crash or lose service for a period of time. The attack, a derivative of "IP spoofing," involves sending a machine a TCP SYN packet whose source address (and, in land.c, source port) has been forged to match the destination address and port, so that the packet claims to come from the destination machine itself. When the machine attempts to acknowledge the packet, it responds to itself and thereby sets up a continuous loop. This looping ties up the machine and can cause it to crash or to suffer massive performance delays. One caveat follows from the spoofing: because the source address on the wire is the victim's own, the packet carries no attacker address to block, so an effective filter is one that drops packets arriving from outside that bear one of the protected host's or router's own addresses as their source.

The Teardrop attack involves creating and sending IP fragments whose offsets and lengths overlap in such a way as to exploit an arithmetic error in the software that reassembles packet fragments: when the reassembler trims the overlapping portion, the remaining length comes out negative and is then treated as a very large unsigned count. The resulting attempt to copy far more data than the fragment holds corrupts memory and usually causes the machine to crash.

"New attacks are generated on a frequent basis," said Kevin Ziese, Director of Research and co-founder of WheelGroup Corporation. "By maintaining a constant watch on network activity and leveraging the dynamic updating capabilities of NetRanger, we are committed to ensuring our customer base has the ability to counter even the newest of threats."
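The two signatures described in these articles, as an added example that is not part of either article nor of WheelGroup's NetRanger or any vendor's code: a byte-level Land detector that reads the IPv4 and TCP headers from a packet buffer, and a small model of the fragment-overlap arithmetic behind Teardrop, with the vulnerable computation beside the check that fixes it. The packet bytes, the address 10.0.0.5 and the ports 139/1025 are constructed for the example; the reassembly model follows the general shape of the 1997 bug (trim the overlap, then copy end minus start bytes), not any particular operating system's source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte-order helpers for reading and writing big-endian header fields. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Land signature (RFC 791 IPv4 header followed by RFC 793 TCP header):
 * a SYN whose source address:port equals its destination address:port.
 * Returns 1 if matched, 0 if not, -1 if the buffer is too short or not IPv4.
 * Checksums are not verified; an ingress filter would not rely on them either. */
int is_land_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* IP header length, options included */
    if (ihl < 20 || len < ihl + 20) return -1;
    if (pkt[9] != 6) return 0;                          /* protocol 6 = TCP */
    uint32_t src = be32(pkt + 12), dst = be32(pkt + 16);
    const uint8_t *tcp = pkt + ihl;
    uint16_t sport = be16(tcp), dport = be16(tcp + 2);
    int syn_without_ack = (tcp[13] & 0x12) == 0x02;     /* TCP flags byte: SYN set, ACK clear */
    return (src == dst && sport == dport && syn_without_ack) ? 1 : 0;
}

/* Builds a minimal 40-byte IPv4 + TCP SYN into buf. Constructed test data:
 * checksums stay zero because the detector above does not check them. */
size_t build_syn(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    memset(buf, 0, 40);
    buf[0] = 0x45;                    /* version 4, IHL 5 (20-byte header) */
    put16(buf + 2, 40);               /* total length */
    buf[8] = 64;                      /* TTL */
    buf[9] = 6;                       /* TCP */
    put32(buf + 12, src);
    put32(buf + 16, dst);
    put16(buf + 20, sport);
    put16(buf + 22, dport);
    buf[32] = 0x50;                   /* data offset 5 (20-byte TCP header) */
    buf[33] = 0x02;                   /* flags: SYN */
    return 40;
}

/* Runs the detector on a constructed packet addressed to 10.0.0.5:139.
 * same_host forges the source address to 10.0.0.5 (else 10.0.0.1);
 * same_port forges the source port to 139 (else 1025). */
int land_demo(int same_host, int same_port) {
    uint8_t pkt[40];
    uint32_t dst = 0x0a000005u;       /* 10.0.0.5, a constructed target address */
    size_t n = build_syn(pkt, same_host ? dst : 0x0a000001u, dst,
                         same_port ? 139 : 1025, 139);
    return is_land_packet(pkt, n);
}

/* Teardrop model. Reassemblers of the day trimmed a fragment that overlapped
 * the previous one by moving its start up to prev_end, then copied
 * (end - start) bytes. If the new fragment ended *inside* the previous one,
 * that subtraction went negative and reached memcpy() as a huge unsigned
 * count. Offsets and ends are byte positions within the reassembled datagram.
 * hardened=1 adds the check the fix introduced: drop a fragment with nothing
 * left after trimming. Returns the byte count that would be copied. */
size_t fragment_copy_length(unsigned prev_end, unsigned offset, unsigned end, int hardened) {
    if (offset < prev_end) offset = prev_end;       /* trim the overlap with the previous fragment */
    if (hardened && end <= offset) return 0;        /* fixed code: fragment fully covered, drop it */
    return (size_t)(end - offset);                  /* wraps to about 4 GB when end < offset */
}

int main(void) {
    printf("land (same host, same port):  %d\n", land_demo(1, 1));
    printf("land (same host, other port): %d\n", land_demo(1, 0));
    printf("land (other host, same port): %d\n", land_demo(0, 1));
    /* Teardrop-style pair: fragment 1 covers bytes 0..36, fragment 2 claims 24..28. */
    printf("teardrop copy, vulnerable: %zu bytes\n", fragment_copy_length(36, 24, 28, 0));
    printf("teardrop copy, hardened:   %zu bytes\n", fragment_copy_length(36, 24, 28, 1));
    return 0;
}
```

The detector only fires on SYN-without-ACK so that a mid-session packet with a forged address is not mistaken for Land; a router ACL that denies the router's own addresses as source on the Internet-facing interface achieves the same effect without inspecting TCP at all. The Teardrop model shows why the fix is a comparison and not a bigger buffer: a fragment that is entirely inside the previous one is simply discarded.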
More information about WheelGroup's security technology, professional services, and strategic relationships may be obtained via the Internet at http://www.wheelgroup.com . ----------