"LAND" Attack Update (fwd)

Joe Shaw jshaw at insync.net
Sat Nov 22 03:28:03 UTC 1997


>BugTraq has a note that version 10.3(7) is vulnerable. I don't know which
>version of Cisco the IOS was running on.
>
>-- 
>Stan   | Academ Consulting Services        |internet: sob at academ.com
>Olan   | For more info on academ, see this |uucp: {mcsun|amdahl}!academ!sob
>Barber | URL- http://www.academ.com/academ |Opinions expressed are only mine.

Here's the post from bugtraq that details which operating systems and what
hardware/software versions of Cisco IOS are vulnerable.  I'm wondering, is
SYN a TCP small service?  I could usually find this out for myself, but my
102 degree fever is making it hard to think.  

Back to bed with me,
Joe Shaw - jshaw at insync.net
NetAdmin - Insync Internet Services



---------- Forwarded message ----------
Date: Fri, 21 Nov 1997 13:22:22 -0600
From: Aleph One <aleph1 at dfw.net>
To: BUGTRAQ at NETSPACE.ORG
Subject: Re: "LAND" Attack Update

The latest update. It seems that not many versions of IOS are affected.
The symptoms can also be strange. It will stop accepting connections, then
after 30 seconds it may stop processing ICMP echoes, and after
that it stops forwarding packets. So if you perform the test, wait a couple
of minutes and see if it is still up before you come to any conclusions. Ivan
Ganev also reports that testing against port 23 alone would not kill the
router but testing against the first 255 ports did.

From the reports it seems to be the older revisions of IOS (10.X and 11.0)
in certain hardware configurations and the Cisco 700 Series ISDN access
routers (not running IOS) that are vulnerable.

We keep getting conflicting reports for FreeBSD and OpenBSD. There are
enough reports and indications that those operating systems are indeed
vulnerable but the vulnerability may not show up in all configurations
depending on the environment, the intensity of cosmic rays, the phase of
the moon, and if the testing person is left or right handed.

An external "land" attack should not be an issue if you are filtering IP
address spoofing at your ingress routers. You _ARE_ doing so? Correct?
Well in case you forgot you can find Paul Ferguson's "Network Ingress
Filtering: Defeating Denial of Service Address Spoofing" Internet Draft at
ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt
I highly recommend you implement its recommendations. Of course you are
still at the mercy of those behind the filter.

The survey says:

AIX 3                                   IS  vulnerable
AIX 3.2                                 NOT vulnerable
AIX 4                                   NOT vulnerable
AIX 4.1                                 NOT vulnerable
BeOS Preview Release 2 PowerMac         IS  vulnerable
BSDI 2.1 (vanilla)                      IS  vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)   NOT vulnerable
BSDI 3.0                                NOT vulnerable
DG/UX R4.12                             NOT vulnerable
Digital UNIX 4.0                        NOT vulnerable
FreeBSD 2.2.2-RELEASE                   (conflicting reports)
FreeBSD 2.2.5-RELEASE                   (conflicting reports)
FreeBSD 2.2.5-STABLE                    (conflicting reports)
FreeBSD 3.0-CURRENT                     IS  vulnerable
HP External JetDirect Print Servers     IS  vulnerable
HP-UX 10.20                             IS  vulnerable
IRIX 5.3                                IS  vulnerable
IRIX 6.2                                NOT vulnerable
IRIX 6.3                                NOT vulnerable
IRIX 6.4                                NOT vulnerable
Linux 2.0.30                            NOT vulnerable
Linux 2.0.32                            NOT vulnerable
MacOS 7.5.1                             NOT vulnerable
MacOS 8.0                               IS  vulnerable (TCP/IP stack crashed)
MVS OS390 1.3                           NOT vulnerable
AIX 4.1                                 NOT vulnerable
NetApp NFS server 4.3                   IS  vulnerable
NetBSD 1.1                              IS  vulnerable
NetBSD 1.2                              IS  vulnerable
NetBSD 1.2a                             IS  vulnerable
NetBSD 1.2.1                            IS  vulnerable
NetBSD 1.3_ALPHA                        IS  vulnerable
NeXTSTEP 3.0                            IS  vulnerable
NeXTSTEP 3.1                            IS  vulnerable
Novell 4.11                             NOT vulnerable
OpenBSD 2.1                             (conflicting reports)
OS/2 3.0                                NOT vulnerable
QNX 4.24                                IS  vulnerable
OpenBSD 2.2 (Oct31)                     NOT vulnerable
SCO OpenServer 5.0.4                    NOT vulnerable
Solaris 2.4                             NOT vulnerable
Solaris 2.5.1                           NOT vulnerable
Solaris 2.6                             NOT vulnerable
SunOS 4.1.4                             IS  vulnerable
Ultrix ???                              NOT vulnerable
Windows 95 (vanilla)                    IS  vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE     IS  vulnerable
Windows NT (vanilla)                    IS  vulnerable
Windows NT + SP3                        IS  vulnerable
Windows NT + SP3 + simptcp-fix          IS  vulnerable

Some misc stuff:

3Com SuperStack II                      IS  vulnerable
Apple LaserWriter                       IS  vulnerable
Ascend 4000 5.0Ap20                     NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16          NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13          NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R) NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router     IS  vulnerable
Cisco IOS 10.3(7)                       IS  vulnerable
Cisco IOS 11.1(13)                      NOT vulnerable
Cisco 1003 IOS 11.0                     NOT vulnerable
Cisco 1005 IOS 11.0(4)                  NOT vulnerable
Cisco 1600 IOS 11.0(6) fc1              IS  vulnerable
Cisco 1601 IOS 11.1(8) AA               NOT vulnerable
Cisco 1601 IOS 11.1(10)AA               NOT vulnerable
Cisco 2500 IOS 11.0(9)                  NOT vulnerable
Cisco 2500 IOS 11.1(6) fc1              IS  vulnerable
Cisco 2500 IOS 11.1(10)                 NOT vulnerable
Cisco 2501 IOS 10.2                     IS  vulnerable
Cisco 2501 IOS 10.2(2)                  IS  vulnerable
Cisco 2501 IOS 10.(7)                   IS  vulnerable
Cisco 2501 IOS 11.1(9)                  NOT vulnerable
Cisco 2501 IOS 11.2(4)P                 NOT vulnerable
Cisco 2503 IOS 11.0(9)                  IS  vulnerable
Cisco 2509 IOS 11.1                     NOT vulnerable
Cisco 2511 IOS ???                      IS  vulnerable
Cisco 2511 IOS 10.3(4)                  NOT vulnerable
Cisco 2511 IOS 11.1(8)                  NOT vulnerable
Cisco 2511 IOS 11.2(4)                  NOT vulnerable
Cisco 2514 IOS 11.2(5)                  NOT vulnerable
Cisco 3102 IOS 9.X                      IS  vulnerable
Cisco 4000 IOS 11.0(7)                  NOT vulnerable
Cisco 4000 IOS 11.1(6)                  NOT vulnerable
Cisco 4000 IOS 11.2(4) fc1              NOT vulnerable
Cisco 4000 IOS 11.2(9)                  NOT vulnerable
Cisco 4500 IOS 10.13(15)                IS  vulnerable
Cisco 4500 IOS 11.2(9)                  NOT vulnerable
Cisco 4700M IOS 11.0(16)                NOT vulnerable
Cisco 7000 IOS 11.0(1)                  NOT vulnerable
Cisco 7000 IOS 11.0(16)                 NOT vulnerable
Cisco 7000 IOS 11.1(12)                 NOT vulnerable
Cisco 7000 IOS 11.2(8)                  NOT vulnerable
Cisco 7507 IOS 11.0(17)                 NOT vulnerable
Cisco 753 OS Release 4                  IS  vulnerable
Cisco 753 OS Release 4.0                IS  vulnerable
Cisco 754 OS Release 4.1                IS  vulnerable
Cisco 761 OS Release 4.0(1)             IS  vulnerable
Cisco Catalyst 5000                     IS  vulnerable
Digital VT1200                          IS  vulnerable
HP Envizex Terminal                     IS  vulnerable
LaserJet Printer                        NOT vulnerable
Livingston Office Router (ISDN)         IS  vulnerable
Livingston PM ComOS 3.3.3               NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2      NOT vulnerable
Livingston PM ComOS 3.7L                NOT vulnerable
Livingston Enterprise PM 3.4 2L         NOT vulnerable
Milkyway Firewall 3.02 (SunOS)          IS  vulnerable
NCD X Terminals, NCDWare v3.1.0         IS  vulnerable
NCD X Terminals, NCDWare v3.2.1         IS  vulnerable
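
The ingress-filtering advice in the forwarded post, as an added example that is not part of the original messages: a border-filter decision function that drops packets arriving from outside with an inside source address, and also flags the "land" pattern (a TCP SYN whose source address and port equal its destination) for traffic from hosts behind the filter. The prefix 192.0.2.0/24, the function names and the sample packets are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed example value: the prefix behind the ingress router (documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None                                # bad header, not TCP, or truncated
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                          # TCP flags byte
    return src, dst, sport, dport, flags

def ingress_verdict(pkt: bytes, arrived_external: bool) -> str:
    """Decide what a border filter should do with one packet."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return "pass"                              # outside this example's scope
    src, dst, sport, dport, flags = parsed
    # Ingress filtering: nothing arriving from outside may claim an inside source.
    if arrived_external and src in INTERNAL_NET:
        return "drop-spoofed-source"
    # Same address, same port, SYN set: the "land" pattern from behind the filter.
    if src == dst and sport == dport and flags & 0x02:
        return "drop-land"
    return "pass"

def build_sample(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test input: 20-byte IPv4 + 20-byte TCP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)
    return ip + tcp
```

The first rule is the one the draft recommends at the ingress router; the second only matters for the case the post calls being "at the mercy of those behind the filter".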




