
March 8, 2005 1:16 PM PST

Denial-of-service glitch could threaten Windows

Security researchers have published details of a denial-of-service vulnerability that could enable hackers to attack Microsoft Windows and spin computers into senseless processing loops.

Posting to the SecurityFocus industry forum site late Monday, an individual identified only as Dejan Levaja first described how the threat, known as a LAND attack after the proof-of-concept program that first demonstrated it, could affect Windows users by needlessly occupying their computers' processing power.

In such an attack, an individual sends a spoofed TCP SYN packet to a Windows machine in which the source IP address and port are identical to the destination IP address and port, so the machine's network stack treats the packet as having come from itself and spins trying to process it.

Despite admitting that the potential for LAND attacks is real, Microsoft downplayed the impact of the vulnerability's exploitation, saying such an effort would only slow a Windows computer, not force it to crash. The company said the attacks can be largely avoided by merely employing the firewall tools it includes with its Windows operating system.

"Our initial investigation has revealed that this reported vulnerability cannot be used by an attacker to run malicious software on a computer," Microsoft said in a statement. "At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time."

At least one researcher says Microsoft's claim appears to ring true. Jason Lam, an incident handler at the SANS Internet Storm Center, said existing attacks have not been able to take down computers entirely.

"We have not seen crashes," Lam said. "So far, we have seen the Windows OS do a local loop. The victim's machine is seeing packets from itself, so it is freaking out and doesn't know what to do, and it is using up a lot of resources trying to figure out what is going on."

Such threats are nothing new. Lam pointed out that LAND attacks first appeared as early as 1997 and have resurfaced for some unknown reason.

"This is old, and somehow, it just reappeared again," he said. "Same attack, same strategy."

Security watchdogs at Secunia said the bug that allows the LAND attack stems from improper handling of IP packets whose source and destination addresses are identical, which causes the system to consume all available CPU resources.

"It's kind of serious if you have some systems that aren't firewalled," said Thomas Kristensen, Secunia's chief technology officer. "Proper filtering would stop this. But some people don't have a firewall on their systems. They are certainly at an increased risk."

Kristensen said that in some extreme cases, a LAND attack could indeed bring a targeted machine to its knees.

"The system is not able to process this," he said. "It could bring (a computer) to a complete halt. You need special tools to do this, but it's easy to do."

The headline is inappropriate
by bobby_brady March 8, 2005 1:24 PM PST
This isn't anything new, yet the headline leads you to believe otherwise.
Irrelevant Heading
by folsco March 9, 2005 6:55 AM PST
Indeed, not relevant.
Think it's something very new.
That cannot be referred to as a flaw.
misleading......
by Prndll March 8, 2005 4:01 PM PST
Not only is this nothing new, it is also a method.

If you visit a properly coded webpage (could be "any" page), a user's resources can become so overwhelmed that a complete system restart becomes the only solution. In some cases, the system will blue-screen or lock up, forcing a system reboot. This really isn't that big of a deal. The real problem is that with a system reboot, the registry re-initializes. This means that any program acquired from the website could be fully installed.

You go to a website; within a matter of milliseconds, the site downloads a program onto your system. The site is coded in such a way that a popup comes up, and it is that popup that is coded to use up all your system's resources, producing a lockup or bluescreen. Not being able to do anything else, you do a hard reboot. Then the initial program gets completely installed.

All because you went to the wrong site. It could be "any" site. Not just a porn site. It could even be Microsoft's website if it gets hacked. Just think about what that could mean for the Windows Update process.

Just something to think about........
What?
by catchall March 8, 2005 8:57 PM PST
Try this. Change your taskbar. Add a toolbar, remove a toolbar. Then crash your system (MAKE SURE THAT EVERYTHING IS SAVED AND BACKED UP). Do so by pressing the power key and holding it until the system shuts down. On restart, you will note the changes have not been saved. The registry (for the most part) is saved on shutdown. Crash the system, goodbye changes.

Now, back to your example. On any system, if you download a program, it will run in your user context. Mac, Linux, Windows, any of them. If you download it (from any site; imagine Apple's update site getting hacked), you're pretty much screwed.

As you said, 'Just something to think about........'
What article did you read?
by aabcdefghij987654321 March 9, 2005 6:55 AM PST
What's all this noise about going to web pages and having software installed on your system? Where on earth did you find that in the article? This particular problem isn't anything like what you described.

This article is about a particular type of malformed packet being sent over the network to a target computer. Its utility in an attack is that the attacked machine can be kept so busy that it cannot perform the work it's intended to do, but only as long as you have an attacking machine sending those malformed packets.

The article isn't that clear about how such an attack would be used, but there's no way it came even close to what you're describing.
Strewth!
by Andrew J Glina March 9, 2005 7:14 PM PST
You should be writing movies!
" ..have resurfaced for some unknown reason."
by Bill Dautrive March 8, 2005 4:30 PM PST
I will bet dollars to donuts that the reason this surfaced again is due to the practice of finding 'workarounds'. They never really fixed it to begin with, just implemented a workaround, and something in the workaround was changed or broken by accident. So the issue pops up again, when it should have been fixed right the first time. Actually it should have been written correctly the first time.

It may not be this, just my bet.
It is not
by aabcdefghij987654321 March 9, 2005 6:49 AM PST
It's not so much a single issue (the article is a little misleading) as it is yet another case of finding something that can cause a problem. This is just another example of a category of attacks where a malformed IP packet can cause the receiving computer to do something other than (or in addition to) discarding the defective packet.

There were a number of these kinds of attacks found a few years ago, the effects ranged from complete system crashes to causing the receiving system to echo the malformed packets to some other destination (helping to hide the attacker from an ultimate target).

The real surprise here is that it's been so long since one of this form of attack has been found.
The fix is easy... why haven't they done it?
by wbenton March 10, 2005 2:05 AM PST
All it requires is a modification to the IP Stack handling process.

The fix would be something like the following:

1. The NIC (Network Interface Card) receives a packet and forwards it up the OSI model from layer 1 to layer 2. Up to this point, only the MAC (Media Access Control) address is looked at.

2. Layer 2 then picks up and prepares to send the packet to the proper layer 3 depending on the network/protocol used. (In this case, TCP/IP is the protocol.)

3. Layer 3 looks at the IP address and further processes the packet accordingly.

It's here at Layer 3 where a simple source & destination could be compared and if both are the same... then trash the packet... otherwise process it as normal and forward it to Layer 4.

So why hasn't Microsoft done anything about it all this time?

I'd be interested in reading the answer to that in a future News column.
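The packet the article describes in its third paragraph, and the layer-3 comparison wbenton proposes in the comment above, as an added example that is not part of the article, the thread, or any vendor code. It decodes a raw IPv4/TCP packet and drops it when the source address equals the destination address. The packet builder, the 192.0.2.x addresses and the port numbers are constructed here purely for the demonstration; the checksums are left at zero because the bytes never go on a wire.

```python
"""Layer-3 LAND check: drop IPv4 packets whose source address equals their
destination address. Added example; the builder and all sample values are
constructed for this demonstration and are not from the original page."""
import ipaddress
import struct


def build_ipv4_tcp_syn(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN packet (checksums left zero) as test input."""
    ihl = 5                                  # 20-byte IPv4 header, no options
    total_len = ihl * 4 + 20                 # plus a 20-byte TCP header, no payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                      # version 4, IHL 5
        0,                                   # DSCP/ECN
        total_len,
        0x1234,                              # identification (constructed value)
        0x4000,                              # flags: DF, fragment offset 0
        64,                                  # TTL
        6,                                   # protocol: TCP
        0,                                   # header checksum (not computed)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,                                # sequence, acknowledgement
        5 << 4,                              # data offset: 5 words, no options
        0x02,                                # flags: SYN only
        8192, 0, 0,                          # window, checksum (zero), urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode only the fields the LAND check needs.
    Raises ValueError for a packet too short or malformed to judge."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    fields = {
        "proto": pkt[9],
        "src_ip": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(pkt[16:20])),
        "src_port": None,
        "dst_port": None,
        "syn": False,
    }
    if fields["proto"] == 6:                 # TCP: pull ports and the SYN flag
        if len(pkt) < ihl + 20:
            raise ValueError("truncated TCP header")
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        fields["syn"] = bool(pkt[ihl + 13] & 0x02)
    return fields


def land_verdict(pkt: bytes) -> str:
    """Return 'drop' for a LAND packet (or one too broken to parse), else 'accept'.
    Equal addresses alone justify the drop: a packet arriving from the network
    can never legitimately carry the receiver's own address as its source.
    Equal ports are the classic LAND signature but are not required here."""
    try:
        f = parse_ipv4_tcp(pkt)
    except ValueError:
        return "drop"
    if f["src_ip"] == f["dst_ip"]:
        return "drop"
    return "accept"


def filter_packets(packets):
    """Split a batch into (accepted, dropped) lists, as a layer-3 filter would."""
    accepted, dropped = [], []
    for p in packets:
        (accepted if land_verdict(p) == "accept" else dropped).append(p)
    return accepted, dropped


if __name__ == "__main__":
    victim = "192.0.2.10"                    # constructed address from TEST-NET-1
    land = build_ipv4_tcp_syn(victim, 139, victim, 139)          # classic LAND SYN
    normal = build_ipv4_tcp_syn("192.0.2.77", 40213, victim, 139)  # ordinary SYN
    for name, p in (("land", land), ("normal", normal)):
        f = parse_ipv4_tcp(p)
        print(f"{name}: {f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
              f"syn={f['syn']} verdict={land_verdict(p)}")
```

The verdict is made on addresses alone rather than on the address-and-port pair, because a host sees its own address as a source only on loopback, never on a physical interface, so the rule has no legitimate traffic to misclassify and also catches variants that only change the port. Unparseable packets are dropped too, since a check that accepts what it cannot decode is the kind of gap that lets a malformed packet reach the code the article says loops on it.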
This sounds familier.....
by Prndll March 10, 2005 3:15 PM PST
....sounds a lot like a NAND logic gate controlling a ground-side switching transistor.