Old-School DoS Attack Can Penetrate XP SP2

Microsoft's newest operating systems can be penetrated by a denial-of-service attack that dates back to 1997. Redmond downplays the threat to customers.

Microsoft Corp.s newest operating systems can be penetrated by an old-school-type denial-of-service attack, according to a warning from a security researcher.

In a SecurityFocus advisory, researcher Dejan Levaja warned that Windows Server 2003 and XP Service Pack 2 (with Windows Firewall turned off) could lead to LAND attacks.

A LAND attack is a remote denial-of-service condition caused by sending a packet to a machine with the source host/port the same as the destination host/port. The LAND attack scenario was discussed in 1997 by Carnegie Mellons CERT Coordination Center.

Using widely available reverse-engineering tools, Levaja found that a single LAND packet sent to a file server could cause Windows Explorer to freeze on all workstations connected to that server. "CPU on server goes 100% [and] network monitor on the victim server sometimes can not even sniff malicious packet," Levaja warned.

He said the script could be replayed endlessly to cause a total collapse of the network.

A spokeswoman for Microsoft confirmed Levajas findings but downplayed the risk to customers.

"Our initial investigation has revealed that this reported vulnerability cannot be used by an attacker to run malicious software on a computer. At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time," the spokeswoman said in a statement sent to eWEEK.com.


For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

She said customers running the Windows Firewall, enabled by default on Windows XP SP2, are not impacted by this issue. Microsoft suggests that customers adopt TCP/IP hardening practices to protect against denial-of-service attacks.

In the absence of a patch from Microsoft, security research outfit Secunia recommends that affected users filter traffic with the same IP address as source and destination address.


Check out eWEEK.coms for the latest security news, reviews and analysis.