New twist on an old exploit
Nearly a decade after the disclosure of the exploit code for the original LAND attack, remote variants of the attack have resurfaced (see Remote LanD Attack). One variant affects Microsoft Windows Server 2003 (W2K3) and Windows XP SP2 when Windows Firewall is disabled (see CVE-2005-0688). Others appear to affect a wide range of consumer grade DSL/cable modems, broadband access routers, and even some entry-level enterprise firewalls, e.g., the kind typically deployed by businesses with T1 access circuits.
The original LAND attack sent a TCP SYN segment to an open port on the victim's host, with both the source and destination address fields in the IP header set to the victim's IP address and both ports set to the same open port (i.e., from 10.0.0.1:139 to 10.0.0.1:139). In 1997, this attack caused systems to crash, BSOD, or reboot. Justin Wray and friends discovered two variants of the remote LAND exploit that create denial of service conditions.
In the first case, an attacker sends a TCP segment with the ACK, SYN, PUSH and URG flags set. He sets the destination IP address to the external (public) IP address of a target cable modem or broadband router/firewall, and sets the source IP address to the *private* IP address assigned to the target device's internal interface. This causes the modem or access router to fail in several ways (vendor dependent). The private address of many consumer grade broadband access devices is easily guessed: most use the RFC 1918 private block 192.168.0.0/16, typically a single /24, and assign the router itself 192.168.0.1, 192.168.1.1, and so on.
In the second case, the attacker again sends a TCP segment with the ACK, SYN, PUSH and URG flags set, again setting the destination IP address to the external (public) IP address of the target cable modem or broadband router/firewall, but sets the source IP address to a broadcast address. This causes the hosts on the private network to flood the broadband access device with responses.
Both attacks can be performed with a packet-crafting utility like hping2; no special code is required.
Strictly speaking, these attacks differ from a traditional LAND attack - the source and destination IP addresses are not identical - but both addresses belong to the same device (its public and private sides), and the attacks have similar impacts.
The Microsoft patches have been available for some time. Several vendor products require patching (find the list in the referenced URL). A workaround for firewalls and routers exploitable in this manner is to add a firewall rule or ACL that drops all traffic arriving at the external interface with an internally assigned or broadcast source address, i.e., ordinary anti-spoofing ingress filtering (this should be Firewall 101 by now). But as Wray observes, if the modem in front of the firewall/router is itself vulnerable, it fails before the traffic is ever delivered to the firewall/router, so the rule never gets a chance to act.
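To make the packets and the workaround concrete, here is an added example (mine, not code from the original post or from Wray's write-up) that builds the three segments described above as raw IPv4/TCP bytes and runs them through a minimal external-interface ingress filter of the kind the workaround above recommends. The addresses are assumptions for the example: a public side of 203.0.113.5 (an RFC 5737 documentation address), a private side of 192.168.1.0/24 with the router at 192.168.1.1, and a legitimate peer at 198.51.100.7. The ports and the function names are likewise mine. TCP checksums are left zero because no host ever receives these bytes; hping2 fills them in for real traffic.

```python
# Added example, not from the original post: craft the LAND-style segments
# described above as raw bytes and classify them with a "Firewall 101"
# anti-spoofing ingress filter for the external interface.
import ipaddress
import struct

TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x02, 0x08, 0x10, 0x20

PUBLIC_IP = "203.0.113.5"                               # assumed WAN address of the target device
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN behind it
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over an IPv4 header (returns 0 for a valid one)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """20-byte IPv4 header (checksummed) + 20-byte TCP header with no options."""
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum (left 0), urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(pkt: bytes) -> dict:
    """Extract only what the filter needs: addresses, ports and the TCP flag byte."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": ipaddress.ip_address(pkt[12:16]), "dst": ipaddress.ip_address(pkt[16:20]),
            "sport": sport, "dport": dport, "flags": pkt[ihl + 13]}


def external_ingress_verdict(pkt: bytes) -> str:
    """Verdict for a packet arriving on the *external* interface.

    Drops the classic LAND case (src == dst), any broadcast source, and any
    RFC 1918 source; together these cover all three attacks described above.
    """
    p = parse_segment(pkt)
    src, dst = p["src"], p["dst"]
    if src == dst:
        return "drop: land (src == dst)"
    if src == LIMITED_BROADCAST or src == INTERNAL_NET.broadcast_address:
        return "drop: broadcast source"
    if any(src in net for net in RFC1918):
        return "drop: private source on external interface"
    return "accept"


def land_variants() -> dict:
    """Constructed sample input: the three segments discussed, plus one legitimate SYN."""
    aspu = TCP_ACK | TCP_SYN | TCP_PSH | TCP_URG
    return {
        "classic": build_segment(PUBLIC_IP, PUBLIC_IP, 139, 139, TCP_SYN),
        "private_src": build_segment("192.168.1.1", PUBLIC_IP, 80, 80, aspu),
        "broadcast_src": build_segment(str(INTERNAL_NET.broadcast_address), PUBLIC_IP, 80, 80, aspu),
        "legit": build_segment("198.51.100.7", PUBLIC_IP, 40000, 80, TCP_SYN),
    }


if __name__ == "__main__":
    for name, pkt in land_variants().items():
        p = parse_segment(pkt)
        print(f"{name:14s} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"flags=0x{p['flags']:02x}  {external_ingress_verdict(pkt)}")
```

The filter checks source addresses only, which is all the workaround needs: nothing with a private or broadcast source can legitimately arrive from the Internet side, so the ACL stays valid regardless of which flag combination a future variant uses.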
I think this is an interesting exploit for several reasons. First, it illustrates how quickly one "generation" of programmers forgets the lessons learned less than a decade ago, and emphasizes how desperately our industry needs to teach secure coding techniques and invest more in quality assurance. Second, it is a unique example of an exploit that spans many classes of systems and operating systems. Third, it is an example of an attack that will probably succeed for a long time, since it exploits consumer grade technology, and as Wray observed in an email exchange, few consumers are savvy enough to perform a firmware upgrade on a network device, and many simply won't try. What a considerate pre-Christmas gift for broadband help desk operators.
Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID481
by Dave Piscitello