Denial-of-service glitch could threaten Windows

Well-known flaw in handling IP packets surfaces in Windows, but Microsoft denies that "LAND attacks" are serious threat.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
2 min read
Security researchers have published details of a denial-of-service vulnerability that could enable hackers to attack Microsoft Windows and spin computers into senseless processing loops.

Posting to the SecurityFocus industry forum site late Monday, an individual identified only as Dejan Levaja first described how the threat, known technically as a LAND attack for the type of code that triggers it, could affect Windows users by needlessly occupying their computers' processing power.

Using such an approach, an individual typically sends a packet of data to a Windows machine using a command that features the same source host and destination host information, thereby sending the computer running in circles.

Despite admitting that the potential for LAND attacks is real, Microsoft downplayed the impact of the vulnerability's exploitation, saying such an effort would only slow a Windows computer, not force it to crash. The company said the attacks can be largely avoided by merely employing the firewall tools it includes with its Windows operating system.

"Our initial investigation has revealed that this reported vulnerability cannot be used by an attacker to run malicious software on a computer," Microsoft said in a statement. "At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time."

At least one researcher says Microsoft's claim appears to ring true. Jason Lam, an incident handler at the SANS Internet Storm Center, said existing attacks have not been able to take down computers entirely.

"We have not seen crashes," Lam said. "So far, we have seen the Windows OS do a local loop. The victim's machine is seeing packets from itself, so it is freaking out and doesn't know what to do, and it is using up a lot of resources trying to figure out what is going on."

Such threats are nothing new. Lam pointed out that LAND attacks first appeared as early as 1997 and have resurfaced for some unknown reason.

"This is old, and somehow, it just reappeared again," he said. "Same attack, same strategy."

Security watchdogs at Secunia said software bugs such as the one which allows for the LAND attacks are caused by improper handling of IP packets with the same destination and source IP, which causes a system to consume all available CPU resources.

"It's kind of serious if you have some systems that aren't firewalled," said Thomas Kristensen, Secunia's chief technology officer. "Proper filtering would stop this. But some people don't have a firewall on their systems. They are certainly at an increased risk."

Kristensen said that in some extreme cases, a LAND attack could indeed bring an infected machine to its knees.

"The system is not able to process this," he said. "It could bring (a computer) to a complete halt. You need special tools to do this, but it's easy to do."