Bug threatens Net software

A new bug cast across the Net could wreak havoc on unprotected systems that use certain software to handle communications based on IP, the dominant Web protocol.

A new bug disseminated across the Net could wreak havoc on unprotected systems that use certain software to handle communications based on IP (Internet protocol), the dominant Web protocol.

The systems open to attack from the software code, called "land c" or "Land Attack," include desktops, servers, and internetworking devices running certain operating systems (OS). Among the popular packages sensitive to the hacker code are: versions of Microsoft Windows NT; versions of SunOS, the precursor to Solaris, from Sun Microsystems; and versions of IOS, the routing software for the hardware from Cisco Systems, as well as its switch-based software counterpart for the popular Catalyst line.

Microsoft will issue fixes by this evening for Windows NT Workstation and Server, as well as Windows 95, all of which are vulnerable to the bug, according to the company. A bulletin from the company explaining the issue to customers also is available on Microsoft's security-focused site.

Land Attack reportedly can crash Windows 95 machines, but NT machines only experience slowdowns due to the code.

"Obviously, this isn't a Microsoft-only problem, it's a pretty big problem," said Jason Garms, a product manager at Microsoft.

An enhanced version of the "land c" code also has been posted on sites devoted to hacker-style software. The enhancement, called "latierra c," reportedly works better against specific Windows NT-based systems that have installed Microsoft's third service pack for the OS, though Microsoft executives said the patch would fix both types of attacks.

Cisco executives also said the code could wreak havoc on many of their customers if they are unprotected. "It is fairly disruptive to a company's business," the company's director of customer assurance Mike Quinn said.

Cisco's equipment, which is used on more than 80 percent of the Net, according to internal estimates, could be at risk if a router is placed outside a firewall or sits unprotected within an intranet, open to attacks from internal sources. A lab at Cisco worked through Thanksgiving Day to produce fixes for the company's full line of routing software.

The company encouraged all customers to download the fixes. "We deem it as something that should be done," Quinn said.

Quinn did say that it would be very unlikely that the code could bring down a portion of the Net, since the attack is a variation of "SYN" code released last year and not a brand new issue.

It should be noted that Land Attack is not limited to traditional computers. Network-attached printing devices, for example, also could be susceptible to the code.

Security experts cautioned that the wayward code, authored by someone calling themselves "Meltman," can be easily defused with appropriate monitoring tools. And only certain OS software is vulnerable to attack.

"We've seen things very similar to this, and we know how to protect this, mostly," said Ted Doty, program manager for Internet attacks and vulnerabilities for Internet Security Systems, an Atlanta, Georgia-based software company that also serves as a watchdog for many Net-based software attack tools.

The code essentially acts like typical "denial of service" hacker software code. An unprotected system can be the subject of an attack through a single "SYN" packet, which is used to open a connection to the desktop, server machine, or networking device the hacker wants to disable.

That packet deceives a computer using a "spoofing" mechanism that makes it appear that the packet is coming from the same system it is addressed to, creating a loop that will eventually crash the machine.

The stray code can be spotted through installation of a packet filter at different interconnection points--including Net access junctures--on a network, according to security experts.
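The check such a packet filter would apply, shown as an added example that is not from the original article or any vendor: it flags a TCP SYN packet whose source address equals its destination address. The function names and the sample packets (documentation addresses, built in memory only) are assumptions made for illustration.

```python
import socket
import struct

TCP_PROTO = 6
SYN_FLAG = 0x02

def classify(packet: bytes) -> str:
    """Return 'drop', 'pass' or 'malformed' for one raw IPv4 packet."""
    if len(packet) < 20:
        return "malformed"
    if packet[0] >> 4 != 4 or packet[9] != TCP_PROTO:
        return "pass"  # only IPv4 TCP is examined here
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset:
        return "pass"  # later fragment carries no TCP header to inspect
    if ihl < 20 or len(packet) < ihl + 14:
        return "malformed"  # too short to reach the TCP flags byte
    same_host = packet[12:16] == packet[16:20]  # source == destination
    syn = bool(packet[ihl + 13] & SYN_FLAG)
    return "drop" if same_host and syn else "pass"

def sample_packet(src: str, dst: str, flags: int) -> bytes:
    """Constructed IPv4+TCP headers for exercising classify(); never sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Constructed samples using documentation addresses (192.0.2.0/24).
    for src, dst, flags in [("192.0.2.10", "192.0.2.10", 0x02),
                            ("192.0.2.20", "192.0.2.10", 0x02),
                            ("192.0.2.10", "192.0.2.10", 0x10)]:
        print(src, dst, hex(flags), classify(sample_packet(src, dst, flags)))
```

Truncated packets are reported as malformed rather than passed, so the caller can decide how strictly to treat them.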

"We see a real division on this one," Doty said. "Either a computer system is very vulnerable or it's not vulnerable, even a little bit."

For example, version 3.0 of IBM's AIX flavor of Unix is reportedly vulnerable to the attack while later versions are not.

Doty urged customers to check with their respective vendor concerning Land Attack and whether there will be software patches forthcoming. Cisco, for one, has posted details of the bug and what customers can do to combat it in response. In some cases, the company said it would issue patches to fight the hacker code.

Doty said he had not heard of many systems crashing due to the Land Attack bug since the code was posted toward the end of last month. "Don't panic, take a logical, structured approach toward fixing it," Doty cautioned.