Brief Description: Sending a SYN packet to a host with the same source and destination address (including port) causes the system to hang
Detailed Description: Certain TCP/IP implementations are vulnerable to packets that have the same source and destination address (IP address and port number). The best known version is where a SYN packet has a source address and port the same as the destination.
Component(s): TCP/IP implementation
Operating System(s): Microsoft Windows 95 (verified)
Other Information: The system being attacked must be reachable using TCP/IP.
Effects:The system hangs.
Detecting the Vulnerability:
* Spoof a packet with the source and destination address of your system and send it to your system.
Fixing the Vulnerability:
* You need to patch the kernel. Contact your vendor asking for the right patch.
* Block IP-spoofed packets by filtering outgoing packets that have a source address different from that of your internal network. A detailed description of this type of filtering is available at: Ingress Filtering (http://ds.internic.net/internet-drafts.draft-ferguson-ingress-filtering-03.txt)
Attack Methods or Tools: Not provided.
Advisories and Other Alerts: CIAC Advisory I-36, "FreeBSD Denial-of-Service LAND Attacks" (3/16/98) (http:// ciac.llnl.gov/ciac/bulletins/i-036.shtml); CERT Advisory CA-97.28, "IP Denial-of-Service Attacks" (12/16/97) (http:/ /cert.org/cert/advisories/CA-97.28.html)
Related Vulnerabilities: none.
First Report We Know Of: by Meltman (meltman@LAGGED.NET), date Bugtraq mailing list, in Thu, 20 Nov 1997 19:40:19 -0500
Revisions of Database Record
1. Matt Bishop(June 10, 1998): Entered into Doves.