Minutes from Vulnerabilities meeting on 3 December 1997
Attendees: Matt Bishop, Karl Levitt, Peter Mell, Steven Samorodin,
David O'Brien, Nik Joshi, Ricardo Anguiano
Matt will have another version of the symbolic link paper for next time.
The next meeting will be help on Tuesday, December 9th at 11am instead of
our normal meeting time since Matt will be in San Diego next Wednesday.
Synopsis of the LAND attack
A TCP packet is uniquely defined by the 5-tuple
< SrcAddr, SrcPort, DstAddr, DstPort, Protocol >
Summary of Attack
The attack consists of sending a SYN packet with the same source and
destination address and port to a machine. In other words linking up a
service such as the chargen port to itself. This confuses many boxes and
causes them to lock up as CPU utilization by the confused TCP stack
What exactly is the problem?
Is sending a SYN packet with SrcAddr == DstAddr and SrcPort == DstPort
legal within the specification of the TCP protocol.
What about the 127.0.0.1 loopback, does the attack work with this as the
Does the attack require a flood of SYN packets or simply a single SYN
Will sending an RST packet fix this problem? Also do you need to know
the sequence number to send an RST packet?
Steven Samorodin / 12-3-97