Minutes from Vulnerabilities meeting on 3 December 1997
Attendees: Matt Bishop, Karl Levitt, Peter Mell, Steven Samorodin,
David O'Brien, Nik Joshi, Ricardo Anguiano
ADMINISTRATIVE NOTES
- Matt will have another version of the symbolic link paper for next time.
- The next meeting will be held on Tuesday, December 9th at 11am instead of
  our normal meeting time since Matt will be in San Diego next Wednesday.
ATTACKS
Synopsis of the LAND attack
Notes:
A TCP packet is uniquely defined by the 5-tuple
< SrcAddr, SrcPort, DstAddr, DstPort, Protocol >
Summary of Attack
The attack consists of sending a SYN packet with the same source and
destination address and port to a machine. In other words, linking up a
service such as the chargen port to itself. This confuses many boxes and
causes them to lock up as CPU utilization by the confused TCP stack
skyrockets.
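Added example (not part of the original minutes): a receive-side check that parses the IPv4 and TCP headers of a packet and flags the SYN described above, where source and destination address and port are equal. The function names and the sample packets (documentation addresses in 192.0.2.0/24, chargen port 19) are constructed for illustration.

```python
import socket
import struct

TCP_PROTO = 6
SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(packet: bytes):
    """Return (src, sport, dst, dport, proto, flags), or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 14 or packet[9] != TCP_PROTO:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:  # later fragment: no TCP header
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, sport, dst, dport, packet[9], packet[ihl + 13]

def is_land_syn(packet: bytes) -> bool:
    """True for an initial SYN whose source and destination address and port match."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, sport, dst, dport, _proto, flags = parsed
    return bool(flags & SYN) and not (flags & ACK) and src == dst and sport == dport

def sample_packet(src, sport, dst, dport, flags):
    """Constructed test input: bare 20-byte IPv4 + 20-byte TCP header, checksums 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    samples = [  # constructed packets, never sent anywhere
        sample_packet("192.0.2.10", 19, "192.0.2.10", 19, SYN),      # matches
        sample_packet("192.0.2.55", 40000, "192.0.2.10", 19, SYN),   # ordinary SYN
        sample_packet("192.0.2.10", 1024, "192.0.2.10", 19, SYN),    # ports differ
        sample_packet("192.0.2.10", 19, "192.0.2.10", 19, ACK),      # not a SYN
    ]
    for pkt in samples:
        print(parse_ipv4_tcp(pkt), "DROP" if is_land_syn(pkt) else "pass")
```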
Questions:
- What exactly is the problem?
  Is sending a SYN packet with SrcAddr == DstAddr and SrcPort == DstPort
  legal within the specification of the TCP protocol?
- What about the 127.0.0.1 loopback, does the attack work with this as the
  address?
- Does the attack require a flood of SYN packets or simply a single SYN
  packet?
- Will sending an RST packet fix this problem? Also do you need to know
  the sequence number to send an RST packet?
Steven Samorodin / 12-3-97