FW: Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices

  • Subject: FW: Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices
  • From: Barry Raveendran Greene <bgreene at cisco dot com>
  • Date: Sun, 23 Nov 1997 13:49:22 +0800
  • Organization: Cisco Systems - Corporate Consulting Group
  • Reply-to: "bgreene@cisco.com" <bgreene@cisco.com>
  • Sender: owner-apops@apnic.net
    • [Note: People started to post the source and characteristics of this attack 
      publicly on NANOG. So the source is now outside of the underground hackers 
      community to the entire Internet operations community. Hence, Cisco is 
      posting this to all the ISP Operations lists.]
      Hello All,
      Another nasty piece of DoS (Denial of Service) code. As you can see below, 
      we're working on it in Cisco, but check with ALL your other equipment and 
      software vendors (networking, security, workstation, clients, etc.).
      As stated below, anti-spoofing filters on the ISPs border routers can 
      minimize risk. If you do not have anti-spoofing filters in place, please 
      E-mail me privately and I can help (it is strongly advised to have 
      anti-spoofing filters in place). Also, it is strongly encouraged that ISPs 
      place ingress filters on their network to prevent your customers from being 
      one of the problems on the Internet. I can also help ISPs to get ingress 
      filters designed into their architecture.
      -----Original Message-----
      From:	John Bashinski [SMTP:jbash at cisco dot com]
      Sent:	Saturday, November 22, 1997 6:38 AM
      To:	bugtraq at netspace dot org; cisco at spot dot colorado dot edu; first-teams at first dot org; 
      nanog at merit dot edu
      Cc:	psirt at cisco dot com; psiac at cisco dot com; sales at cisco dot com; sales-eng at cisco dot com; 
      ce-group at cisco dot com; field-alert-ext at cisco dot com
      Subject:	Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices
      Field Notice:
      TCP loopback DoS Attack (land.c) and Cisco Devices
      November 21, 1997, 14:00 AM US/Pacific, Revision 1
      --------------------------------------------------------
      Somebody has released a program, known as land.c, which  can be used to
      launch denial of service attacks against various TCP implementations. The
      program sends a TCP SYN packet (a connection initiation), giving the target
      host's address as both source and destination, and using the same port on
      the target host as both source and destination.
      Classic IOS software (used on Cisco routers with product numbers greater
      than 1000, on the CGS/MGS/AGS+, and on the CS-500) is moderately vulnerable
      to this attack.  For some IOS versions, if the attack is launched against a
      TCP port that is actually listening (say the TELNET port), then invalid
      connection data will be created, preventing further legitimate connections
      for approximately 30 seconds. High CPU loads may result on some IOS
      versions. We observed a complete hang on one 11.5 system, but have been
      unable to reproduce that failure. Based on very preliminary data, the
      router's packet forwarding functions are not generally affected.
      IOS/700 (used on Cisco 7xx routers) is also vulnerable. The  7xx
      vulnerability is more devastating than the classic IOS vulnerability, but
      probably less dangerous for most customers, since firewalls separate most
      7xx routers from the Internet.
      The PIX firewall does not appear to be affected. Initial testing of
      the Centri firewall tends to indicate that it is not affected.
      We're working on characterizing other products' vulnerability to attack.
      Updates will be issued as information becomes available.
      Who is Affected
      ---------------
      All IOS and IOS/700 systems that can be reached via TCP from untrusted hosts
      are affected, provided that the reachable TCP ports are ports on which IOS
      ordinarily provides service. The attack requires spoofing the target's own
      address, so systems behind effective anti-spoofing firewalls are safe.
      ----
      Classic IOS systems may experience slowdowns while under active attack. On
      IOS software versions earlier than 11.2(4), new TCP connections will fail
      for a period of about 30 seconds after any attack packet is received. IOS
      versions later than 11.2(4), or that contain the fix for bug ID CSCdi87533,
      may experience slowdowns, but should continue to accept new TCP connections.
      Most IOS versions appear to recover completely within a few minutes of the
      attack stopping, but we have not yet fully characterized the effect on all
      IOS versions. One complete failure was observed; the version was 11.1(5).  A
      configuration workaround for classic IOS can prevent the problem entirely,
      subject to performance restrictions.
      IOS/700 systems subjected to the attack will hang indefinitely and must be
      physically reset.  A configuration workaround for IOS/700 can prevent the
      problem entirely.
      Initial tests indicate that the PIX firewall is not vulnerable to this
      attack. Tests have been conducted with version and 4.0.7.
      Initial tests indicate that the Centri firewall (build 4.110) is not
      vulnerable to this attack with no exposed service configured. We have not
      yet tested the Centri product with exposed services.
      Workaround for Classic IOS
      --------------------------
      Classic IOS users can use input access lists on their interfaces to prevent
      the attack packets from entering their TCP stacks. This will prevent the
      attack entirely, but may have unacceptable performance impacts on heavily
      loaded high-end routers. Traffic will still be fast-switched, but
      higher-speed switching modes may be disabled. It should be tried with care.
      If you have no existing input access lists, create a new IP extended access
      list. Use a presently-unused number between 100 and 199. The access list
      must have an entry for each of the IP addresses configured on the system.
      Deny packets from each address to itself.  For example:
          access-list 101 deny tcp
          access-list 101 deny tcp
          access-list 101 permit ip
      If you have existing access lists, you'll need to merge the new entries in
      an appropriate way, generally at the top of the list. The access list should
      be applied incoming on all interfaces, so a fragment of a total router
      configuration might look like this:
          interface ethernet 0
          ip address
          ip access-group 101 in
          interface ethernet 1
          ip address
          ip access-group 101 in
          access-list 101 deny tcp
          access-list 101 deny tcp
          access-list 101 permit ip
      Workaround for IOS/700
      ----------------------
      Add the following configuration command to any profile that may be active
      when connected to a potentially hostile network:
      set ip filter tcp in source <7xx IP address> destination <7xx IP address> 
      Using Cisco Products to Protect Other Systems
      ---------------------------------------------
      We do not believe that this attack can be used against systems behind our
      dedicated firewall products, the PIX and Centri firewalls, unless
      general-purpose tunnels have been enabled through the firewalls.
      Properly designed anti-spoofing access lists at border routers can be used
      to prevent the attack from entering a private network from the Internet. Use
      the access lists to filter out packets whose IP source addresses are on your
      internal net, but which are arriving from interfaces connected to the
      outside Internet.
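      The two checks the notice describes, the land.c packet signature (a TCP
      SYN whose source and destination address and port are identical) and the
      border-router anti-spoofing rule (drop packets arriving on the outside
      interface that claim an internal source), written out as an added example.
      This is not Cisco's code; the router address 192.0.2.1, the 192.0.2.0/24
      internal prefix and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Constructed values (hypothetical): the router's own address and the
# prefixes a border router would treat as "internal" for ingress filtering.
ROUTER_IP = "192.0.2.1"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def sample_tcp_syn(src_ip, dst_ip, src_port, dst_port):
    """Build raw IPv4+TCP SYN header bytes as a parser fixture (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    # data offset 5 words (0x50), flags byte 0x02 = SYN, window 8192
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, src_port, dst_port, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 14:      # protocol 6 = TCP
        return None
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return src, dst, sport, dport, flags


def is_land_packet(pkt):
    """land.c signature: SYN with source == destination for both address and port."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    src, dst, sport, dport, flags = hdr
    return src == dst and sport == dport and bool(flags & 0x02)


def ingress_should_drop(pkt, arrived_on_external):
    """Anti-spoofing rule from the notice: a packet arriving from the outside
    interface whose source address is one of our internal addresses is dropped."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    src = ipaddress.ip_address(hdr[0])
    return arrived_on_external and any(src in net for net in INTERNAL_NETS)
```

      Because a land packet necessarily carries the target's own address as its
      source, the anti-spoofing rule catches it at the border even where the
      per-box access list has not been applied.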
      Exploitation and Public Announcements
      -------------------------------------
      Cisco has had multiple reports of this vulnerability.
      Most exploitation seems to be using the original program, which sends one
      packet at a time. Floods of invalid packets have not been reported.
      This issue has been widely discussed in a variety of Internet fora.
      Cisco first heard of this problem on the morning of Friday, November 21.
      Distribution of this Notice
      ---------------------------
      This notice is being sent to the following Internet mailing lists and
         * cisco at spot dot colorado dot edu
         * comp.dcom.sys.cisco
         * bugtraq at netspace dot org
         * first-teams at first dot org (includes CERT/CC)
         * nanog at merit dot edu
      Updates will be sent to some or all of these, as appropriate.
      This notice will be posted in the "Field Notices" section of Cisco's
      Worldwide Web site, which can be found under "Technical Tips" in the
      "Service and Support" section. The URL will be
      The copy on the Worldwide Web will be updated as appropriate.
      Cisco Security Procedures
      -------------------------
      Please report security issues with Cisco products to
      security-alert at cisco dot com.
      This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
      redistributed freely provided that redistributed copies are complete and
      unmodified, including all date and version information.