TCP Bug Threatens Networked Computers

There's yet another uninvited guest to look out for: The Land Bug, which uses standard TCP protocols to wreak its havoc, usually in the form of a machine crash.

In the wake of the Pentium Bug a few weeks ago, yet another pesky critter has popped up with designs on crashing computers. But the Land Bug's modus operandi is not machine code inside a processor, à la the Pentium Bug. Rather, it's a more common type of attack that affects the networking stack inside an operating system, and can be easily addressed.

Posted by a user on the Bugtraq security mailing list Thursday, the new bug affects a host of operating systems, including Windows 95, Windows NT, Windows for Workgroups, Sun OS, several BSD Unix versions, and networked Macs. The bug can affect any vulnerable machine that is running an IP stack on a network, including Web servers. The bug also affects some Cisco routers, which could spell trouble for smaller ISPs that are not filtering packets going into their routers.

The Land Bug works by sending, from a host, a spoofed packet with the SYN flag set - the flag used in a "handshake" between a client and a host - to any open port that is listening. If the packet is programmed to have the same destination and source IP address, then when it is sent to a machine - via IP spoofing, for instance - the transmission can fool the machine into thinking it's sending itself a message, which in turn causes a crash.

The Land Bug is another example of how a standard Internet protocol packet can be used to crash machines hooked into a network that uses TCP/IP along with standard networking protocols. In the past, attacks like "SYN flood" and "ping of death" have used similar tactics, and observers point out that many of these vulnerabilities are just waiting to be discovered.

Security consultant Mike Diamond believes that the bug has been around for a long time and stems from the code that has been used in most of the affected operating systems. "In all likelihood, the bug seems to have been propagated from BSD Net/3 [a version of Unix networking code], because this is where most vendors derive their networking code from."

With most systems, the Land Bug will completely crash the machine. But with others, it might cause a more benign lock-up, or cause an NT machine, for example, to crawl slowly to a halt. The main consequences are the loss of unsaved work or the corruption of a program. The worst-case scenario - and indeed, the usual scenario - would be a denial of service, which is accomplished by continually sending packets and jamming a network.

An attack can be prevented, however, by filtering packets coming in from the Internet through a gateway router. Disabling IP spoofing on routers is an additional measure that could help prevent the attack. Doing so would prevent a machine from being taken down from outside the network, but the machine would still be vulnerable from inside the network.
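
The filtering described above can be sketched as a check on raw packet headers. This is an added example, not code from the Bugtraq post or any vendor: it tests only what the article describes (SYN flag set, identical source and destination IP address), and the function names, the internal network range and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

SYN = 0x02  # SYN bit in the TCP flags byte

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                        # too short, or not IPv4
    ihl = (pkt[0] & 0x0F) * 4              # IP header length; options make it > 20
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None                        # malformed, not TCP, or truncated TCP header
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, dst, sport, dport, pkt[ihl + 13]

def is_land_packet(pkt: bytes) -> bool:
    """True for a SYN segment whose source and destination IP are identical."""
    f = parse_ipv4_tcp(pkt)
    return f is not None and bool(f[4] & SYN) and f[0] == f[1]

def drop_at_gateway(pkt: bytes, internal_net: str) -> bool:
    """Ingress decision for a packet arriving on the Internet-facing interface."""
    f = parse_ipv4_tcp(pkt)
    if f is None:
        return False                       # not IPv4/TCP: left to other rules
    # A packet from outside claiming an inside source address is spoofed.
    spoofed_inside = f[0] in ipaddress.ip_network(internal_net)
    return spoofed_inside or is_land_packet(pkt)

def sample_packet(src: str, dst: str, flags: int, options: bytes = b"") -> bytes:
    """Constructed test input: bare IPv4 + TCP header bytes, checksums left zero."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 4 * ihl + 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + options + tcp

# Constructed samples using documentation address ranges (RFC 5737).
INTERNAL_NET = "192.0.2.0/24"              # assumed internal network
LAND = sample_packet("192.0.2.10", "192.0.2.10", SYN)
NORMAL = sample_packet("198.51.100.7", "192.0.2.10", SYN)
LAND_WITH_OPTIONS = sample_packet("192.0.2.10", "192.0.2.10", SYN, b"\x01" * 4)
ACK_SAME_ADDR = sample_packet("192.0.2.10", "192.0.2.10", 0x10)
```

A rule like this sees only traffic that crosses the gateway, which is why a machine remains exposed to the same packet sent from inside the network.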

After a user stumbled across the bug while hacking Windows 95, it was posted on the Bugtraq mailing list, which is administered by Elias Levy.

"This is the latest in a series of bugs in the networking code of operating systems," Levy said. "It is fairly dangerous for systems in general, but a well-managed network should not be affected by it. We should be seeing a patch from the vendors within the next couple of days. The idea is so simple, it's amazing that no one found it before."