20 December 1997: Add news report on land.c author, just below, and CIAC
Bulletin on Denial-of-Service Attacks at the end of this document.

 Teenage hacker tells his side of land attack story 

 December 19, 1997


 Network World: Montreal It was "Meltman" who wrote Land Attack, the 
 denial-of-service attack code that has been blowing up routers, servers
 and desktop computers since it was posted on the Internet right before
 Thanksgiving. 

 Technicians at Cisco Systems, Inc., like many others in the network industry,
 have been busy coping with the fallout from Land Attack and would love to get
 their hands on the havoc-wreaking Meltman. But despite his ominous moniker, in
 reality Meltman is a 16-year-old Montreal high-school student named Hugo Breton.
 And though Breton does have regrets about releasing his land.c code to the public,
 he warned that there are bound to be more such bombshells until the network
 industry gets a lot smarter about security. 

 ``Network equipment should not be vulnerable to something like Land Attack,'' said
 Breton, who also uses the moniker ``M3lt'' in some of the Usenet groups and chat
 rooms which form a kind of watering hole where hackers and security
 professionals uneasily coexist on the Internet. 

 Officially known as land.c code, Land Attack works by tricking the targeted
 machine into trying to set up a TCP session with itself. If the machine falls for this
 form of IP spoofing, it goes into a TCP closed loop and has to be physically
 rebooted. 

 A number of security experts, including Chris Klaus, chief technology officer at
 Internet Security Systems, Inc., agree there is no reason a machine would want to
 talk to itself like this. Systems should be designed to prevent such attacks. 

 Breton said that when he released Land Attack on the bugtraq Usenet group, he
 was only aware it would make Windows 95 computers hang up. He
 even messaged Microsoft Corp. about it. 

 ``I can't even use land.c because my service provider in Canada, Videotron.net,
 prevents IP spoofing,'' Breton said. ``I admit releasing the bug into the public
 wasn't the most responsible thing to do. Land.c is spreading.'' 

 Indeed, it is being used to crash small hosts and as a weapon on Internet Relay
 Chat (IRC) channels. ``The IRC is like a shooting range,'' and people are using
 Land Attack to blow each other off ``in channel wars,'' he said. 

 Breton said he also now is being bombarded with a huge amount of ``hate mail and
 love mail. The hate mail is from systems administrators. They're calling me
 `stupid,' `dumb,' an `ass - - - -.' '' The love mail seems mainly to be from denizens
 of the Internet who have more destructive tendencies. 

 Breton said he decided to post land.c because he thought the information about the
 security vulnerability eventually would leak, and he wanted to take credit for the
 discovery. 

 In retrospect, Breton said maybe he should have gone to the newly formed
 Canadian Computer Emergency Response Team, an organization that, like its U.S.
 counterpart, tries to provide help in handling security incidents. 

 To Breton, the impact of Land Attack is clear in one way: ``Perhaps this made
 some people realize they can be the target of such attacks. Some people need to
 wake up; this kind of attack shouldn't even happen.'' 

 For Cisco, whose routers and switches were vulnerable to land.c, the learning
 process has been painful. 

 Mike Quinn, Cisco's director of customer assurance who heads a security SWAT
 team, said Cisco personnel worked around the clock through Thanksgiving to
 isolate the problem, test equipment and work on fixes. 

 Cisco sent e-mail alerts to its customers and provided details about the situation on
 its Web site, though a few mistakes in testing land.c caused Cisco to say some
 switches were not vulnerable. Cisco quickly corrected the misstatements. 

 Last week, Cisco had finished creating fixes for most of its product line.
 Fortunately, Cisco firewalls apparently are not vulnerable to Land Attack. 

 Network managers who want to obtain the router and switch fixes can get them
 through the Cisco Connection Online. 

----------

6 December 1997: Add 3 Dec 97 message on system vulnerabilities.

4 December 1997, Network World:

 Hackers Out for IP Blood with New Land Attack 

 The Internet underworld last week unsheathed a new weapon capable of knocking 
 out IP-based routers and servers, sending vendors scrambling to find ways to 
 safeguard their gear. 

 Land Attack, officially known as land.c program code, was posted on the Net by
 someone called "Meltman" and used last week in attacks on Cisco Systems, Inc.
 routers and Unix and Windows NT servers. Some of the targeted machines were
 slowed to a crawl, while others had to be rebooted. 

 Land Attack represents a new twist on the dreaded "TCP SYN flooding"
 denial-of-service attack in which a hacker ties up a port on a network device or
 causes it to crash by flooding it with unwanted synchronization (SYN) packets. 

 The SYN packets are used to establish network connections in a three-way
 synchronize-acknowledge (SYN-ACK) handshake needed to set up a Web, telnet,
 File Transfer Protocol or Simple Mail Transfer Protocol session. 

 But unlike TCP SYN flooding, Land Attack sends out just one sinister SYN packet
 in which the sending device's IP address has been swapped out for the IP address
 of the destination machine. When the destination machine tries to acknowledge
 receipt of the transmission, it ends up using its own address, which means it sends
 the message back to itself, resulting in a potentially fatal loopback condition. "If
 someone could find a way to use this Land Attack program to spread this across
 the Internet, it could cause major service disruptions," said Chris Klaus, chief
 technology officer at Internet Security Systems, Inc., whose software is aimed at
 detecting network-based intrusions and attacks. 

 After some quick testing with Land Attack, vendors rapidly issued a long and
 unofficial list of network gear determined to be "vulnerable" or "not vulnerable"
 to anything ranging from 60-second slowdowns to total collapse. 

 While Proteon, Inc. network gear and Hewlett-Packard Co. Unix machines
 appeared on the clean list, the news was not as good for Cisco routers, which
 form the heart of the Internet. 

 Cisco, which received multiple reports that its routers were targeted, issued a
 general alert informing users that land.c can be used to launch denial-of-service
 attacks against Classic IOS software used on Cisco routers with product numbers
 greater than 1000. 

 It also listed software on its CGS/MGS/AGS+ and the CS-500 gear as vulnerable. 

 The company said the effect on the Cisco IOS/700 software used on Cisco 7xx
 routers "is more devastating than the Classic IOS software." But it went on to say
 that most customers use firewalls to separate 7xx routers from the Internet,
 minimizing the threat. 

 The company said the Cisco Catalyst 5000 LAN switches also are vulnerable, but
 they can be safeguarded by removing their IP addresses. This, however, has the
 effect of disabling remote management, Cisco noted. The company added that the
 Cisco PIX firewall "appears not to be affected." 

 As of press time, Cisco had issued patches for some, but not all, of its gear. It
 advised users to visit www.cisco.com for field alerts on Land Attack. 

 Microsoft Corp., whose Windows 95 and NT operating systems made the
 "vulnerable" list, downplayed the extent of the damage caused by Land Attack. 

 "We tested NT 4.0 with our Service Pack 3, and Land Attack just slows it down
 for 60 seconds and then resumes normal operations," said Karan Khanna, Microsoft
 product manager for NT. Microsoft planned to issue a patch by today. 

 Sun Microsystems, Inc., whose Solaris boxes generally were listed as not
 vulnerable, did get a vulnerable rating for SunOS 1.4 and SunOs 1.4. A Sun
 spokesman said the company was not aware of the security uproar surrounding
 Land Attack. 

----------

 4 December 1997, Business Wire:

 WheelGroup Announces Security Solution for Dangerous New Land and
 Teardrop Internet Attacks

 San Antonio -- WheelGroup Corporation has developed a solution to protect 
 networks from the recently publicized "Land" and "Teardrop" Internet attacks 
 by leveraging its best-of-breed NetRanger intrusion detection system. Both 
 the Land and Teardrop attacks primarily target IP-based routers and servers, 
 including Unix and Windows NT servers. Both also can be classified as 
 "denial-of-service" attacks, which can temporarily disable key servers or 
 entire networks, and present a particularly onerous problem to e-commerce 
 sites, Internet Service Providers (ISPs), and other organizations which 
 depend on mission-critical networks. 

 WheelGroup's Countermeasures and Research group has identified and tested
 solutions to both of these new attacks using the company's flagship NetRanger
 intrusion detection and network security management system. As a result,
 WheelGroup is currently in the process of deploying the newly developed
 countermeasures to NetRanger systems at commercial and military customer sites
 worldwide. 

 Because NetRanger looks into the data stream of a network connection and
 analyzes the content and context of the individual packet payloads and headers, the
 system is able to analyze inbound and outbound data at an extremely high level of
 granularity, without significant effects on performance. Unlike traditional security
 systems, NetRanger can search for network misuse -- in real-time -- even within
 authorized activity, such as seemingly legitimate telnet or FTP sessions. When
 NetRanger detects unauthorized activity, like the inherent characteristics of Land
 and Teardrop attacks, it sends an alarm with details and analysis of the attack to a
 central management system. NetRanger can also quickly eliminate the attack
 several different ways, including dynamically reconfiguring the Access Control
 Lists (ACLs) on Cisco routers. This enables NetRanger to permanently block the
 attacker from accessing the network in the future. 

 "Much of the publicity regarding the Land attack has focused on its potential use
 against perimeter routers and key network servers. As a result, most
 network-intensive organizations and ISPs, in particular, may be concerned," said
 Dave King, WheelGroup's Vice President for Marketing. "Since NetRanger works
 in conjunction with a wide-range of network devices and can quickly stop these
 attacks, WheelGroup can provide a robust, effective security solution for the vast
 majority of the networking systems in the market." 

 About the attacks: 

 The Land attack -- named after a program "land.c," which implements it -- can
 cause a computer or network device to crash or lose service for a period of time.
 The attack, a derivative of "IP spoofing," involves sending a machine an Internet
 Protocol (IP) packet that claims to come from the destination machine itself.
 When the machine attempts to acknowledge the packet, it responds to itself and
 thereby sets up a continuous loop. This looping results in a packet storm that can
 cause the machine to crash or to suffer massive performance delays. 

 The Teardrop attack involves creating and sending IP packets that are fragmented
 in such a way as to exploit an arithmetic error in the software that reassembles
 packet fragments. By sending these malformed packets, the attacker causes an
 extremely large amount of data to be copied into memory that usually causes the
 machine to crash. 

 "New attacks are generated on a frequent basis," said Kevin Ziese, Director of
 Research and co-founder of WheelGroup Corporation. "By maintaining a constant
 watch on network activity and leveraging the dynamic updating capabilities of
 NetRanger, we are committed to ensuring our customer base has the ability to
 counter even the newest of threats." 

 More information about WheelGroup's security technology, professional services, 
 and strategic relationships may be obtained via the Internet at 
 http://www.wheelgroup.com . 

----------

Re: land.c

From           forcer@mynock.org (forcer)
Organization   UPM - United Penguins and Mynocks
Date           3 Dec 1997 20:54:40 GMT
Newsgroups     de.comp.os.linux.misc


On Wed, 03 Dec 1997 20:01:49 +0100, Oliver Wahlen
<oliver.wahlen@post.rwth-aachen.de> wrote:
>Hi,
>I read the following article on a mailing list. I would be interested to
>know whether anyone has already let land.c loose on a Linux system.
>Maybe someone can post the source code here (if it is not too big).
>Otherwise I would appreciate an email to that effect.
>
You can have the source from me, but it is not particularly hard either
if you know C ;)
I'm not posting it here because too many systems are at risk from it *g*
Oh, and Linux sends a correct RST, and that's it, nothing happens.

I did once see a "vulnerable" list on a mailing list, though...
here:
------------------------
This is the last "LAND" update. I will not post any more. This list is not
meant to be comprehensive nor accurate. For an accurate assessment of the
risk to your IP stack contact your vendor.

Cisco Field Notice: TCP Loopback Denial-of-Service Attack and Cisco Devices
http://www.cisco.com/warp/public/770/land-pub.shtml

Read "Network Ingress Filtering: Defeating Denial of Service Address Spoofing"
ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt

The survey says:

AIX 3                                   IS  vulnerable
AIX 3.2                                 NOT vulnerable
AIX 4                                   NOT vulnerable
AIX 4.1                                 NOT vulnerable
AIX 4.2.1                               NOT vulnerable
AmigaOS AmiTCP 4.0demo                  NOT vulnerable
AmigaOS AmiTCP 4.2 (Kickstart 3.0)      IS  vulnerable
AmigaOS Miami 2.0                       NOT vulnerable
AmigaOS Miami 2.1f                      NOT vulnerable
AmigaOS Miami 2.1p                      NOT vulnerable
AmigaOS Miami 2.92c                     NOT vulnerable
BeOS Preview Release 2 PowerMac         IS  vulnerable
BSDI 2.0                                IS  vulnerable
BSDI 2.1 (vanilla)                      IS  vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)   NOT vulnerable
BSDI 3.0                                NOT vulnerable
DG/UX R4.12                             NOT vulnerable
Digital UNIX 3.2c                       NOT vulnerable
Digital UNIX 4.0                        NOT vulnerable
Digital VMS ???                         IS  vulnerable
FreeBSD 2.1.6-RELEASE                   NOT vulnerable
FreeBSD 2.2.2-RELEASE                   NOT vulnerable
FreeBSD 2.2.5-RELEASE                   IS  vulnerable
FreeBSD 2.2.5-STABLE                    IS  vulnerable (fixed)
FreeBSD 3.0-CURRENT                     IS  vulnerable (fixed)
HP External JetDirect Print Servers     IS  vulnerable
HP-UX 9.03                              NOT vulnerable
HP-UX 10.01                             NOT vulnerable
HP-UX 10.20                             NOT vulnerable
IBM AS/400 OS7400 3.7                   IS  vulnerable (100% CPU)
IRIX 5.2                                IS  vulnerable
IRIX 5.3                                IS  vulnerable
IRIX 6.2                                NOT vulnerable
IRIX 6.3                                NOT vulnerable
IRIX 6.4                                NOT vulnerable
Linux 1.2.13                            NOT vulnerable
Linux 2.1.65                            NOT vulnerable
Linux 2.0.30                            NOT vulnerable
Linux 2.0.32                            NOT vulnerable
MacOS MacTCP                            IS  vulnerable
MacOS OpenTransport 1.1.1               NOT vulnerable
MacOS 7.1p6                             NOT vulnerable
MacOS 7.5.1                             NOT vulnerable
MacOS 7.6.1 OpenTransport 1.1.2         IS  vulnerable (not a complete lockup)
MacOS 8.0                               IS  vulnerable (TCP/IP stack crashed)
MVS OS390 1.3                           NOT vulnerable
NetApp NFS server 4.1d                  IS  vulnerable
NetApp NFS server 4.3                   IS  vulnerable
NetBSD 1.1                              IS  vulnerable
NetBSD 1.2                              IS  vulnerable
NetBSD 1.2a                             IS  vulnerable
NetBSD 1.2.1                            IS  vulnerable (fixed)
NetBSD 1.3_ALPHA                        IS  vulnerable (fixed)
NeXTSTEP 3.0                            IS  vulnerable
NeXTSTEP 3.1                            IS  vulnerable
Novell 4.11                             IS  vulnerable (100% CPU for 30 secs)
OpenBSD 2.1                             (conflicting reports)
OpenBSD 2.2                             NOT vulnerable
OpenVMS 7.1 with UCX 4.1-7              IS  vulnerable
OS/2 3.0                                NOT vulnerable
OS/2 4.0                                NOT vulnerable
QNX 4.24                                IS  vulnerable
Rhapsody Developer Release              IS  vulnerable
SCO OpenServer 5.0.2 SMP                IS  vulnerable
SCO OpenServer 5.0.4                    IS  vulnerable (kills networking)
SCO Unixware 2.1.1                      IS  vulnerable
SCO Unixware 2.1.2                      IS  vulnerable
Solaris 2.4                             NOT vulnerable
Solaris 2.5.1                           NOT vulnerable
Solaris 2.5.2                           NOT vulnerable
Solaris 2.6                             NOT vulnerable
SunOS 4.1.3                             IS  vulnerable
SunOS 4.1.4                             IS  vulnerable
Ultrix ???                              NOT vulnerable
Windows 95 (vanilla)                    IS  vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE     IS  vulnerable
Windows NT (vanilla)                    IS  vulnerable
Windows NT + SP3                        IS  vulnerable
Windows NT + SP3 + simptcp-fix          IS  vulnerable

Some misc stuff:

3Com Accessbuilder 600/700              NOT vulnerable
3Com LinkSwitch 1000                    NOT vulnerable
3Com OfficeConnect 500                  NOT vulnerable
3Com SuperStack II Switch 1000          IS  vulnerable
Adtran TSU Rack                         NOT vulnerable
Apple LaserWriter                       IS  vulnerable
Ascend 4000 5.0Ap20                     NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16          NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13          NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R) NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router     IS  vulnerable
Cisco Classic IOS < 10.3, early 10.3, 11.0, 11.1, and 11.2 IS vulnerable
Cisco IOS/700                           IS  vulnerable
Cisco Catalyst                          IS  vulnerable
Digital VT1200                          IS  vulnerable
Farallon Netopia PN440                  NOT vulnerable
HP Envizex Terminal                     IS  vulnerable
LaserJet Printer                        NOT vulnerable
Livingston Office Router (ISDN)         IS  vulnerable
Livingston PM ComOS 3.3.3               NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2      NOT vulnerable
Livingston PM ComOS 3.7L                NOT vulnerable
Livingston PM ComOS 3.7.2               NOT vulnerable
Livingston Enterprise PM 3.4 2L         NOT vulnerable
Livingston T1/E1 OR                     IS  vulnerable
Milkyway Blackhole Firewall 3.0 (SunOS) IS  vulnerable
Milkyway Blackhole Firewall 3.02(SunOS) IS  vulnerable
NCD X Terminals, NCDWare v3.1.0         IS  vulnerable
NCD X Terminals, NCDWare v3.2.1         IS  vulnerable
Netopia PN440 v2.0.1                    IS  vulnerable
Proteon GT60                            NOT vulnerable
Proteon GT60Secure                      NOT vulnerable
Proteon GT70                            NOT vulnerable
Proteon GT70Secure                      NOT vulnerable
Proteon GTAM                            NOT vulnerable
Proteon GTX250                          NOT vulnerable
Proteon RBX250                          NOT vulnerable
Sonix Arpeggio                          NOT vulnerable
Sonix Arpeggio +                        NOT vulnerable
Sonix Arpeggio Lite                     NOT vulnerable

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

        -forcer

-- 
/* Software is like sex; it's better when it's free - Linus Torvalds      */
/* email:  forcer@mindless.com.nospam   www: http://www.forcer.base.org/  */
/* IRC: forcer (IRCnet #StarWars)       pgp: pub  2048/191585A9           */

-----------------------------------------------------------------------------

20 December 1997:

Date: Fri, 19 Dec 1997 13:50:56 -0800 (PST)
From: CIAC Mail User <ciac@tholia.llnl.gov>
To: ciac-bulletin@tholia.llnl.gov
Subject: CIAC Bulletin I-019:Tools Generating IP Denial-of-Service Attacks

[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Tools Generating IP Denial-of-Service Attacks

December 16, 1997 18:00 GMT                                       Number I-019
______________________________________________________________________________
PROBLEM:       Information has been received that two tools (Teardrop and
               Land) which exploit vulnerabilities in the TCP/IP protocol are
               being used to cause denial-of-service attacks.
PLATFORM:      Any platform using the TCP/IP protocol may be vulnerable. Check
               the vendor list included in this bulletin.
DAMAGE:        Use of these tools (Teardrop and Land) enables a remote user to
               launch a denial-of-service attack.
SOLUTION:      Apply either the patches or the workaround included in the
               bulletin.
VULNERABILITY  Attacks using these tools have been reported.
ASSESSMENT:

______________________________________________________________________________
CIAC IS AWARE OF THE DISCUSSION ON BUGTRAQ REGARDING LINUX AND THIS
VULNERABILITY.  WE HAVE CHOSEN TO SEND THIS ADVISORY AS DISTRIBUTED.
IT WILL BE UPDATED IF ANY OF THE ENCLOSED INFORMATION CHANGES.
______________________________________________________________________________

[ Start of CERT/CC Advisory ]
- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.28
Original issue date: Dec. 16, 1997

Last revised: December 16, 1997 - Added vendor information for Digital
              Equipment Corporation and Hewlett-Packard.

              A complete revision history is at the end of this file.

Topic:  IP Denial-of-Service Attacks
- - ----------------------------------------------------------------------------

The CERT Coordination Center has received reports of two attack tools
(Teardrop and Land) that are being used to exploit two vulnerabilities in the
TCP/IP protocol. Both tools enable a remote user to cause a denial of service.

The CERT/CC team recommends installing patches from your vendor. Until you are
able to do so, we urge you to use the workaround described in Section
III.B. to reduce the likelihood of a successful attack using Land. There is
no workaround for Teardrop.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your
site.

- - ----------------------------------------------------------------------------

I. Description

     In recent weeks there has been discussion on public mailing lists about
     two denial-of-service attack tools, Teardrop and Land. These attack tools
     have similar effects on some systems (namely, causing the victim machine
     to crash), but the tools exploit different vulnerabilities.

     The CERT Coordination Center has received several reports of sites being
     attacked by either one or both of these tools. It is important to note
     that it may be necessary for a system administrator to apply separate
     patches, if they exist, for each attack tool.

     Topic 1 - Teardrop

     Some implementations of the TCP/IP IP fragmentation re-assembly code do
     not properly handle overlapping IP fragments. Teardrop is a widely
     available attack tool that exploits this vulnerability.

     Topic 2 - Land

     Some implementations of TCP/IP are vulnerable to packets that are crafted
     in a particular way (a SYN packet in which the source address and port
     are the same as the destination--i.e., spoofed). Land is a widely
     available attack tool that exploits this vulnerability.

II.  Impact

     Topic 1 - Teardrop

     Any remote user can crash a vulnerable machine.


     Topic 2 - Land

     Any remote user that can send spoofed packets to a host can crash or
     "hang" that host.


III. Solution

     CERT/CC urges you to immediately apply vendor patches if they are
     available. You may have to apply different patches for each attack tool.

     You may want to use the workaround for Land, so please review
     both Sections A and B below.

    A. Consult your vendor

       Appendix A contains information from vendors who provided input for
       this advisory. We will update the appendix as we receive more
       information. If you do not see your vendor's name, the CERT/CC did not
       hear from that vendor. Please contact your vendor directly.

       It is important to note that you may have to apply different
       patches for each attack tool.

    B. Apply the following workaround (Land only)

       A workaround for the Land attack tool is to block IP-spoofed packets.
       This workaround does not apply to the Teardrop attack tool because the
       Teardrop attack does not rely on IP-spoofed packets.

       Attacks like those of the Land tool rely on the use of forged packets,
       that is, packets where the attacker deliberately falsifies the origin
       address. With the current IP protocol technology, it is impossible to
       eliminate IP-spoofed packets. However, you can reduce the likelihood of
       your site's networks being used to initiate forged packets by filtering
       outgoing packets that have a source address different from that of your
       internal network.

       Currently, the best method to reduce the number of IP-spoofed packets
       exiting your network is to install filtering on your routers that
       requires packets leaving your network to have a source address from
       your internal network. This type of filter prevents a source IP
       spoofing attack from your site by filtering all outgoing packets that
       contain a source address from a different network.

       A detailed description of this type of filtering is available in the
       Internet Draft "Network Ingress Filtering: Defeating Denial of Service
       Attacks which employ IP Source Address Spoofing" by Paul Ferguson of
       Cisco Systems, Inc. and Daniel Senie of Blazenet, Inc. Note that
       although this document is labeled as an IETF "working draft," the
       content is complete and it is being proposed as an Informational RFC.
       We recommend it to both Internet Service Providers and sites that
       manage their own routers.

       The document is currently available at

http://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Cisco Systems
=============

Topic 1 - Teardrop

No feedback.

Topic 2 - Land

IOS/7000 software, Catalyst 5xxx and 29xx LAN switches, BPX and IGX WAN
switches and AXIS shelf appear to be vulnerable.
PIX firewall and Centri firewall are not vulnerable.

For more information reference URL:
http://www.cisco.com/warp/public/770/land-pub.shtml


Digital Equipment Corporation
=============================

    This reported problem is not present for Digital's ULTRIX or
    Digital UNIX Operating Systems Software.
 

The FreeBSD Project
===================

Topic 1 - Teardrop

CSRG 4.4 is not vulnerable.

Topic 2 - Land

No feedback.


Hewlett-Packard Corporation
===========================

HP is vulnerable, patches in process. Watch for HP Security Bulletin
to be issued.


IBM Corporation
===============

Topic 1 - Teardrop

AIX is not vulnerable.

Topic 2 - Land

AIX is not vulnerable.


Microsoft Corporation
=====================

Topic 1 - Teardrop

Windows NT 4.0 with SP 3 and post SP 3 fixes applied and Windows 95
with the appropriate patch are not vulnerable.
Patch information is available at URL:
ftp://ftp.microsoft.com/bussys/winnt/kb/Q154/1/74.TXT

Topic 2 - Land

Windows NT 4.0 with the appropriate patch is not vulnerable.
Patch information is available at URL:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q165005.txt

Windows 95 without the WinSock 2.0 Update is not vulnerable.
Patch information is available at URL:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q177539.TXT


NCR Corporation
===============

Topic 1 - Teardrop

NCR TCP/IP implementation is not vulnerable.

Topic 2 - Land

No feedback.


The NetBSD Project
==================

Topic 1 - Teardrop

Versions 1.2 and above are not vulnerable.

Topic 2 - Land

No feedback.


Red Hat Software
================

Topic 1 - Teardrop

Linux is not vulnerable.

Topic 2 - Land

Linux is not vulnerable.

- - ---------------------------------------------------------------------------

The CERT Coordination Center thanks Paul Ferguson and Daniel Senie for
providing information on network ingress filtering.

- - ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- - ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We
   can  support a shared DES key or PGP. Contact the CERT/CC for more
   information.

   Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- - ---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- - ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
           http://www.cert.org
               click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Dec. 16, 1997 - Added vendor information for Digital Equipment
                Corporation and Hewlett-Packard.


[End of CERT/CC Advisory]
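
Added example, not part of the CIAC/CERT text or of any vendor's code: a sensor-side check for the Land signature described under Topic 2, the source-address filter of Section III.B, and the overlapping fragments of Topic 1, run over constructed header bytes. The 192.0.2.0/24 site prefix, the function names and the sample packets are assumptions for illustration, and the inbound anti-spoofing rule is an added complement to the outbound filter the advisory describes.

```python
import ipaddress
import struct

TCP, SYN = 6, 0x02
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed site prefix (TEST-NET-1)

def parse_ipv4(packet: bytes) -> dict:
    """Extract the IPv4 (and, in a first fragment, TCP) fields the checks need."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or len(packet) < ihl:
        raise ValueError("inconsistent IPv4 header lengths")
    start = (frag & 0x1FFF) * 8              # offset field counts 8-byte units
    pkt = {
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "proto": packet[9],
        "id": ident,
        "fragment": bool(frag & 0x3FFF),     # MF bit set or non-zero offset
        "range": (start, start + total_len - ihl),
        "tcp": None,
    }
    if pkt["proto"] == TCP and start == 0 and len(packet) >= ihl + 14:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        pkt["tcp"] = (sport, dport, packet[ihl + 13])   # ports and flag byte
    return pkt

def is_land(pkt: dict) -> bool:
    """Land signature: a SYN whose source address and port equal the destination's."""
    if pkt["tcp"] is None:
        return False
    sport, dport, flags = pkt["tcp"]
    return bool(flags & SYN) and pkt["src"] == pkt["dst"] and sport == dport

def spoofed_at_border(pkt: dict, outbound: bool, internal=INTERNAL) -> bool:
    """Outbound packets must carry an internal source (the advisory's filter);
    inbound packets must not (added complement, not spelled out in the advisory)."""
    return (pkt["src"] in internal) != outbound

class FragmentWatch:
    """Flags a fragment overlapping bytes already seen for the same datagram.
    Simplification: state is never expired, which a real sensor would need."""
    def __init__(self):
        self.seen = {}   # (src, dst, proto, id) -> list of (start, end) ranges

    def overlaps(self, pkt: dict) -> bool:
        if not pkt["fragment"]:
            return False
        start, end = pkt["range"]
        ranges = self.seen.setdefault((pkt["src"], pkt["dst"], pkt["proto"], pkt["id"]), [])
        hit = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return hit

def inspect(packets, watch=None):
    """Return one verdict per (raw_bytes, outbound) pair, in order."""
    watch = watch or FragmentWatch()
    verdicts = []
    for raw, outbound in packets:
        pkt = parse_ipv4(raw)
        if is_land(pkt):
            verdicts.append("drop: land signature")
        elif spoofed_at_border(pkt, outbound):
            verdicts.append("drop: spoofed source")
        elif watch.overlaps(pkt):
            verdicts.append("drop: overlapping fragment")
        else:
            verdicts.append("pass")
    return verdicts

def sample(src, dst, sport=0, dport=0, flags=0, ident=1, frag_off=0, mf=False, payload=20):
    """Constructed test input: header bytes only, checksums zero, never sent."""
    frag = (0x2000 if mf else 0) | (frag_off // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload, ident, frag, 64, TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + (tcp if frag_off == 0 else b"").ljust(payload, b"\0")[:payload]

SAMPLES = [  # (packet, outbound?) -- constructed, documentation address ranges only
    (sample("198.51.100.7", "192.0.2.10", 40000, 80, SYN), False),   # ordinary inbound SYN
    (sample("192.0.2.10", "192.0.2.10", 8080, 8080, SYN), False),    # source == destination
    (sample("192.0.2.20", "192.0.2.10", 40000, 80, SYN), False),     # internal source from outside
    (sample("198.51.100.7", "203.0.113.5", 40000, 80, SYN), True),   # foreign source leaving site
    (sample("192.0.2.10", "203.0.113.5", 40001, 25, SYN), True),     # ordinary outbound SYN
    (sample("198.51.100.7", "192.0.2.10", ident=7, mf=True, payload=32), False),      # bytes 0-32
    (sample("198.51.100.7", "192.0.2.10", ident=7, frag_off=24, payload=16), False),  # bytes 24-40
]

if __name__ == "__main__":
    for verdict in inspect(SAMPLES):
        print(verdict)
```

The Land check works on a single packet at any vantage point, while the source-address filter only makes sense on a device that knows which side of the site border a packet arrived on.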


