 4 December 1997, Network World:

 Hackers Out for IP Blood with New Land Attack 

 The Internet underworld last week unsheathed a new weapon capable of knocking 
 out IP-based routers and servers, sending vendors scrambling to find ways to 
 safeguard their gear. 

 Land Attack, named for the land.c program that implements it, was posted on the
 Net by someone called "Meltman" and used last week in attacks on Cisco Systems, Inc.
 routers and Unix and Windows NT servers. Some of the targeted machines were
 slowed to a crawl, while others had to be rebooted. 

 Land Attack represents a new twist on the dreaded "TCP SYN flooding"
 denial-of-service attack in which a hacker ties up a port on a network device or
 causes it to crash by flooding it with unwanted synchronization (SYN) packets. 

 The SYN packets are used to establish network connections in the three-way
 synchronize-acknowledge (SYN-ACK) handshake needed to set up a Web, telnet,
 File Transfer Protocol or Simple Mail Transfer Protocol session. 

 But unlike TCP SYN flooding, Land Attack sends out just one sinister SYN packet
 in which the sending device's IP address has been swapped out for the IP address
 of the destination machine. When the destination machine tries to acknowledge
 the SYN, it addresses the reply to itself, so the response loops back into its own
 TCP stack, resulting in a potentially fatal loopback condition on vulnerable
 implementations. "If someone could find a way to use this Land Attack program to
 spread this across the Internet, it could cause major service disruptions," said
 Chris Klaus, chief technology officer at Internet Security Systems, Inc., whose
 software is aimed at detecting network-based intrusions and attacks. 

 After some quick testing with Land Attack, vendors rapidly issued a long and
 unofficial list of network gear determined to be "vulnerable" or "not vulnerable,"
 with effects ranging from 60-second slowdowns to total collapse. 

 While Proteon, Inc. network gear and Hewlett-Packard Co. Unix machines
 appeared on the clean list, the news was not as good for Cisco routers, which
 form the heart of the Internet. 

 Cisco, which received multiple reports that its routers were targeted, issued a
 general alert informing users that land.c can be used to launch denial-of-service
 attacks against Classic IOS software used on Cisco routers with product numbers
 greater than 1000. 

 It also listed software on its CGS/MGS/AGS+ and the CS-500 gear as vulnerable. 

 The company said the effect on the Cisco IOS/700 software used on Cisco 7xx
 routers "is more devastating than the Classic IOS software." But it went on to say
 that most customers use firewalls to separate 7xx routers from the Internet,
 minimizing the threat. 

 The company said the Cisco Catalyst 5000 LAN switches also are vulnerable, but
 they can be safeguarded by removing their IP addresses. This, however, has the
 effect of disabling remote management, Cisco noted. The company added that the
 Cisco PIX firewall "appears not to be affected." 

 As of press time, Cisco had issued patches for some, but not all, of its gear. It
 advised users to visit www.cisco.com for field alerts on Land Attack. 

 Microsoft Corp., whose Windows 95 and NT operating systems made the
 "vulnerable" list, downplayed the extent of the damage caused by Land Attack. 

 "We tested NT 4.0 with our Service Pack 3, and Land Attack just slows it down
 for 60 seconds and then resumes normal operations," said Karan Khanna, Microsoft
 product manager for NT. Microsoft planned to issue a patch by today. 

 Sun Microsystems, Inc., whose Solaris boxes generally were listed as not
 vulnerable, did get a vulnerable rating for SunOS 1.4 and SunOS 1.4. A Sun
 spokesman said the company was not aware of the security uproar surrounding
 Land Attack. 

----------

 4 December 1997, Business Wire:

 WheelGroup Announces Security Solution for Dangerous New Land and
 Teardrop Internet Attacks

 San Antonio -- WheelGroup Corporation has developed a solution to protect 
 networks from the recently publicized "Land" and "Teardrop" Internet attacks 
 by leveraging its best-of-breed NetRanger(R) intrusion detection system. Both 
 the Land and Teardrop attacks primarily target IP-based routers and servers, 
 including Unix and Windows NT servers. Both also can be classified as 
 "denial-of-service" attacks, which can temporarily disable key servers or 
 entire networks, and present a particularly onerous problem to e-commerce 
 sites, Internet Service Providers (ISPs), and other organizations which 
 depend on mission-critical networks. 

 WheelGroup's Countermeasures and Research group has identified and tested
 solutions to both of these new attacks using the company's flagship NetRanger
 intrusion detection and network security management system. As a result,
 WheelGroup is currently in the process of deploying the newly developed
 countermeasures to NetRanger systems at commercial and military customer sites
 worldwide. 

 Because NetRanger looks into the data stream of a network connection and
 analyzes the content and context of the individual packet payloads and headers, the
 system is able to analyze inbound and outbound data at an extremely high level of
 granularity, without significant effects on performance. Unlike traditional security
 systems, NetRanger can search for network misuse -- in real-time -- even within
 authorized activity, such as seemingly legitimate telnet or FTP sessions. When
 NetRanger detects unauthorized activity, like the inherent characteristics of Land
 and Teardrop attacks, it sends an alarm with details and analysis of the attack to a
 central management system. NetRanger can also quickly eliminate the attack
 several different ways, including dynamically reconfiguring the Access Control
 Lists (ACLs) on Cisco routers. This enables NetRanger to permanently block the
 attacker from accessing the network in the future. 

 "Much of the publicity regarding the Land attack has focused on its potential use
 against perimeter routers and key network servers. As a result, most
 network-intensive organizations and ISPs, in particular, may be concerned," said
 Dave King, WheelGroup's Vice President for Marketing. "Since NetRanger works
 in conjunction with a wide-range of network devices and can quickly stop these
 attacks, WheelGroup can provide a robust, effective security solution for the vast
 majority of the networking systems in the market." 

 About the attacks: 

 The Land attack -- named after a program "land.c," which implements it -- can
 cause a computer or network device to crash or lose service for a period of time.
 The attack, a derivative of "IP spoofing," involves sending a machine an Internet
 Protocol (IP) packet that claims to come from the destination machine itself.
 When the machine attempts to acknowledge the packet, it responds to itself and
 thereby sets up a continuous loop. This looping results in a packet storm that can
 cause the machine to crash or to suffer massive performance delays. 

 The Teardrop attack involves creating and sending IP packets that are fragmented
 in such a way as to exploit an arithmetic error in the software that reassembles
 packet fragments. By sending these malformed packets, the attacker causes an
 extremely large amount of data to be copied into memory that usually causes the
 machine to crash. 
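 As an added example (not NetRanger's code and not taken from either article),
 the following Python parses hand-built IPv4/TCP packets and flags the two packet
 shapes described above: a Land packet, whose source address equals its
 destination address, and a Teardrop fragment pair, whose second fragment ends
 inside the data already carried by the first. The packets are constructed in
 sample_packets() with made-up addresses and ports, and the length arithmetic in
 FragmentTracker mirrors a reassembler that trims the overlapping prefix of a new
 fragment: that subtraction going negative is the arithmetic error the Teardrop
 description refers to.

```python
"""Added example: Land and Teardrop detection over raw IPv4 packets.

Not NetRanger code. All packets are constructed test data, not captures.
"""
import socket
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_FLAG_MF = 0x2000       # "more fragments" bit in the flags/offset field
IP_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units
TCP_FLAG_SYN = 0x02


def build_ipv4(src, dst, proto, payload, ident=1, frag_offset=0, more=False):
    """Minimal 20-byte IPv4 header plus payload (checksum left zero; never sent)."""
    flags_frag = (IP_FLAG_MF if more else 0) | ((frag_offset // 8) & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only SYN set (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, TCP_FLAG_SYN, 8192, 0, 0)


def parse_ipv4(raw):
    """Pull the fields the detectors need out of a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", raw[2:8])
    return {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "proto": raw[9],
        "id": ident,
        "more": bool(flags_frag & IP_FLAG_MF),
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,
        "payload": raw[ihl:total_len],
    }


def is_land(pkt):
    """Land: a TCP SYN whose source address equals its destination address.

    land.c also sets source port equal to destination port; the address match
    alone is enough to flag, since no legitimate packet on the wire has it.
    """
    if pkt["proto"] != IP_PROTO_TCP or pkt["offset"] != 0 or len(pkt["payload"]) < 14:
        return False
    flags = pkt["payload"][13]
    return pkt["src"] == pkt["dst"] and bool(flags & TCP_FLAG_SYN)


class FragmentTracker:
    """Records fragment extents per datagram and reproduces the reassembler's
    trim-the-overlap arithmetic to spot the Teardrop shape."""

    def __init__(self):
        self.extents = {}  # (src, dst, id, proto) -> [(start, end), ...]

    def check(self, pkt):
        if pkt["offset"] == 0 and not pkt["more"]:
            return None  # not a fragment
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
        start, end = pkt["offset"], pkt["offset"] + len(pkt["payload"])
        alert = None
        for prev_start, prev_end in self.extents.get(key, []):
            if start >= prev_end or end <= prev_start:
                continue  # no overlap with this earlier fragment
            # A reassembler that skips the bytes it already holds copies
            # end - prev_end bytes; that is negative when the new fragment
            # ends inside the earlier one, and a naive memcpy treats it as huge.
            copy_len = end - prev_end
            if copy_len < 0:
                alert = (f"teardrop: fragment [{start},{end}) of id {pkt['id']} ends inside "
                         f"[{prev_start},{prev_end}); naive copy length {copy_len}")
                break
            alert = f"overlap: fragment [{start},{end}) overlaps [{prev_start},{prev_end})"
        self.extents.setdefault(key, []).append((start, end))
        return alert


def sample_packets():
    """Constructed traffic: a normal SYN, a Land SYN, and a Teardrop fragment pair."""
    normal = build_ipv4("192.0.2.10", "192.0.2.20", IP_PROTO_TCP, build_tcp_syn(40000, 80))
    land = build_ipv4("192.0.2.20", "192.0.2.20", IP_PROTO_TCP, build_tcp_syn(139, 139))
    # First fragment carries bytes [0,36); the second claims [24,28), ending before 36.
    frag1 = build_ipv4("192.0.2.10", "192.0.2.20", IP_PROTO_UDP, b"A" * 36,
                       ident=242, frag_offset=0, more=True)
    frag2 = build_ipv4("192.0.2.10", "192.0.2.20", IP_PROTO_UDP, b"B" * 4,
                       ident=242, frag_offset=24, more=False)
    return [normal, land, frag1, frag2]


def scan(raw_packets):
    """Run both detectors over a packet sequence and return the alerts raised."""
    tracker = FragmentTracker()
    alerts = []
    for raw in raw_packets:
        pkt = parse_ipv4(raw)
        if is_land(pkt):
            alerts.append(f"land: SYN from {pkt['src']} addressed to itself")
        frag_alert = tracker.check(pkt)
        if frag_alert:
            alerts.append(frag_alert)
    return alerts


if __name__ == "__main__":
    for line in scan(sample_packets()):
        print(line)
```

 The Land check is stateless and can sit on a perimeter filter; the Teardrop
 check needs per-datagram state, which is why the press release pairs it with an
 inline sensor rather than a router ACL. A production detector would also expire
 tracker entries, since an attacker can exhaust the table with fragments that never
 complete.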

 "New attacks are generated on a frequent basis," said Kevin Ziese, Director of
 Research and co-founder of WheelGroup Corporation. "By maintaining a constant
 watch on network activity and leveraging the dynamic updating capabilities of
 NetRanger, we are committed to ensuring our customer base has the ability to
 counter even the newest of threats." 

 More information about WheelGroup's security technology, professional services, 
 and strategic relationships may be obtained via the Internet at 
 http://www.wheelgroup.com . 

----------

