A LAND (Local Area Network Denial) attack is a denial-of-service attack in which the attacker sends a specially crafted, spoofed packet to a device that causes it to lock up. It is also known as a Same Source/Dest Flood. The victim receives forged TCP SYN packets, in the flood variant at an extremely high rate, in which both the source and destination IP address fields of the IP header carry the victim's own address, and in the classic form the source and destination TCP ports are identical as well.
This kind of attack exhausts system resources: the targeted firewalls and/or servers cannot keep up with the rate of packets, and a vulnerable host ends up replying to itself continuously. The actual content of the packets is usually irrelevant, since the attacker is only aiming to deplete system resources.
The security flaw was first identified in 1997 by an anonymous computer user under the alias "m3lt". It has resurfaced several times since in various operating systems, including Windows Server 2003 and Windows XP SP2. LAND attacks have also been discovered in services such as SNMP and Windows 88/tcp (kerberos/global services). These kinds of systems had design flaws that allowed the device to accept requests on the wire that appeared to come from itself, leading to repeated replies.
Although a LAND attack also uses TCP, it is distinct from a TCP SYN flood: a SYN flood exhausts the connection backlog with many half-open connections from varied (usually spoofed) source addresses, whereas a LAND packet exploits a flaw in how the host handles a packet addressed from itself to itself, so even a single packet can be enough.
Vulnerable operating systems include the following:
- AIX 3.0
- AmigaOS AmiTCP 4.2 (Kickstart 3.0)
- BeOS Preview release 2 PowerMac
- BSDi 2.0 and 2.1
- Digital VMS
- FreeBSD 2.2.5-RELEASE and 3.0 (Fixed after required updates)
- HP External JetDirect Print Servers
- IBM AS/400 OS7400 3.7
- Irix 5.2 and 5.3
- Mac OS MacTCP, 7.6.1 OpenTransport 1.1.2 and 8.0
- NetApp NFS server 4.1d and 4.3
- NetBSD 1.1 to 1.3 (Fixed after required updates)
- NeXTSTEP 3.0 and 3.1
- Novell 4.11
- OpenVMS 7.1 with UCX 4.1-7
- QNX 4.24
- Rhapsody Developer Release
- SCO OpenServer 5.0.2 SMP, 5.0.4
- SCO Unixware 2.1.1 and 2.1.2
- SunOS 4.1.3 and 4.1.4
- Windows 95, NT and XP SP2
In terms of prevention, most firewalls should intercept and discard the poison packet before it reaches the target. Most operating systems have long since fixed the flaw through patches and updates. Routers should also be configured with ingress and egress filters (BCP 38 / RFC 2827): on an external interface, drop any incoming packet whose source address lies inside the protected network's own address space, and drop any outgoing packet whose source address lies outside it. That rule covers packets in which the source and destination IP addresses are one and the same, since such a packet can never legitimately arrive from outside.
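The following is an added example, not code from the original page, that ties together the packet structure described above (source and destination address and port all set to the victim's) and the ingress-filter rule from the prevention paragraph. It builds a raw IPv4/TCP SYN packet with correct checksums so the constructed sample is a faithful LAND packet, then classifies packets with two checks: the strict LAND signature, and a BCP 38-style "source claims to be inside our own prefix" rule. The addresses (203.0.113.0/24, 198.51.100.7) are documentation ranges chosen for the example, and the function names are the example's own.

```python
"""Build and detect LAND-style packets in raw IPv4 frames (added example)."""
import ipaddress
import struct

PROTO_TCP = 6
TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and TCP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build a minimal IPv4 + TCP SYN packet (no options, no payload).

    A LAND packet is simply this with src_ip == dst_ip and src_port == dst_port.
    """
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    tcp_len = 20
    total_len = 20 + tcp_len
    # IPv4 header: ver/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                         PROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # TCP header: ports, seq, ack, data offset, flags, window, csum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4,
                          TCP_SYN, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, PROTO_TCP, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def parse(packet: bytes) -> dict:
    """Extract the IPv4 and (if present) TCP header fields the checks below need."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    info = {
        "proto": packet[9],
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "sport": None, "dport": None, "flags": 0,
    }
    if info["proto"] == PROTO_TCP and len(packet) >= ihl + 20:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["flags"] = packet[ihl + 13]
    return info


def is_land_packet(packet: bytes) -> bool:
    """Strict LAND signature: src == dst address, and for TCP, src port == dst port.

    Non-TCP packets with identical addresses (the SNMP/UDP variants mentioned
    in the text) are flagged on the address match alone.
    """
    p = parse(packet)
    if p["src"] != p["dst"]:
        return False
    if p["proto"] != PROTO_TCP:
        return True
    return p["sport"] == p["dport"]


def ingress_filter_drops(packet: bytes, local_prefixes) -> bool:
    """BCP 38-style rule for an external interface: drop anything whose source
    address claims to be inside our own address space. Catches LAND as a special
    case (src == dst implies the source is one of our addresses) and also the
    broader spoofed-internal-source case the prevention paragraph describes."""
    p = parse(packet)
    return any(p["src"] in net for net in local_prefixes)


if __name__ == "__main__":
    # Constructed sample traffic: our public prefix and one victim host in it.
    local = [ipaddress.IPv4Network("203.0.113.0/24")]
    land = build_tcp_syn("203.0.113.5", "203.0.113.5", 139, 139)
    normal = build_tcp_syn("198.51.100.7", "203.0.113.5", 40000, 80)
    spoofed = build_tcp_syn("203.0.113.9", "203.0.113.5", 40000, 80)
    for name, pkt in (("land", land), ("normal", normal), ("spoofed", spoofed)):
        print(name, "LAND:", is_land_packet(pkt),
              "ingress-drop:", ingress_filter_drops(pkt, local))
```

Running the script prints that only the LAND packet matches the strict signature, while both the LAND packet and the spoofed-internal-source packet are dropped by the ingress rule and the ordinary connection from 198.51.100.7 passes. The strict check is what an IDS signature for LAND looks for; the ingress rule is the cheaper, more general defence because it never needs to look past the IP header.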