Teardrops and land bugs

Software Magazine, March, 1998 by Route

In November, two new devastating denial of service (DOS) attacks were publicized over the Bugtraq security mailing list, an open list devoted to coverage of the latest security vulnerabilities. The two bugs, known as "Teardrop" and "Land," allow attackers to crash machines from across the Internet with relative impunity.

The vulnerabilities these two bugs exploit are nested deep within the TCP/IP protocol suite in distinctly different places. The Teardrop bug affects Windows 95, Windows NT, Linux, Novell-DOS, PC-NFS, and reportedly, the Apple IIGS. The cause? A faulty IP module. Specifically, the problem lies in the IP fragmentation/reassembly code and manifests itself when IP attempts to reassemble specially contrived fragments.

The Teardrop exploit is easy to execute. The attacker sends a series of fragmented IP datagram pairs to the target -- how many depends on the operating system. Windows NT can take up to 50, while Linux crashes with one pair. The first fragment is sent over with an offset of 0 (telling IP that it is the first fragment in the list) and a payload of size N. The second, and last, fragment is sent over with an offset telling IP that it should overlap inside the previous fragment, but this fragment's payload is either nonexistent, or quite small (one or two bytes).

As a result, the new fragment does not have enough data to cover to the end of the original fragment, and IP ends up thinking the length of the payload is a negative number. Since this is the last fragment, IP will then attempt to reassemble the original packet. The host will crash or reboot as it tries to copy entirely too much data. For the original Bugtraq post, including exploit code and a Linux patch, see:
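To make the reassembly arithmetic concrete, here is an added illustration (not code from the article or from any of the affected kernels) of how trimming an overlapping fragment produces a negative remaining length, and the check a patched reassembler applies. Fragment sizes below are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload in the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # "more fragments" flag; False on the last fragment


def trimmed_length(prev: Fragment, cur: Fragment) -> int:
    """Reassembly arithmetic for a fragment that overlaps its predecessor.

    The reassembler skips the bytes of `cur` already covered by `prev` and
    keeps only the rest.  For a Teardrop pair the second fragment ends
    before the overlap ends, so the result is negative; an unpatched
    reassembler stored that as a payload length and copied far too much.
    """
    end = cur.offset + cur.length
    overlap = max(0, (prev.offset + prev.length) - cur.offset)
    start = cur.offset + overlap
    return end - start


def reassemble(frags: List[Fragment]) -> Optional[int]:
    """Walk fragments in arrival order; return the reassembled payload
    length, or None when a fragment must be dropped (the patched behaviour)."""
    total = 0
    prev: Optional[Fragment] = None
    for cur in frags:
        if prev is None:
            total += cur.length
        else:
            remaining = trimmed_length(prev, cur)
            if remaining < 0:      # the fix: refuse the malformed overlap
                return None
            total += remaining
        prev = cur
    return total


# constructed examples: a benign overlap and a Teardrop-style pair
BENIGN = [Fragment(0, 36, True), Fragment(24, 20, False)]   # 36 + 8 = 44 bytes
TEARDROP = [Fragment(0, 36, True), Fragment(24, 4, False)]  # second ends inside the first
```

`reassemble(BENIGN)` yields 44, while `reassemble(TEARDROP)` returns None because the second fragment's remaining length works out to -8.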

www.geek-girl.com/bugtraq/1997_4/0283.html

For its part, the Land bug affects a much wider range of operating systems, including AIX, HP-UX, MacOS, NetBSD, SunOS, Windows 95 and NT, and even Cisco's IOS. Land can cripple a system by sending only one TCP packet to the target.

Since TCP is responsible for the end-to-end aspects of network communication, it guarantees a reliable connection between two hosts. Before data can be exchanged between these hosts, however, a connection must be established. TCP performs this task via the three-way handshake, a process initiated by the client, which sends the first packet containing a connection request. The server then responds with an acknowledgment and a similar request, which the client acknowledges in the final packet.

Land is shockingly simple in concept. The attacker forges the first packet of the three-way handshake to the target on a listening port. The packet is forged so that it seems to come from the TCP port on the target machine.

Upon receiving this packet, the TCP module gets thoroughly confused and sends out the expected second packet of the three-way handshake to the very same connection. The state information in this packet is not correct, so TCP sends out a packet containing the expected state information. This packet is also sent right back to the same connection, and the process is repeated. The target machine has essentially descended into an infinite loop. For the original Bugtraq post see:

www.geek-girl.com/bugtraq/1997_4/0339.html

Stopping these attacks is not difficult. Because the vulnerabilities are deep within the operating system, you should contact your vendor for a patch. Here's how to get them for a number of OSs.

Teardrop is fixed in all Linux kernels 2.0.32 and higher, and in all development kernels 2.1.63 and higher. Go to:

ftp.linux.org/pub/kernel/v2.0/ and ftp.linux.org/pub/kernel/v2.1/

To secure Windows NT from Teardrop and a host of other attacks, go to:

ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-post-SP3/simptcp-fix/

For the correct Windows 95 patch, determine whether you have Winsock 1.1 or Winsock 2. If you have the file \windows\system\ws2_32.dll, you have Winsock 2. For Windows 95 Winsock 1.1, go to:

support.microsoft.com/download/support/mslfiles/Vipup11.exe. For Windows 95 Winsock 2, see: support.microsoft.com/download/support/mslfiles/Vipup20.exe

Windows 95 also needs the VTCPUPD patch from: support.microsoft.com/download/support/mslfiles/Vtcpupd.exe

The Land attack has no official Microsoft patch, but Redmond claims to be working on it. The bug is easy to filter out at your router, however, with ingress filtering, or "edge filtering." The Land attack is automatically stopped by edge filtering.
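As an added example (not part of the article), the two defensive checks the Land discussion and the filtering advice above amount to: recognising the Land signature itself (a SYN that claims to come from the very socket it is addressed to), and the ingress rule at the border that drops it without a signature, because an inbound packet must never carry an inside source address. The network addresses and the sample SYNs are constructed from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Syn:
    src: str     # source IP address
    sport: int   # source TCP port
    dst: str     # destination IP address
    dport: int   # destination TCP port


# assumed inside network for the border router (documentation range)
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def is_land(pkt: Syn) -> bool:
    """Land signature: connection request from a host's own listening socket."""
    return pkt.src == pkt.dst and pkt.sport == pkt.dport


def edge_filter(pkt: Syn, inbound: bool) -> str:
    """Ingress ("edge") filtering: traffic arriving from outside must not
    claim an inside source address.  A Land packet aimed at an inside host
    is forged with that host's own address, so this rule drops it."""
    src = ipaddress.ip_address(pkt.src)
    if inbound and src in LOCAL_NET:
        return "drop"
    return "pass"


# constructed sample of SYNs seen at the border: (packet, arrived from outside?)
SAMPLE: List[Tuple[Syn, bool]] = [
    (Syn("198.51.100.7", 40000, "192.0.2.10", 80), True),    # ordinary inbound request
    (Syn("192.0.2.10", 139, "192.0.2.10", 139), True),       # Land-style, inside address from outside
    (Syn("192.0.2.5", 5000, "198.51.100.7", 443), False),    # outbound, legitimate
]


def triage(sample: List[Tuple[Syn, bool]]) -> List[Tuple[str, bool]]:
    """Apply both checks; returns (filter verdict, matches Land signature)."""
    return [(edge_filter(pkt, inbound), is_land(pkt)) for pkt, inbound in sample]
```

Only the second sample packet is dropped, and it is also the only one the signature flags; the edge rule catches it without inspecting ports at all.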

COPYRIGHT 1998 King Content Co. / Software Magazine
COPYRIGHT 2008 Gale, Cengage Learning