Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices

John Bashinski (jbash@CISCO.COM)
Fri, 21 Nov 1997 14:38:14 -0800

-----BEGIN PGP SIGNED MESSAGE-----

Field Notice:
TCP loopback DoS Attack (land.c) and Cisco Devices

November 21, 1997, 14:00 AM US/Pacific, Revision 1
- --------------------------------------------------

Summary
- -----
Somebody has released a program, known as land.c, which can be used to
launch denial of service attacks against various TCP implementations. The
program sends a TCP SYN packet (a connection initiation), giving the target
host's address as both source and destination, and using the same port on
the target host as both source and destination.

Classic IOS software (used on Cisco routers with product numbers greater
than 1000, on the CGS/MGS/AGS+, and on the CS-500) is moderately vulnerable
to this attack. For some IOS versions, if the attack is launched against a
TCP port that is actually listening (say the TELNET port), then invalid
connection data will be created, preventing further legitimate connections
for approximately 30 seconds. High CPU loads may result on some IOS
versions. We observed a complete hang on one 11.5 system, but have been
unable to reproduce that failure. Based on very preliminary data, the
router's packet forwarding functions are not generally affected.

IOS/700 (used on Cisco 7xx routers) is also vulnerable. The 7xx
vulnerability is more devastating than the classic IOS vulnerability, but
probably less dangerous for most customers, since firewalls separate most
7xx routers from the Internet.

The PIX firewall appears does not appear to be affected. Initial testing of
the Centri firewall tends to indicate that it is not affected.

We're working on characterizing other products' vulnerability to attack.
Updates will be issued as information becomes available.

Who is Affected
- -------------
All IOS and IOS/700 systems that can be reached via TCP from untrusted hosts
are affected, provided that the reachable TCP ports are ports on which IOS
ordinarily provides service. The attack requires spoofing the targets's own
address, so systems behind effective anti-spoofing firewalls are safe.

Impact
- ----
Classic IOS systems may experience slowdowns while under active attack. On
IOS software versions earlier than 11.2(4), new TCP connections will fail
for a period of about 30 seconds after any attack packet is received. IOS
versions later than 11.2(4), or that contain the fix for bug ID CSCdi87533,
may experience slowdowns, but should continue to accept new TCP connections
. Most IOS versions appear to recover completely within a few minutes of the
attack stopping, but we have not yet fully characterized the effect on all
IOS versions. One complete failure was observed; the version was 11.1(5). A
configuration workaround for classic IOS can prevent the problem entirely,
subject to performance restrictions.

IOS/700 systems subjected to the attack will hang indefinitely and must be
physically reset. A configuration workaround for IOS/700 can prevent the
problem entirely.

Initial tests indicate that the PIX firewall is not vulnerable to this
attack. Tests have been conducted with version 4.1.3.245 and 4.0.7.

Initial tests indicate that the Centri firewall (build 4.110) is not
vulnerable to this attack with no exposed service configured. We have not
yet tested the Centri product with exposed services.

Workaround for Classic IOS
- ------------------------
Classic IOS users can use input access lists on their interfaces to prevent
the attack packets from entering their TCP stacks. This will prevent the
attack entirely, but may have unacceptable performance impacts on heavily
loaded high-end routers. Traffic will still be fast-switched, but
higher-speed switching modes may be disabled. It should be tried with care.

If you have no existing input access lists, create a new IP extended access
list. Use a presently-unused number between 100 and 199. The access list
must have an entry for each of the IP address configured on the system.
Deny packets from each address to itself. For example:

access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

If you have existing access lists, you'll need to merge the new entries in
an appropriate way, generally at the top of the list. The access list should
be applied incoming on all interfaces, so a fragment of a total router
configuration might look like this:

interface ethernet 0
ip address 1.2.3.4 255.255.255.0
ip access-group 101 in
!
interface ethernet 1
ip address 5.6.7.8
ip access-group 101 in
!
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Workaround for IOS/700
- --------------------
Add the following configuration command to any profile that may be active
when connected to potentially hostile network:

set ip filter tcp in source <7xx IP address> destination <7xx IP address> block

Using Cisco Products to Protect Other Systems
- -------------------------------------------
We do not believe that this attack can be used against systems behind our
dedicated firewall products, the PIX and Centri firewalls, unless
general-purpose tunnels have been enabled through the firewalls.

Properly designed anti-spoofing access lists at border routers can be used
to prevent the attack from entering a private network from the Internet. Use
the access lists to filter out packets whose IP source addresses are on your
internal net, but which are arriving from interfaces connected to the
outside Internet.

Exploitation and Public Announcements
- -----------------------------------
Cisco has had multiple reports of this vulnerability.

Most exploitation seems to be using the original program, which sends one
packet at a time. Floods of invalid packets have not been reported.

This issue has been widely discussed in a variety of Internet fora.

Cisco first heard of this problem on the morning of Friday, November 21.

Distribution of this Notice
- -------------------------
This notice is being sent to the following Internet mailing lists and
newsgroups:

* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* nanog@merit.edu

Updates will be sent to some or all of these, as appropriate.

This notice will be posted in the "Field Notices" section of Cisco's
Worldwide Web site, which can be found under "Technical Tips" in the
"Service and Support" section. The URL will be

http://www.cisco.com/warp/public/770/land-pub.shtml

The copy on the Worldwide Web will be updated as appropriate.

Cisco Security Procedures
- -----------------------
Please report security issues with Cisco products to
security-alert@cisco.com.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNHYMogyPsuGbHvEpAQHojQgAtU3nEwtn+2Xg8W8jLTcCIiF+q0oFhmMS
Z54T67xooTmsWbLzv409AYR73G/TbsNgflzQZa8amAXbz6EIUlzaYqJdHB2B7FsH
GFh8c7VFZZ7zp9r9UVJJYjSYwRENLpDaKb5kx//zOFF/9eh4G95cJ6zMMLukSreJ
MAA+5xc23SV+fpk+AmxEzWifAYoIz9KRsK0/GTHA93F17MZEvTIauVf3VxD8DSHV
zA7ndUNuxH0rg2oGOok4XbiBSSXK3glkkCAkJ0OzGEPt7RZ1EcJ+TpTJpETu+F7z
0XyJXF25TxoMAu8MmmM4IQvRtZzM0PGCA6X3XErg6wiUFJL1JFpejQ==
=SkPH
-----END PGP SIGNATURE-----