Possible LAND attack vulnerability affects Windows XP and 2003

While Microsoft will not release a monthly security bulletin for March, a new denial-of-service vulnerability has surfaced that affects Windows Server 2003 and Windows XP systems. Get the details about this and other security news in this edition of the IT Locksmith.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

For only the second time, Microsoft will not release a security bulletin this month. Meanwhile, a new denial of service (DoS) threat appears on the horizon, but experts debate its level of risk.


Microsoft announced earlier this month that it has no plans to release its regularly scheduled monthly security bulletin for March. (Of course, a newfound vulnerability could always trigger an emergency release later in the month.) Since the software giant began the monthly release practice in October 2003, there has been only one other month—December 2003—when it didn't release a monthly security bulletin.

However, did report a new DoS vulnerability last week, as outlined by a posting on the SecurityFocus industry forum site. In the post, Dejan Levaja, who identified himself as a system engineer in Belgrade, stated that he had notified Microsoft of the vulnerability in late February and only decided to go public with the information after receiving no response from the company.

The threat affects Windows Server 2003 and Windows XP systems that have Support Pack 2 installed but the firewall turned off. These systems are vulnerable to a "LAND attack," which could cause a temporary DoS attack that lasts for approximately 15 to 30 seconds.

A LAND attack (i.e., IP DoS) results from sending a specially crafted packet to a machine where the source host/port is the same as the destination host/port. The system attempts to reply to itself, resulting in system lockup. While a 15- to 30-second outage may not sound too bad, Levaja pointed out that the server isn't the only thing to lock up—all workstations on the network also freeze.

While Microsoft agreed that the vulnerability exists, it pointed out that an attack would result only in a minor inconvenience and wouldn't present a significant threat. A researcher from the SANS Internet Storm Center came to essentially the same conclusion, pointing out that XP is only vulnerable if you've installed SP2.

For details about how to test for this vulnerability, check out this diary entry at the SANS Internet Storm Center.


This vulnerability applies to all Windows Server 2003 systems and only Windows XP systems with SP2 installed.

Risk level - Moderate

While the potential LAND attack is annoying, it only triggers a temporary DoS attack. In addition, it doesn't require a reset to regain control.

Mitigating factors

Microsoft's firewall, included with XP SP2, will block the attack if you haven't disabled it.


Install or activate a firewall that blocks LAND attacks.

Final word

LAND attacks are nothing new, and they certainly aren't specific to Microsoft products. However, this is one more case of an old vulnerability resurfacing as a new threat because of changes to new software.

I reminded you last week about the April 12 deadline for XP SP2. If you don't want SP2 to install automatically, you need to turn off XP's Automatic Update feature. Of course, with this week's disclosure of the LAND attack vulnerability, this takes on a new urgency, since the threat only affects XP systems with SP2 installed.

Also watch for …

  • I've just got to stop writing about potential dangers here. Last time in this section, I pointed out that, while ChoicePoint was a well-known danger, even more obscure databases were much more dangerous if hackers breached their security. And wouldn't you know it? Last week, reported attackers had struck one of the LexisNexis databases, compromising approximately 32,000 personal records.
    While corporate parent Reed Elsevier Group PLC was quick to point out that intruders didn't access credit or medical histories, attackers did manage to steal social security numbers, names, addresses, and driver's license numbers, so that assurance probably isn't much comfort.
  • Last week, Microsoft released a new version of its Windows Malicious Software Removal Tool, which requires periodic updates due to the appearance of new malware variants.
  • F-secure has reported the existence of a new cell phone virus, "Commwarrior." While the new virus has yet to wreak much havoc, it's the first wireless virus that attacks through multimedia messages (including photos, sound, and video).
  • And finally, according to, it is now officially illegal to reverse-engineer and/or publish security vulnerabilities in France.

Editor's Picks

Free Newsletters, In your Inbox