-----BEGIN PGP SIGNED MESSAGE----- Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices November 21, 1997, 14:00 AM US/Pacific, Revision 1 - -------------------------------------------------- Summary - ----- Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination. Classic IOS software (used on Cisco routers with product numbers greater than 1000, on the CGS/MGS/AGS+, and on the CS-500) is moderately vulnerable to this attack. For some IOS versions, if the attack is launched against a TCP port that is actually listening (say the TELNET port), then invalid connection data will be created, preventing further legitimate connections for approximately 30 seconds. High CPU loads may result on some IOS versions. We observed a complete hang on one 11.5 system, but have been unable to reproduce that failure. Based on very preliminary data, the router's packet forwarding functions are not generally affected. IOS/700 (used on Cisco 7xx routers) is also vulnerable. The 7xx vulnerability is more devastating than the classic IOS vulnerability, but probably less dangerous for most customers, since firewalls separate most 7xx routers from the Internet. The PIX firewall appears does not appear to be affected. Initial testing of the Centri firewall tends to indicate that it is not affected. We're working on characterizing other products' vulnerability to attack. Updates will be issued as information becomes available. Who is Affected - ------------- All IOS and IOS/700 systems that can be reached via TCP from untrusted hosts are affected, provided that the reachable TCP ports are ports on which IOS ordinarily provides service. The attack requires spoofing the targets's own address, so systems behind effective anti-spoofing firewalls are safe. Impact - ---- Classic IOS systems may experience slowdowns while under active attack. On IOS software versions earlier than 11.2(4), new TCP connections will fail for a period of about 30 seconds after any attack packet is received. IOS versions later than 11.2(4), or that contain the fix for bug ID CSCdi87533, may experience slowdowns, but should continue to accept new TCP connections . Most IOS versions appear to recover completely within a few minutes of the attack stopping, but we have not yet fully characterized the effect on all IOS versions. One complete failure was observed; the version was 11.1(5). A configuration workaround for classic IOS can prevent the problem entirely, subject to performance restrictions. IOS/700 systems subjected to the attack will hang indefinitely and must be physically reset. A configuration workaround for IOS/700 can prevent the problem entirely. Initial tests indicate that the PIX firewall is not vulnerable to this attack. Tests have been conducted with version 4.1.3.245 and 4.0.7. Initial tests indicate that the Centri firewall (build 4.110) is not vulnerable to this attack with no exposed service configured. We have not yet tested the Centri product with exposed services. Workaround for Classic IOS - ------------------------ Classic IOS users can use input access lists on their interfaces to prevent the attack packets from entering their TCP stacks. This will prevent the attack entirely, but may have unacceptable performance impacts on heavily loaded high-end routers. Traffic will still be fast-switched, but higher-speed switching modes may be disabled. It should be tried with care. If you have no existing input access lists, create a new IP extended access list. Use a presently-unused number between 100 and 199. The access list must have an entry for each of the IP address configured on the system. Deny packets from each address to itself. For example: access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0 access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 If you have existing access lists, you'll need to merge the new entries in an appropriate way, generally at the top of the list. The access list should be applied incoming on all interfaces, so a fragment of a total router configuration might look like this: interface ethernet 0 ip address 1.2.3.4 255.255.255.0 ip access-group 101 in ! interface ethernet 1 ip address 5.6.7.8 ip access-group 101 in ! access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0 access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 Workaround for IOS/700 - -------------------- Add the following configuration command to any profile that may be active when connected to potentially hostile network: set ip filter tcp in source <7xx IP address> destination <7xx IP address> block Using Cisco Products to Protect Other Systems - ------------------------------------------- We do not believe that this attack can be used against systems behind our dedicated firewall products, the PIX and Centri firewalls, unless general-purpose tunnels have been enabled through the firewalls. Properly designed anti-spoofing access lists at border routers can be used to prevent the attack from entering a private network from the Internet. Use the access lists to filter out packets whose IP source addresses are on your internal net, but which are arriving from interfaces connected to the outside Internet. Exploitation and Public Announcements - ----------------------------------- Cisco has had multiple reports of this vulnerability. Most exploitation seems to be using the original program, which sends one packet at a time. Floods of invalid packets have not been reported. This issue has been widely discussed in a variety of Internet fora. Cisco first heard of this problem on the morning of Friday, November 21. Distribution of this Notice - ------------------------- This notice is being sent to the following Internet mailing lists and newsgroups: * cisco@spot.colorado.edu * comp.dcom.sys.cisco * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * nanog@merit.edu Updates will be sent to some or all of these, as appropriate. This notice will be posted in the "Field Notices" section of Cisco's Worldwide Web site, which can be found under "Technical Tips" in the "Service and Support" section. The URL will be http://www.cisco.com/warp/public/770/land-pub.shtml The copy on the Worldwide Web will be updated as appropriate. Cisco Security Procedures - ----------------------- Please report security issues with Cisco products to security-alert@cisco.com. This notice is copyright 1997 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNHYMogyPsuGbHvEpAQHojQgAtU3nEwtn+2Xg8W8jLTcCIiF+q0oFhmMS Z54T67xooTmsWbLzv409AYR73G/TbsNgflzQZa8amAXbz6EIUlzaYqJdHB2B7FsH GFh8c7VFZZ7zp9r9UVJJYjSYwRENLpDaKb5kx//zOFF/9eh4G95cJ6zMMLukSreJ MAA+5xc23SV+fpk+AmxEzWifAYoIz9KRsK0/GTHA93F17MZEvTIauVf3VxD8DSHV zA7ndUNuxH0rg2oGOok4XbiBSSXK3glkkCAkJ0OzGEPt7RZ1EcJ+TpTJpETu+F7z 0XyJXF25TxoMAu8MmmM4IQvRtZzM0PGCA6X3XErg6wiUFJL1JFpejQ== =SkPH -----END PGP SIGNATURE-----