20 December 1997: Add news report on land.c author, just below, and CIAC Bulletin on Denial-of-Service Attacks at the end of this document.

Teenage hacker tells his side of land attack story

December 19, 1997
Network World: Montreal

It was "Meltman" who wrote Land Attack, the denial-of-service attack code that has been blowing up routers, servers and desktop computers since it was posted on the Internet right before Thanksgiving.

Technicians at Cisco Systems, Inc., like many others in the network industry, have been busy coping with the fallout from Land Attack and would love to get their hands on the havoc-wreaking Meltman.

But despite his ominous moniker, in reality Meltman is a 16-year-old Montreal high-school student named Hugo Breton. And though Breton does have regrets about releasing his land.c code to the public, he warned that there are bound to be more such bombshells until the network industry gets a lot smarter about security.

"Network equipment should not be vulnerable to something like Land Attack," said Breton, who also uses the moniker "M3lt" in some of the Usenet groups and chat rooms which form a kind of watering hole where hackers and security professionals uneasily coexist on the Internet.

Officially known as land.c code, Land Attack works by tricking the targeted machine into trying to set up a TCP session with itself. If the machine falls for this form of IP spoofing, it goes into a TCP closed loop and has to be physically rebooted.

A number of security experts, including Chris Klaus, chief technology officer at Internet Security Systems, Inc., agree there is no reason a machine would want to talk to itself like this. Systems should be designed to prevent such attacks.

Breton said that when he released Land Attack on the bugtraq Usenet group, he was only aware it would make Windows 95 computers hang up Windows 95. He even messaged Microsoft Corp. about it.
"I can't even use land.c because my service provider in Canada, Videotron.net, prevents IP spoofing," Breton said. "I admit releasing the bug into the public wasn't the most responsible thing to do. Land.c is spreading."

Indeed, it is being used to crash small hosts and as a weapon on Internet Relay Chat (IRC) channels. "The IRC is like a shooting range," and people are using Land Attack to blow each other off "in channel wars," he said.

Breton said he also now is being bombarded with a huge amount of "hate mail and love mail. The hate mail is from systems administrators. They're calling me 'stupid,' 'dumb,' an 'ass - - - -.'" The love mail seems mainly to be from denizens of the Internet who have more destructive tendencies.

Breton said he decided to post land.c because he thought the information about the security vulnerability eventually would leak, and he wanted to take credit for the discovery.

In retrospect, Breton said maybe he should have gone to the newly formed Canadian Computer Emergency Response Team, an organization that, like its U.S. counterpart, tries to provide help in handling security incidents.

To Breton, the impact of Land Attack is clear in one way: "Perhaps this made some people realize they can be the target of such attacks. Some people need to wake up; this kind of attack shouldn't even happen."

For Cisco, whose routers and switches were vulnerable to land.c, the learning process has been painful.

Mike Quinn, Cisco's director of customer assurance who heads a security SWAT team, said Cisco personnel worked around the clock through Thanksgiving to isolate the problem, test equipment and work on fixes.

Cisco sent e-mail alerts to its customers and provided details about the situation on its Web site, though a few mistakes in testing land.c caused Cisco to say some switches were not vulnerable. Cisco quickly corrected the misstatements.

Last week, Cisco had finished creating fixes for most of its product line.
Fortunately, Cisco firewalls apparently are not vulnerable to Land Attack. Network managers who want to obtain the router and switch fixes can get them through the Cisco Connection Online.

----------

6 December 1997: Add 3 Dec 97 message on system vulnerabilities.

4 December 1997, Network World:

Hackers Out for IP Blood with New Land Attack

The Internet underworld last week unsheathed a new weapon capable of knocking out IP-based routers and servers, sending vendors scrambling to find ways to safeguard their gear.

Land Attack, officially known as land.c program code, was posted on the Net by someone called "Meltman" and used last week in attacks on Cisco Systems, Inc. routers and Unix and Windows NT servers. Some of the targeted machines were slowed to a crawl, while others had to be rebooted.

Land Attack represents a new twist on the dreaded "TCP SYN flooding" denial-of-service attack in which a hacker ties up a port on a network device or causes it to crash by flooding it with unwanted synchronization (SYN) packets. The SYN packets are used to establish network connections in a three-way synchronize-acknowledge (SYN-ACK) handshake needed to set up a Web, telnet, File Transfer Protocol or Simple Mail Transfer Protocol session.

But unlike TCP SYN flooding, Land Attack sends out just one sinister SYN packet in which the sending device's IP address has been swapped out for the IP address of the destination machine. When the destination machine tries to acknowledge receipt of the transmission, it ends up using its own address, which means it sends the message back to itself, resulting in a potentially fatal loopback condition.

"If someone could find a way to use this Land Attack program to spread this across the Internet, it could cause major service disruptions," said Chris Klaus, chief technology officer at Internet Security Systems, Inc., whose software is aimed at detecting network-based intrusions and attacks.
After some quick testing with Land Attack, vendors rapidly issued a long and unofficial list of network gear determined to be vulnerable or "not vulnerable to anything ranging from 60-second slowdowns to total collapse."

While Proteon, Inc. network gear and Hewlett-Packard Co. Unix machines appeared on the clean list, the news was not as good for Cisco routers, which form the heart of the Internet.

Cisco, which received multiple reports that its routers were targeted, issued a general alert informing users that land.c can be used to launch denial-of-service attacks against Classic IOS software used on Cisco routers with product numbers greater than 1000. It also listed software on its CGS/MGS/AGS+ and the CS-500 gear as vulnerable.

The company said the effect on the Cisco IOS/700 software used on Cisco 7xx routers "is more devastating than the Classic IOS software." But it went on to say that most customers use firewalls to separate 7xx routers from the Internet, minimizing the threat.

The company said the Cisco Catalyst 5000 LAN switches also are vulnerable, but they can be safeguarded by removing their IP addresses. This, however, has the effect of disabling remote management, Cisco noted.

The company added that the Cisco PIX firewall "appears not to be affected."

As of press time, Cisco had issued patches for some, but not all, of its gear. It advised users to visit www.cisco.com for field alerts on Land Attack.

Microsoft Corp., whose Windows 95 and NT operating systems made the "vulnerable" list, downplayed the extent of the damage caused by Land Attack.

"We tested NT 4.0 with our Service Pak 3, and Land Attack just slows it down for 60 seconds and then resumes normal operations," said Karan Khanna, Microsoft product manager for NT. Microsoft planned to issue a patch by today.

Sun Microsystems, Inc., whose Solaris boxes generally were listed as not vulnerable, did get a vulnerable rating for SunOS 1.4 and SunOS 1.4.
A Sun spokesman said the company was not aware of the security uproar surrounding Land Attack.

----------

4 December 1997, Business Wire:

WheelGroup Announces Security Solution for Dangerous New Land and Teardrop Internet Attacks

San Antonio -- WheelGroup Corporation has developed a solution to protect networks from the recently publicized "Land" and "Teardrop" Internet attacks by leveraging its best-of-breed NetRanger(a) intrusion detection system.

Both the Land and Teardrop attacks primarily target IP-based routers and servers, including Unix and Windows NT servers. Both also can be classified as "denial-of-service" attacks, which can temporarily disable key servers or entire networks, and present a particularly onerous problem to e-commerce sites, Internet Service Providers (ISPs), and other organizations which depend on mission-critical networks.

WheelGroup's Countermeasures and Research group has identified and tested solutions to both of these new attacks using the company's flagship NetRanger intrusion detection and network security management system. As a result, WheelGroup is currently in the process of deploying the newly developed countermeasures to NetRanger systems at commercial and military customer sites worldwide.

Because NetRanger looks into the data stream of a network connection and analyzes the content and context of the individual packet payloads and headers, the system is able to analyze inbound and outbound data at an extremely high level of granularity, without significant effects on performance. Unlike traditional security systems, NetRanger can search for network misuse -- in real-time -- even within authorized activity, such as seemingly legitimate telnet or FTP sessions.

When NetRanger detects unauthorized activity, like the inherent characteristics of Land and Teardrop attacks, it sends an alarm with details and analysis of the attack to a central management system.
NetRanger can also quickly eliminate the attack several different ways, including dynamically reconfiguring the Access Control Lists (ACLs) on Cisco routers. This enables NetRanger to permanently block the attacker from accessing the network in the future.

"Much of the publicity regarding the Land attack has focused on its potential use against perimeter routers and key network servers. As a result, most network-intensive organizations and ISPs, in particular, may be concerned," said Dave King, WheelGroup's Vice President for Marketing. "Since NetRanger works in conjunction with a wide-range of network devices and can quickly stop these attacks, WheelGroup can provide a robust, effective security solution for the vast majority of the networking systems in the market."

About the attacks:

The Land attack -- named after a program "land.c," which implements it -- can cause a computer or network device to crash or lose service for a period of time. The attack, a derivative of "IP spoofing," involves sending a machine an Internet Protocol (IP) packet that claims to come from the destination machine itself. When the machine attempts to acknowledge the packet, it responds to itself and thereby sets up a continuous loop. This looping results in a packet storm that can cause the machine to crash or to suffer massive performance delays.

The Teardrop attack involves creating and sending IP packets that are fragmented in such a way as to exploit an arithmetic error in the software that reassembles packet fragments. By sending these malformed packets, the attacker causes an extremely large amount of data to be copied into memory that usually causes the machine to crash.

"New attacks are generated on a frequent basis," said Kevin Ziese, Director of Research and co-founder of WheelGroup Corporation. "By maintaining a constant watch on network activity and leveraging the dynamic updating capabilities of NetRanger, we are committed to ensuring our customer base has the ability to counter even the newest of threats."

More information about WheelGroup's security technology, professional services, and strategic relationships may be obtained via the Internet at http://www.wheelgroup.com .

----------

Re: land.c

From          forcer@mynock.org (forcer)
Organization  UPM - United Penguins and Mynocks
Date          3 Dec 1997 20:54:40 GMT
Newsgroups    de.comp.os.linux.misc

On Wed, 03 Dec 1997 20:01:49 +0100, Oliver Wahlen wrote:
>Hi,
>I read the following article on a mailing list. I would be
>interested to know whether anyone has already let land.c loose on a
>Linux system.
>Perhaps someone could post the source code here (if it is not too
>large). Otherwise I would appreciate an e-mail about it.
>

You can have the source from me, but it is not particularly hard anyway if you know C ;) I am not posting it here, because too many systems are at risk from it *g*

Oh, and Linux sends a correct RST, and that's it; nothing happens.

I did once see a "vulnerable" list on a mailing list, though... here:

------------------------

This is the last "LAND" update. I will not post any more. This list is not meant to be comprehensive nor accurate. For an accurate assessment of the risk to your IP stack contact your vendor.
Cisco Field Notice: TCP Loopback Denial-of-Service Attack and Cisco Devices
http://www.cisco.com/warp/public/770/land-pub.shtml

Read "Network Ingress Filtering: Defeating Denial of Service Address Spoofing"
ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt

The survey says:

AIX 3                                        IS vulnerable
AIX 3.2                                      NOT vulnerable
AIX 4                                        NOT vulnerable
AIX 4.1                                      NOT vulnerable
AIX 4.2.1                                    NOT vulnerable
AmigaOS AmiTCP 4.0demo                       NOT vulnerable
AmigaOS AmiTCP 4.2 (Kickstart 3.0)           IS vulnerable
AmigaOS Miami 2.0                            NOT vulnerable
AmigaOS Miami 2.1f                           NOT vulnerable
AmigaOS Miami 2.1p                           NOT vulnerable
AmigaOS Miami 2.92c                          NOT vulnerable
BeOS Preview Release 2 PowerMac              IS vulnerable
BSDI 2.0                                     IS vulnerable
BSDI 2.1 (vanilla)                           IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)        NOT vulnerable
BSDI 3.0                                     NOT vulnerable
DG/UX R4.12                                  NOT vulnerable
Digital UNIX 3.2c                            NOT vulnerable
Digital UNIX 4.0                             NOT vulnerable
Digital VMS ???                              IS vulnerable
FreeBSD 2.1.6-RELEASE                        NOT vulnerable
FreeBSD 2.2.2-RELEASE                        NOT vulnerable
FreeBSD 2.2.5-RELEASE                        IS vulnerable
FreeBSD 2.2.5-STABLE                         IS vulnerable (fixed)
FreeBSD 3.0-CURRENT                          IS vulnerable (fixed)
HP External JetDirect Print Servers          IS vulnerable
HP-UX 9.03                                   NOT vulnerable
HP-UX 10.01                                  NOT vulnerable
HP-UX 10.20                                  NOT vulnerable
IBM AS/400 OS7400 3.7                        IS vulnerable (100% CPU)
IRIX 5.2                                     IS vulnerable
IRIX 5.3                                     IS vulnerable
IRIX 6.2                                     NOT vulnerable
IRIX 6.3                                     NOT vulnerable
IRIX 6.4                                     NOT vulnerable
Linux 1.2.13                                 NOT vulnerable
Linux 2.1.65                                 NOT vulnerable
Linux 2.0.30                                 NOT vulnerable
Linux 2.0.32                                 NOT vulnerable
MacOS MacTCP                                 IS vulnerable
MacOS OpenTransport 1.1.1                    NOT vulnerable
MacOS 7.1p6                                  NOT vulnerable
MacOS 7.5.1                                  NOT vulnerable
MacOS 7.6.1 OpenTransport 1.1.2              IS vulnerable (not a complete lockup)
MacOS 8.0                                    IS vulnerable (TCP/IP stack crashed)
MVS OS390 1.3                                NOT vulnerable
NetApp NFS server 4.1d                       IS vulnerable
NetApp NFS server 4.3                        IS vulnerable
NetBSD 1.1                                   IS vulnerable
NetBSD 1.2                                   IS vulnerable
NetBSD 1.2a                                  IS vulnerable
NetBSD 1.2.1                                 IS vulnerable (fixed)
NetBSD 1.3_ALPHA                             IS vulnerable (fixed)
NeXTSTEP 3.0                                 IS vulnerable
NeXTSTEP 3.1                                 IS vulnerable
Novell 4.11                                  IS vulnerable (100% CPU for 30 secs)
OpenBSD 2.1                                  (conflicting reports)
OpenBSD 2.2                                  NOT vulnerable
OpenVMS 7.1 with UCX 4.1-7                   IS vulnerable
OS/2 3.0                                     NOT vulnerable
OS/2 4.0                                     NOT vulnerable
QNX 4.24                                     IS vulnerable
Rhapsody Developer Release                   IS vulnerable
SCO OpenServer 5.0.2 SMP                     IS vulnerable
SCO OpenServer 5.0.4                         IS vulnerable (kills networking)
SCO Unixware 2.1.1                           IS vulnerable
SCO Unixware 2.1.2                           IS vulnerable
Solaris 2.4                                  NOT vulnerable
Solaris 2.5.1                                NOT vulnerable
Solaris 2.5.2                                NOT vulnerable
Solaris 2.6                                  NOT vulnerable
SunOS 4.1.3                                  IS vulnerable
SunOS 4.1.4                                  IS vulnerable
Ultrix ???                                   NOT vulnerable
Windows 95 (vanilla)                         IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE          IS vulnerable
Windows NT (vanilla)                         IS vulnerable
Windows NT + SP3                             IS vulnerable
Windows NT + SP3 + simptcp-fix               IS vulnerable

Some misc stuff:

3Com Accessbuilder 600/700                   NOT vulnerable
3Com LinkSwitch 1000                         NOT vulnerable
3Com OfficeConnect 500                       NOT vulnerable
3Com SuperStack II Switch 1000               IS vulnerable
Adtran TSU Rack                              NOT vulnerable
Apple LaserWriter                            IS vulnerable
Ascend 4000 5.0Ap20                          NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16               NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13               NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R)      NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router          IS vulnerable
Cisco Classic IOS < 10.3, early 10.3, 11.0, 11.1, and 11.2  IS vulnerable
Cisco IOS/700                                IS vulnerable
Cisco Catalyst                               IS vulnerable
Digital VT1200                               IS vulnerable
Farallon Netopia PN440                       NOT vulnerable
HP Envizex Terminal                          IS vulnerable
LaserJet Printer                             NOT vulnerable
Livingston Office Router (ISDN)              IS vulnerable
Livingston PM ComOS 3.3.3                    NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2           NOT vulnerable
Livingston PM ComOS 3.7L                     NOT vulnerable
Livingston PM ComOS 3.7.2                    NOT vulnerable
Livingston Enterprise PM 3.4 2L              NOT vulnerable
Livingston T1/E1 OR                          IS vulnerable
Milkyway Blackhole Firewall 3.0 (SunOS)      IS vulnerable
Milkyway Blackhole Firewall 3.02(SunOS)      IS vulnerable
NCD X Terminals, NCDWare v3.1.0              IS vulnerable
NCD X Terminals, NCDWare v3.2.1              IS vulnerable
Netopia PN440 v2.0.1                         IS vulnerable
Proteon GT60                                 NOT vulnerable
Proteon GT60Secure                           NOT vulnerable
Proteon GT70                                 NOT vulnerable
Proteon GT70Secure                           NOT vulnerable
Proteon GTAM                                 NOT vulnerable
Proteon GTX250                               NOT vulnerable
Proteon RBX250                               NOT vulnerable
Sonix Arpeggio                               NOT vulnerable
Sonix Arpeggio +                             NOT vulnerable
Sonix Arpeggio Lite                          NOT vulnerable

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

-forcer
--
/* Software is like sex; it's better when it's free - Linus Torvalds */
/* email: forcer@mindless.com.nospam www: http://www.forcer.base.org/ */
/* IRC: forcer (IRCnet #StarWars) pgp: pub 2048/191585A9 */

-----------------------------------------------------------------------------

20 December 1997:

Date: Fri, 19 Dec 1997 13:50:56 -0800 (PST)
From: CIAC Mail User
To: ciac-bulletin@tholia.llnl.gov
Subject: CIAC Bulletin I-019:Tools Generating IP Denial-of-Service Attacks

[ For Public Release ]

-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Tools Generating IP Denial-of-Service Attacks

December 16, 1997 18:00 GMT                                  Number I-019
______________________________________________________________________________

PROBLEM: Information has been received that two tools (Teardrop and Land) which exploit vulnerabilities in the TCP/IP protocol are being used to cause denial-of-service attacks.

PLATFORM: Any platform using the TCP/IP protocol may be vulnerable. Check the vendor list included in this bulletin.

DAMAGE: Use of these tools (Teardrop and Land) enable a remote user to launch a denial-of-service attack.
SOLUTION: Apply either the patches or the workaround included in the bulletin.

VULNERABILITY ASSESSMENT: Attacks using these tools have been reported.
______________________________________________________________________________

CIAC IS AWARE OF THE DISCUSSION ON BUGTRAQ REGARDING LINUX AND THIS VULNERABILITY. WE HAVE CHOSEN TO SEND THIS ADVISORY AS DISTRIBUTED. IT WILL BE UPDATED IF ANY OF THE ENCLOSED INFORMATION CHANGES.
______________________________________________________________________________

[ Start of CERT/CC Advisory ]

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.28
Original issue date: Dec. 16, 1997
Last revised: December 16, 1997 - Added vendor information for Digital Equipment Corporation and Hewlett-Packard.

A complete revision history is at the end of this file.

Topic: IP Denial-of-Service Attacks
- - ----------------------------------------------------------------------------
- -

The CERT Coordination Center has received reports of two attack tools (Teardrop and Land) that are being used to exploit two vulnerabilities in the TCP/IP protocol. Both tools enable a remote user to cause a denial of service.

The CERT/CC team recommends installing patches from your vendor. Until you are able to do so, we urge you to use the workaround described in Section III.B. to reduce the likelihood of a successful attack using Land. There is no workaround for Teardrop.

We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.
- - ----------------------------------------------------------------------------
- -

I. Description

In recent weeks there has been discussion on public mailing lists about two denial-of-service attack tools, Teardrop and Land.
These attack tools have similar effects on some systems (namely, causing the victim machine to crash), but the tools exploit different vulnerabilities. The CERT Coordination Center has received several reports of sites being attacked by either one or both of these tools.

It is important to note that it may be necessary for a system administrator to apply separate patches, if they exist, for each attack tool.

Topic 1 - Teardrop

Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability.

Topic 2 - Land

Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination--i.e., spoofed). Land is a widely available attack tool that exploits this vulnerability.

II. Impact

Topic 1 - Teardrop

Any remote user can crash a vulnerable machine.

Topic 2 - Land

Any remote user that can send spoofed packets to a host can crash or "hang" that host.

III. Solution

CERT/CC urges you to immediately apply vendor patches if they are available. You may have to apply different patches for each attack tool. You may want to use the workaround for Land, so please review both Sections A and B below.

A. Consult your vendor

Appendix A contains information from vendors who provided input for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

It is important to note that you may have to apply different patches for each attack tool.

B. Apply the following workaround (Land only)

A workaround for the Land attack tool is to block IP-spoofed packets. This workaround does not apply to the Teardrop attack tool because the Teardrop attack does not rely on IP-spoofed packets.
Attacks like those of the Land tool rely on the use of forged packets, that is, packets where the attacker deliberately falsifies the origin address. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.

Currently, the best method to reduce the number of IP-spoofed packets exiting your network is to install filtering on your routers that requires packets leaving your network to have a source address from your internal network. This type of filter prevents a source IP spoofing attack from your site by filtering all outgoing packets that contain a source address from a different network.

A detailed description of this type of filtering is available in the Internet Draft "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" by Paul Ferguson of Cisco Systems, Inc. and Daniel Senie of Blazenet, Inc. Note that although this document is labeled as an IETF "working draft," the content is complete and it is being proposed as an Informational RFC. We recommend it to both Internet Service Providers and sites that manage their own routers. The document is currently available at

http://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.

Cisco Systems
=============

Topic 1 - Teardrop

No feedback.
Topic 2 - Land

IOS/7000 software, Catalyst 5xxx and 29xx LAN switches, BPX and IGX WAN switches and AXIS shelf appear to be vulnerable. PIX firewall and Centri firewall are not vulnerable.

For more information reference URL:
http://www.cisco.com/warp/public/770/land-pub.shtml

Digital Equipment Corporation
=============================

This reported problem is not present for Digital's ULTRIX or Digital UNIX Operating Systems Software.

The FreeBSD Project
===================

Topic 1 - Teardrop

CSRG 4.4 is not vulnerable.

Topic 2 - Land

No feedback.

Hewlett-Packard Corporation
===========================

HP is vulnerable, patches in process. Watch for HP Security Bulletin to be issued.

IBM Corporation
===============

Topic 1 - Teardrop

AIX is not vulnerable.

Topic 2 - Land

AIX is not vulnerable.

Microsoft Corporation
=====================

Topic 1 - Teardrop

Windows NT 4.0 with SP 3 and post SP 3 fixes applied and Windows 95 with the appropriate patch are not vulnerable.

Patch information is available at URL:
ftp://ftp.microsoft.com/bussys/winnt/kb/Q154/1/74.TXT

Topic 2 - Land

Windows NT 4.0 with the appropriate patch is not vulnerable.

Patch information is available at URL:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q165005.txt

Windows 95 without the WinSock 2.0 Update is not vulnerable.

Patch information is available at URL:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q177539.TXT

NCR Corporation
===============

Topic 1 - Teardrop

NCR TCP/IP implementation is not vulnerable.

Topic 2 - Land

No feedback.

The NetBSD Project
==================

Topic 1 - Teardrop

Versions 1.2 and above are not vulnerable.

Topic 2 - Land

No feedback.

Red Hat Software
================

Topic 1 - Teardrop

Linux is not vulnerable.

Topic 2 - Land

Linux is not vulnerable.
- - ---------------------------------------------------------------------------
The CERT Coordination Center thanks Paul Ferguson and Daniel Senie for providing information on network ingress filtering.
- - ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information
- - ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.

Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
         http://www.cert.org/
         ftp://ftp.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
         comp.security.announce

To be added to our mailing list for advisories and bulletins, send email to
         cert-advisory-request@cert.org
In the subject line, type
         SUBSCRIBE your-email-address

- - ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.
- - ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
           http://www.cert.org
               click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history

Dec. 16, 1997 - Added vendor information for Digital Equipment Corporation and Hewlett-Packard.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNJazr3VP+x0t4w7BAQGl6gP/SUYR7d5SBwsDdNN9Uk+V9e6qGdu/FPci
MmZfHozQHo7F3owbn+dlXxy+IHgZMMFUoyu8brI+zINjtqe/D2KHVwZ/7p2UsLWs
/hEquXNAwnuJLq4qlt0PhaXDTkKcD5I5mXrmAhHaq3+K6HKzZoQtWGMLzN/BFnIi
68OS89tN400=
=7vK0
- -----END PGP SIGNATURE-----

[End of CERT/CC Advisory]
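
Added example (not part of the CERT/CC advisory, the CIAC bulletin or any vendor's product): a sensor-side check for the Land signature as described under Topic 2, together with the outbound source-address filter from Section III.B. The function names, the 192.0.2.0/24 "internal network" and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

TCP_PROTO = 6
SYN = 0x02


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags) for an unfragmented IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:    # need the TCP header up to the flags byte
        return None
    if packet[9] != TCP_PROTO:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                           # later fragment: no TCP header here
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport, packet[ihl + 13]


def is_land_signature(packet: bytes) -> bool:
    """SYN whose source address and port equal the destination (CA-97.28, Topic 2)."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, dst, sport, dport, flags = parsed
    return bool(flags & SYN) and src == dst and sport == dport


def egress_permitted(packet: bytes, internal_nets) -> bool:
    """Section III.B filter: a packet leaving the site must carry an internal source."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    src = ipaddress.IPv4Address(packet[12:16])
    return any(src in net for net in internal_nets)


def triage(packets, internal_nets):
    """Label each outbound packet the way a border filter or sensor would."""
    verdicts = []
    for pkt in packets:
        if is_land_signature(pkt):
            verdicts.append("drop: land signature")
        elif not egress_permitted(pkt, internal_nets):
            verdicts.append("drop: spoofed source")
        else:
            verdicts.append("forward")
    return verdicts


def sample_header(src, dst, sport, dport, flags):
    """Constructed 40-byte IPv4+TCP header (checksums zeroed); parser input only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


# Constructed samples; 192.0.2.0/24 stands in for the site's internal network.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLES = [
    sample_header("192.0.2.10", "198.51.100.7", 40000, 80, SYN),   # normal outbound SYN
    sample_header("198.51.100.7", "198.51.100.7", 80, 80, SYN),    # Land signature
    sample_header("203.0.113.5", "198.51.100.7", 40001, 80, SYN),  # forged source
    sample_header("192.0.2.10", "192.0.2.10", 40002, 80, SYN),     # same host, ports differ
]

if __name__ == "__main__":
    for verdict in triage(SAMPLES, INTERNAL):
        print(verdict)
```

The second sample also fails egress_permitted on its own, since its source is not an internal address; that is the property the Section III.B workaround relies on.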