Source: cve@mitre.org
Land IP denial of service.
Land Attack (CVE-1999-0016) is a classic denial-of-service (DoS) vulnerability that can render a target system unresponsive. By sending a specially crafted TCP packet whose source and destination IP addresses and ports are set to the same values, an attacker can overwhelm the target's TCP/IP stack, leading to a system crash or network outage. The attack is particularly effective against older systems and can disrupt critical services.
Step 1: Packet Crafting: The attacker crafts a TCP packet.
Step 2: Source Spoofing: The attacker sets the source IP address and source port in the TCP header to be the same as the target's IP address and a specific port.
Step 3: Destination Matching: The attacker sets the destination IP address and destination port in the TCP header to be the same as the target's IP address and the same specific port used in the source.
Step 4: Packet Transmission: The attacker sends the crafted packet to the target system.
Step 5: Processing Loop: The target system receives the packet and, due to the identical source and destination, enters a processing loop, attempting to send the packet to itself.
Step 6: Resource Exhaustion: The processing loop consumes system resources (CPU, memory, network bandwidth), leading to a denial-of-service condition.
Step 7: Service Disruption: The target system becomes unresponsive or crashes, disrupting network services.
Root Cause: The Land attack exploits a flaw in how the TCP/IP stack handles packets whose source and destination IP addresses and ports are identical. A vulnerable system can enter an infinite loop or consume excessive resources while processing the malformed packet, typically because it attempts to send the packet to itself. The specific logic flaw varies by operating system and TCP/IP stack implementation, but the core issue is the same: the stack fails to validate the source and destination information before processing the packet, which can lead to resource exhaustion, a system crash, or a network outage.
This vulnerability is primarily a historical concern. It is unlikely to be associated with specific APT groups because of its age and the ease of mitigation. It is not listed in the CISA KEV catalog.
Network Intrusion Detection Systems (NIDS) can be configured to detect packets with identical source and destination IP addresses and ports.
Firewall logs can be analyzed for packets with suspicious characteristics.
Security Information and Event Management (SIEM) systems can be used to correlate network traffic patterns and identify potential Land attack attempts.
Packet capture tools (e.g., tcpdump, Wireshark) can be used to analyze network traffic and identify malformed packets.
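A small detector of the kind the NIDS and packet-capture points above describe, added here as an illustration rather than anything taken from the CVE record or from a vendor tool: it parses tcpdump-style IPv4/TCP summary lines (a constructed sample capture using documentation addresses is embedded) and flags packets whose source address and port equal the destination address and port. Skipping loopback traffic by default is my own design choice, to avoid false positives from a host legitimately talking to itself over 127.0.0.0/8; all function and variable names are assumptions, not part of any existing tool.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the IPv4/TCP summary lines tcpdump prints by default, e.g.
#   12:00:02.104400 IP 192.0.2.10.139 > 192.0.2.10.139: Flags [S], seq 0, win 512, length 0
# (in this output format the host and the port are joined by a dot)
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+)\s+>\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+):\s*"
    r"(?P<summary>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    summary: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump summary line; return None for lines that are not IPv4/TCP."""
    m = TCPDUMP_LINE.match(line.strip())
    if not m:
        return None
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        return None
    try:  # reject dotted quads the regex accepts but that are not valid addresses
        ipaddress.ip_address(m["src_ip"])
        ipaddress.ip_address(m["dst_ip"])
    except ValueError:
        return None
    return Packet(m["ts"], m["src_ip"], src_port, m["dst_ip"], dst_port, m["summary"])


def is_land_packet(pkt: Packet, ignore_loopback: bool = True) -> bool:
    """A Land packet has identical source/destination address AND port.

    Loopback traffic is skipped by default (assumption): a host talking to
    itself over 127.0.0.0/8 is normal and would otherwise be a false positive.
    """
    if ignore_loopback and ipaddress.ip_address(pkt.src_ip).is_loopback:
        return False
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def find_land_packets(lines: Iterable[str], ignore_loopback: bool = True) -> List[Packet]:
    """Return every parsed packet in `lines` that matches the Land signature."""
    hits: List[Packet] = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and is_land_packet(pkt, ignore_loopback):
            hits.append(pkt)
    return hits


# Constructed sample capture (RFC 5737 documentation addresses; not real traffic).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.50231 > 192.0.2.10.80: Flags [S], seq 10, win 64240, length 0
12:00:01.000350 IP 192.0.2.10.80 > 198.51.100.7.50231: Flags [S.], seq 20, ack 11, win 65160, length 0
12:00:02.104400 IP 192.0.2.10.139 > 192.0.2.10.139: Flags [S], seq 0, win 512, length 0
12:00:03.000200 IP 127.0.0.1.45000 > 127.0.0.1.45000: Flags [S], seq 1, win 65495, length 0
12:00:04.000100 IP 203.0.113.5.443 > 192.0.2.10.51022: Flags [P.], seq 1:100, ack 1, win 501, length 99
"""

if __name__ == "__main__":
    for pkt in find_land_packets(SAMPLE_CAPTURE.splitlines()):
        print(f"LAND {pkt.ts} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port} ({pkt.summary})")
```

Run against a real capture with something like `tcpdump -nn -i eth0 tcp | python3 land_detect.py` after replacing SAMPLE_CAPTURE with sys.stdin; on the sample above only the 192.0.2.10:139 packet is reported, and the loopback self-connection is reported only when ignore_loopback is set to False.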
Implement a firewall and configure it to drop packets with identical source and destination IP addresses and ports.
Ensure that the operating system and network stack are up-to-date with the latest security patches.
Monitor network traffic for suspicious patterns.
Implement rate limiting to prevent excessive traffic from a single source.
Use intrusion detection and prevention systems (IDS/IPS) to detect and block malicious traffic.