[unisog] MS alg.exe listening on tcp

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Mon Apr 10 03:54:35 GMT 2006

On Mon, 10 Apr 2006 09:45:08 +1000, Bradley Ellis said:
> E.g.: the NTP port in use by the Windows time service - would be
> accessible from the local machine - but not the network.

>   Proto  Local Address          Foreign Address        State           PID
>   UDP          *:*                                    1212

This requires some additional checking.  I've come across more than one
TCP stack that *would* accept a packet from an external interface, if it
showed up with the destination machine's own MAC address and a destination
address of - as a result, it's possible for another machine on the
subnet to craft a packet that would be accepted.  If there's any boxes on
that subnet that will accept and forward a source-routed packet, the attack
is even possible from off-subnet.

(Hint - how many times have we seen 'land' attacks?)

It's not that big a deal for port 123 - but it could be interesting for
other UDP ports bound to  For TCP, about all you can do is
set source and dest both to and set the ports for a LAND attack,
unless you're *really* good at predicting ISN's ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20060409/d4df0011/attachment.bin

More information about the unisog mailing list