Check or Attack Name: land

The land exploit consists of a forged packet sent to a target machine, with identical source and destination addresses, and identical source and destination ports. This type of packet is known to crash many machines.

Users should contact their vendors for fix information, NT users should follow the instructions below.

Windows NT: Apply the latest Windows NT 4.0 Service Pack:

1. Open a web browser.
2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
3. Find the installation program you downloaded to your computer.
4. Double-click the program icon to start the installation.
5. Follow the installation directions.

—OR—

Windows NT 4.0 Service Pack 3 (SP3) users must apply the post-SP3 teardrop2-fix patch available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/ (which supersedes the land patch).

To apply teardrop2, follow these steps:

1. Open a web browser.
2. Go to 'ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/.
3. View the readme.txt for patch version and execution.
4. Download the patch appropriate for your system.
5. Locate and execute the file you downloaded to your system.
6. Follow the installation directions.

—AND—

Applying router or firewall rules that deny all incoming packets claiming to originate from the internal network is good practice, and will stop this attack.

Microsoft Knowledge Base Article Q179129, STOP 0x0000000A or 0x00000019 Due to Modified Teardrop Attack, http://support.microsoft.com/support/kb/articles/q179/1/29.asp

Microsoft Knowledge Base Article Q165005, Windows NT Slows Down Because of Land Attack, http://support.microsoft.com/support/kb/articles/q165/0/05.asp

SCO Security Bulletin 98:01, IP-based Denial of Service Attacks, ftp://ftp.sco.com/SSE/security_bulletins/SB.98:01a

Microsoft Knowledge Base Article Q179129, STOP 0x0000000A or 0x00000019 Due to Modified Teardrop Attack, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/teardrop2-fix/Q179129.txt

Microsoft Knowledge Base Article Q165005, Windows NT Slows Down Due to Land Attack, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/archive/land-fix/Q165005.txt

Hewlett-Packard Security Bulletin HPSBUX9801-076, Security Vulnerability with land on HP-UX, http://us-support.external.hp.com/

CERT Advisory CA-97.28, IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html