FRAMINGHAM (12/12/97) - It was "Meltman" who wrote Land Attack, the denial-of-service attack code that has been blowing up routers, servers and desktop computers since it was posted on the Internet right before Thanksgiving.
Technicians at Cisco Systems Inc., like many others in the network industry, have been busy coping with the fallout from Land Attack and would love to get their hands on the havoc-wreaking Meltman. But despite his ominous moniker, in reality Meltman is a 16-year-old Montreal high-school student named Hugo Breton. And though Breton does have regrets about releasing his land.c code to the public, he warned that there are bound to be more such bombshells until the network industry gets a lot smarter about security.
"Network equipment should not be vulnerable to something like Land Attack," said Breton, who also uses the moniker "M3lt" in some of the Usenet groups and chat rooms which form a kind of watering hole where hackers and security professionals uneasily coexist on the Internet.
Officially known as land.c code, Land Attack works by tricking the targeted machine into trying to set up a TCP session with itself. If the machine falls for this form of IP spoofing, it goes into a TCP closed loop and has to be physically rebooted.
A number of security experts, including Chris Klaus, chief technology officer at Internet Security Systems Inc., agree there is no reason a machine would want to talk to itself like this. Systems should be designed to prevent such attacks.
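The check the experts describe, sketched as an added example that is not from the article, Cisco's fixes or any vendor's code: an ingress filter that rejects a TCP connection request whose source address equals its destination address before the TCP stack sees it. The function name, verdict values and sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PASS = 0, DROP_SELF_SESSION = 1, DROP_MALFORMED = 2 };

/* Hypothetical ingress check for a raw IPv4 packet received from the network
 * (not the loopback interface), run before the TCP state machine sees it. */
enum verdict check_ingress(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;                 /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length incl. options */
    if (ihl < 20 || len < ihl)
        return DROP_MALFORMED;
    if (pkt[9] != 6)
        return PASS;                           /* not TCP */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return PASS;                           /* later fragment: no TCP header */
    if (len < ihl + 14)
        return DROP_MALFORMED;                 /* TCP flags byte is missing */
    int syn = pkt[ihl + 13] & 0x02;            /* session set-up request */
    int same_addr = memcmp(pkt + 12, pkt + 16, 4) == 0;
    return (syn && same_addr) ? DROP_SELF_SESSION : PASS;
}

/* Constructed samples (documentation addresses, checksums left zero). */
static const uint8_t SAMPLE_SELF[40] = {       /* SYN, source == destination */
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 192,0,2,10, 192,0,2,10,
    0x04,0x01, 0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0,0, 0,0,0,0 };
static const uint8_t SAMPLE_NORMAL[40] = {     /* SYN between two hosts */
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 192,0,2,10, 192,0,2,20,
    0x04,0x01, 0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0,0, 0,0,0,0 };

int main(void)
{
    printf("self-addressed SYN: %d\n", check_ingress(SAMPLE_SELF, sizeof SAMPLE_SELF));
    printf("normal SYN:         %d\n", check_ingress(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL));
    printf("truncated:          %d\n", check_ingress(SAMPLE_SELF, 30));
    return 0;
}
```

The verdict values print as 1, 0 and 2 for the three samples; the check does not validate checksums and covers only the self-addressed session request the article describes.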
Breton said that when he released Land Attack on the bugtraq Usenet group, he was only aware it would make Windows 95 computers hang. He even messaged Microsoft Corp. about it.
"I can't even use land.c because my service provider in Canada, Videotron.net, prevents IP spoofing," Breton said. "I admit releasing the bug into the public wasn't the most responsible thing to do. Land.c is spreading."
Indeed, it is being used to crash small hosts and as a weapon on Internet Relay Chat (IRC) channels. "The IRC is like a shooting range," and people are using Land Attack to blow each other off "in channel wars," he said.
Breton said he also now is being bombarded with a huge amount of "hate mail and love mail. The hate mail is from systems administrators. They're calling me 'stupid,' 'dumb,' an 'ass - - - -.'" The love mail seems mainly to be from denizens of the Internet who have more destructive tendencies.
Breton said he decided to post land.c because he thought the information about the security vulnerability eventually would leak, and he wanted to take credit for the discovery.
In retrospect, Breton said maybe he should have gone to the newly formed Canadian Computer Emergency Response Team, an organization that, like its U.S. counterpart, tries to provide help in handling security incidents.
To Breton, the impact of Land Attack is clear in one way: "Perhaps this made some people realize they can be the target of such attacks. Some people need to wake up; this kind of attack shouldn't even happen."
For Cisco, whose routers and switches were vulnerable to land.c, the learning process has been painful.
Mike Quinn, Cisco's director of customer assurance who heads a security SWAT team, said Cisco personnel worked around the clock through Thanksgiving to isolate the problem, test equipment and work on fixes.
Cisco sent e-mail alerts to its customers and provided details about the situation on its Web site, though a few mistakes in testing land.c caused Cisco to say some switches were not vulnerable. Cisco quickly corrected the misstatements.
This week, Cisco had finished creating fixes for most of its product line. Fortunately, Cisco firewalls apparently are not vulnerable to Land Attack.
Network managers who want to obtain the router and switch fixes can get them through the Cisco Connection Online.