cbcvebase.
CVE-1999-0016
published 2005-03-05

CVE-1999-0016: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with…

medium5CVSS 2.0
AVNACLAuNCNINAP
EXPLOIT
EPSS
95.67%
99.9th percentile
Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).

Affected

6 ranges
VendorProductVersion rangeFixed in
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server

Detection & IOCsextracted from sources · hover to see the quote

commandTCP SYN packet with source address == destination address AND source port == destination port
port139
  • Detect LAND attack packets: alert on any TCP SYN packet where the source IP and source port are identical to the destination IP and destination port.
  • On Windows Server 2003 and XP SP2, the exploit only triggers when both TCP and IP checksums are valid/correct — filter for LAND-pattern packets with correct checksums to reduce false negatives.
  • The attack may only be deliverable from the local network segment or via a specially discovered route, since routers may drop the spoofed packets — prioritize monitoring on internal/LAN segments.
  • The exploit also has an IPv6 variant (LandIpV6) that crafts a TCP SYN with src IPv6 == dst IPv6 and src port == dst port over raw Ethernet frames — monitor for IPv6 LAND-pattern packets as well.
  • The imland tool uses IP ID 0x1d1 and window size 512 in its crafted LAND packets — these static field values can be used as additional packet-level signatures.
  • ·Windows Firewall must be disabled for the vulnerability to be exploitable on Windows Server 2003 / XP SP2.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.