List: ntbugtraq
Subject: Update on wide-spread NewTear Denial of Service attacks
From: Jason Garms <jasong () MICROSOFT ! COM>
Date: 1998-03-04 8:53:28
First, many thanks to the many organizations that assisted today in
gathering information on the rash of denial of service attacks that have hit
a number of sites on the Internet in the last 24-48 hours. Three important
organizations for overall coordination have been CIAC, CERT and NTBUGTRAQ.
That's in addition to the numerous customers who provided assistance. Thank
you.
We've gotten network traces for in-process attacks, as well as NT crash
dumps from machines that were attacked. These files came from a number of
different customers who were affected by these denial of service attacks
over the last 24 to 48 hours. We've carefully reviewed the network traces,
and analyzed the crash dumps, and I'd like to share what we found.
The network sniffs all indicated a two-packet sequence using UDP
fragmentation to exploit a known vulnerability in unpatched Windows 95 and
Windows NT TCP/IP stacks. The traces all indicate the now infamous "DNS"
packet, which has little significance as an actual DNS packet except that it
uses the DNS port address. It's really the setup packet for the
fragmentation attack. The second packet, which is a malformed UDP packet by
many regards, completes the attack and places the unpatched TCP/IP stack in
an unstable state. The DNS port may have been chosen because many sites do
not filter it on their firewalls or routers. However, this is not a DNS
issue in any way, since the corruption is caused in the TCP/IP stack by the
UDP assembly.
We replayed these packets against unpatched Windows NT and Windows 95
machines and got the same results as have been reported on in various
forums, mostly blue screens. However, there have been reports of machines
that would simply reboot without first blue screening. We were able to
duplicate that scenario on Windows NT 4.0 systems running only SP1. Other
unpatched systems would blue screen. However, these replayed attacks had no
effect on fully patched Windows NT 4.0 SP3 systems (all hotfixes). The
primary fix that is important here is the "NewTear/Bonk/Boink" update that
was released in January.
We also reviewed the crash dumps from a number of different sources. None of
these affected machines had the NewTear/Bonk/Boink patch installed. Analysis
of the dump indicated that the cause of failure in all cases was symptomatic
of the corruption caused by fragmented UDP packets, which was addressed by
the NewTear/Bonk/Boink update. Most sites we were in contact with that were
the subject of repeated attacks were no longer affected after installing the
update.
We have had no reports of fully patched systems being affected by this rash
of attacks.
We have posted some information on http://www.microsoft.com/security on
this rash of attacks. From everything we've been able to determine,
applying this update is critical to preventing this problem. The
information on this issue at http://www.microsoft.com/security has links
to the NewTear/Bonk/Boink hotfix.
This hotfix is available for Windows NT 4.0 SP3, Windows NT 3.51 SP5,
Windows 95 Winsock 1.x and Windows 95 Winsock 2.x systems. (Note that the
version for Windows 95 depends on the Winsock version. Last week we released
a complete refresh of the Windows 95 Winsock 2 stack, which includes the
NewTear fix. This information is referenced from the NewTear information on
http://www.microsoft.com/security)
Thanks,
-JasonG
Jason Garms
Product Manager
Windows NT Security
Microsoft Corporation
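The post describes the attack only as a two-fragment UDP sequence that corrupts the unpatched stack during reassembly. As an added example (not part of the original message or of any Microsoft code), here is the kind of fragment sanity check a network monitor can run over captured IPv4 packets: it flags fragments that overlap data already received for the same datagram, or that extend past the UDP length declared in the first fragment. The packet builder and the sample fragments are constructed for this example, and treating those two inconsistencies as the "malformed" condition is an assumption, not a detail taken from the traces the post refers to.

```python
import struct
from collections import defaultdict

IP_MF = 0x2000            # "more fragments" flag bit in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF

def parse_ipv4(pkt):
    """Pull out the IPv4 header fields a fragment sanity check needs."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": pkt[12:16], "dst": pkt[16:20],
            "more": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFSET_MASK) * 8,   # offset field counts 8-byte units
            "payload": pkt[ihl:total_len]}

def check_fragments(packets):
    """Return (datagram_key, reason) findings for fragments that overlap data already seen
    or that run past the UDP length declared in the datagram's first fragment."""
    findings, seen, declared = [], defaultdict(list), {}
    for raw in packets:
        f = parse_ipv4(raw)
        if not f["more"] and f["offset"] == 0:
            continue                                  # whole datagram, not a fragment
        key = (f["src"], f["dst"], f["id"], f["proto"])
        start, end = f["offset"], f["offset"] + len(f["payload"])
        if start == 0 and f["proto"] == 17 and len(f["payload"]) >= 8:
            declared[key] = struct.unpack("!H", f["payload"][4:6])[0]   # UDP length field
        for s, e in seen[key]:
            if start < e and s < end:
                findings.append((key, f"fragment {start}-{end} overlaps {s}-{e}"))
                break
        if key in declared and end > declared[key]:
            findings.append((key, f"fragment ends at {end}, past declared UDP length {declared[key]}"))
        seen[key].append((start, end))
    return findings

def build_fragment(ident, offset, more, payload, proto=17):
    """Constructed IPv4 fragment header for the sample data below (checksum left zero)."""
    flags_off = (IP_MF if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed sample traffic (not from the traces the post describes). UDP header: ports 53/53,
# length 32 (8 header + 24 data), checksum 0; the first fragment carries the header plus 16 bytes.
FIRST = struct.pack("!HHHH", 53, 53, 32, 0) + b"A" * 16
BENIGN = [build_fragment(1, 0, True, FIRST), build_fragment(1, 24, False, b"B" * 8)]
MALFORMED = [build_fragment(2, 0, True, FIRST),
             build_fragment(2, 16, False, b"B" * 40)]  # overlaps bytes 16-24 and runs to 56
```

A real reassembler would also enforce a per-datagram timeout and a cap on the number of fragments held, so that the check itself cannot be turned into a memory sink.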