DOCUMENT:Q154460

TITLE   :Denial of Service Attack Against WinNT Simple TCP/IP Services

PRODUCT :Microsoft Windows NT

PROD/VER:4.0

OPER/SYS:WINDOWS

KEYWORD :kbbug4.00 kbfile kbfix4.00 kbnetwork NTSrvWkst nttcp



--------------------------------------------------------------------------

The information in this article applies to:



 - Microsoft Windows NT Workstation version 4.0

 - Microsoft Windows NT Server version 4.0

--------------------------------------------------------------------------



SYMPTOMS

========



As your computer is being attacked there may be a jump in bandwidth

utilization on a subnet containing Windows NT computers and performance may

suffer. A network analyzer shows a large amount of UDP traffic, typically

from port 19 (chargen).



CAUSE

=====



A malicious attack may be mounted against Windows NT computers with the

Simple TCP/IP Services installed. The attack consists of a flood of UDP

datagrams sent to the subnet broadcast address with the destination port

set to 19 and a spoofed source IP address. The Windows NT computers running

Simple TCP/IP services respond to each broadcast, creating a flood of UDP

datagrams.



RESOLUTION

==========



Windows NT TCP/IP, Windows Sockets, and Simple TCP/IP services have been

modified to be more attack resistant. Windows Sockets now supports a new

socket option, SO_BROADCAST, that can be set to allow the recvfrom() call

to pass broadcast datagrams to the application. The default for this option

is OFF. Previous implementations passed broadcasts datagrams to any Windows

Sockets application that issued a recvfrom() call. Additionally, the

chargen service and other Simple TCP/IP services have been modified to drop

any datagrams that have the source port equal to the destination port to

prevent "looping" attacks.



To resolve this problem, obtain the hotfix below, or wait for the next

service pack.



This hotfix has been posted to the following Internet location:



   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/

   hotfixes-postSP3/simptcp-fix



STATUS

======



Microsoft has confirmed this to be a problem in Windows NT version 4.0.

A supported fix is now available, but has not been fully regression-tested

and should be applied only to systems experiencing this specific problem.

Unless you are severely impacted by this specific problem, Microsoft

recommends that you wait for the next Service Pack that contains this fix.

Contact Microsoft Technical Support for more information.



Additional query words: 4.00 prodnt chargen attack



============================================================================



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS

PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS

ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO

EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR

ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,

CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF

MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION

OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES

SO THE FOREGOING LIMITATION MAY NOT APPLY.

