-----Original Message-----
From: Jason Garms
Sent: Wednesday, March 04, 1998 12:53 AM
To: 'ntbugtraqat_private'
Subject: Update on wide-spread NewTear Denial of Service attacks

First, many thanks to the many organizations that assisted today in gathering information on the rash of denial of service attacks that have hit a number of sites on the Internet in the last 24-48 hours. Three important organizations for overall coordination have been CIAC, CERT and NTBUGTRAQ. That's in addition to the numerous customers who provided assistance. Thank you.

We've gotten network traces for in-process attacks, as well as NT crash dumps from machines that were attacked. These files came from a number of different customers who were affected by these denial of service attacks over the last 24 to 48 hours. We've carefully reviewed the network traces, and analyzed the crash dumps, and I'd like to share what we found.

The network sniffs all indicated a two-packet sequence using UDP fragmentation to exploit a known vulnerability in unpatched Windows 95 and Windows NT TCP/IP stacks. The traces all indicate the now infamous "DNS" packet, which has little significance as an actual DNS packet except that it uses the DNS port address. It's really the setup packet for the fragmentation attack. The second packet, which is a malformed UDP packet by many regards, completes the attack and places the unpatched TCP/IP stack in an unstable state. The DNS port may have been chosen because many sites do not filter it on their firewalls or routers. However, this is not a DNS issue in any way, since the corruption is caused in the TCP/IP stack by the UDP assembly.

We replayed these packets against unpatched Windows NT and Windows 95 machines and got the same results as have been reported on in various forums, mostly blue screens. However, there have been reports of machines that would simply reboot without first blue screening. We were able to duplicate that scenario on Windows NT 4.0 systems running only SP1. Other unpatched systems would blue screen. However, these replayed attacks had no effect on fully patched Windows NT 4.0 SP3 systems (all hotfixes). The primary fix that is important here is the "NewTear/Bonk/Boink" update that was released in January.

We also reviewed the crash dumps from a number of different sources. None of these affected machines had the NewTear/Bonk/Boink patch installed. Analysis of the dump indicated that the cause of failure in all cases was symptomatic of the corruption caused by fragmented UDP packets, which was addressed by the NewTear/Bonk/Boink update. Most sites we were in contact with that were the subject of repeated attacks were no longer affected after installing the update. We have had no reports of fully patched systems being affected by this rash of attacks.

We have posted some information on http://www.microsoft.com/security on this rash of attacks. From everything we've been able to determine, applying this update is critical to preventing this problem. The information on this issue at http://www.microsoft.com/security has links to the NewTear/Bonk/Boink hotfix. This hotfix is available for Windows NT 4.0 SP3, Windows NT 3.51 SP5, Windows 95 Winsock 1.x and Windows 95 Winsock 2.x systems. (Note that the version for Windows 95 depends on the Winsock version. Last week we released a complete refresh of the Windows 95 Winsock 2 stack, which includes the NewTear fix. This information is referenced from the NewTear information on http://www.microsoft.com/security.)

Thanks,
-JasonG

Jason Garms
Product Manager
Windows NT Security
Microsoft Corporation
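The message describes the attack only as a two-packet sequence of fragmented UDP, with the first fragment addressed to the DNS port. The following checker is an added example (not part of the original post, and not Microsoft's analysis tooling): it groups IPv4 fragments by IP ID and flags the two inconsistencies that a reassembly code path has to survive, a fragment that starts inside data already covered and a final fragment whose end does not match the UDP length announced in the first fragment. The sample fragments are constructed inline with a zeroed IP checksum and placeholder addresses.

```python
import struct
from collections import defaultdict

UDP = 17

def parse_ipv4(pkt):
    """Return the IPv4 fields a fragment check needs; honours IHL for options."""
    ver_ihl, _tos, total_len, ident, ff, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    off = (ff & 0x1FFF) * 8                 # fragment offset is in 8-byte units
    plen = total_len - ihl
    return {"id": ident, "proto": proto, "mf": bool(ff & 0x2000),
            "off": off, "end": off + plen, "l4": pkt[ihl:ihl + 8]}

def check_fragments(packets):
    """Group UDP fragments by IP ID and report (id, kind, seen, expected) tuples:
    'overlap' when a fragment starts below the bytes already covered, and
    'length-mismatch' when the last fragment's end differs from the UDP length
    field carried in the first fragment."""
    groups = defaultdict(list)
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["proto"] == UDP and (h["mf"] or h["off"]):
            groups[h["id"]].append(h)
    alerts = []
    for ident, frags in groups.items():
        frags.sort(key=lambda f: f["off"])
        covered, udp_len = 0, None
        for f in frags:
            if f["off"] == 0:                   # UDP header lives in the first fragment
                udp_len = struct.unpack("!HHHH", f["l4"])[2]
            if f["off"] < covered:
                alerts.append((ident, "overlap", f["off"], covered))
            covered = max(covered, f["end"])
            if not f["mf"] and udp_len is not None and f["end"] != udp_len:
                alerts.append((ident, "length-mismatch", f["end"], udp_len))
    return alerts

def build_fragment(ident, mf, off_units, payload):
    """Constructed test fragment: 20-byte IPv4 header (checksum left 0) + payload."""
    ff = (0x2000 if mf else 0) | off_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ff,
                      64, UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: one 32-byte UDP datagram to port 53 split in two, once
# consistently (second piece at offset 24) and once starting inside the first (16).
FIRST = build_fragment(0x1234, True, 0, struct.pack("!HHHH", 40000, 53, 32, 0) + b"A" * 16)
GOOD = [FIRST, build_fragment(0x1234, False, 3, b"B" * 8)]
BAD = [FIRST, build_fragment(0x1234, False, 2, b"B" * 8)]

if __name__ == "__main__":
    print(check_fragments(GOOD))   # []
    print(check_fragments(BAD))    # overlap and length-mismatch for ID 0x1234
```

Run over fragments pulled from a capture, any alert for a UDP datagram addressed to a port the firewall passes is worth correlating with crash times on the affected hosts.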
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:54 PDT