Dear All,

MS-Proxy 2.0 server is susceptible to a massive Denial of Service attack. The reason this works seems to be a bug whereby, in some instances, if a client connection to the proxy server is aborted, the connection the proxy server has made to the remote server is not RESET. This seems to happen with ftp requests. Consequently, an attacker can make an HTTP GET ftp:// request to the Web Proxy Service for the Chargen service (TCP port 19) on a remote host ("GET ftp://some.server.com:19/ HTTP/1.0\n\n") and abort the connection they have made to the Proxy before a response is received from the proxy server. Proxy will keep the connection it has made to the remote server open and continue to receive data ad infinitum. This eventually leads to the inetinfo.exe process running at 100% and a continuous rise in memory usage. After 25 minutes memory usage had risen from 5000k to 37000k.

This was tested on NT Server 4 (SP 3 + Hotfixes), IIS 3.0 and MS Proxy 2.0 with a 33.6 kbps connection to the 'Net.

It must also be noted that this may not even be an attack - if a user decides through his web browser to download a 40Mb file that is linked to from an <A HREF="ftp://some.server.com/bigfile.exe"> and then clicks STOP on his/her browser before Proxy has responded, this will have the same effect.

Whilst in this state, the Web Proxy Service will not stop from Internet Service Manager. You have to use the NT Resource Kit's kill.exe and kill it off.

To enable "damage-limitation":

a) Make sure that only trusted and valid users can use MS-Proxy's services.

b) Limit outbound traffic to services you need for employees to do their job, i.e. don't just allow all outbound traffic through the packet filter.

c) Deny any IP address on your internal network in the Domain Filters tab, just in case an internal user bounces this back into the inside.
I'd suggest, though, that MS produce a fix that makes sure that if the client connection is aborted, so too is the proxy-to-remote-server connection, because the above instructions may not be viable for some customers.

Cheers and l8r
Mnemonix
http://www.diligence.co.uk
http://www.infowar.co.uk/mnemonix
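The connection-handling bug the post describes, and the fix it asks for, as an added example that is not part of the original post and is not MS Proxy code: a toy asyncio relay for "GET ftp://host:port/" requests, run against a constructed local stand-in for the Chargen service on an ephemeral port rather than TCP 19. With cancel_on_abort=False the relay keeps reading from the remote server after the client hangs up, so the server-side connection is never closed and the byte count keeps growing; with cancel_on_abort=True it drops the server side as soon as the client is gone. The class names, the 0.3 s settle time and the 127.0.0.1 ports are assumptions of this demo.

```python
import asyncio
from urllib.parse import urlsplit

# Constructed stand-in for the Chargen service (TCP 19): one line of the classic
# pattern, repeated for as long as the peer keeps the connection open.
CHARGEN_LINE = (b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"[\\]^_`abcdefghijklmnopq\r\n")


class Chargen:
    """Local chargen look-alike; records whether the proxy ever hung up on it."""

    def __init__(self):
        self.peer_closed = False

    async def handle(self, reader, writer):
        try:
            while not reader.at_eof():       # True once the proxy closes its side
                writer.write(CHARGEN_LINE)
                await writer.drain()
                await asyncio.sleep(0)       # yield so the proxy gets to run
        except OSError:
            pass                             # proxy reset us: also a close
        finally:
            self.peer_closed = True
            writer.close()


class Proxy:
    """Toy 'GET ftp://host:port/' relay (assumption: not MS Proxy's logic).
    cancel_on_abort=False reproduces the behaviour the post describes;
    True is the fix the post asks for."""

    def __init__(self, cancel_on_abort):
        self.cancel_on_abort = cancel_on_abort
        self.bytes_after_abort = 0   # server bytes read after the client went away

    async def handle(self, client_r, client_w):
        parts = (await client_r.readline()).split()
        if len(parts) < 2:
            client_w.close()
            return
        url = urlsplit(parts[1].decode())   # "GET ftp://host:19/ HTTP/1.0"
        up_r, up_w = await asyncio.open_connection(url.hostname, url.port or 21)
        client_gone = asyncio.Event()

        async def watch_client():
            try:
                while await client_r.read(4096):
                    pass                     # b"" means the client hung up
            except OSError:
                pass
            client_gone.set()

        watcher = asyncio.create_task(watch_client())
        try:
            while chunk := await up_r.read(4096):
                if client_gone.is_set():
                    self.bytes_after_abort += len(chunk)
                    if self.cancel_on_abort:
                        break                # fix: tear down the server side too
                    continue                 # bug: keep draining, nobody listening
                client_w.write(chunk)
                try:
                    await client_w.drain()
                except OSError:
                    client_gone.set()
        finally:
            watcher.cancel()
            up_w.close()
            client_w.close()


async def _demo(cancel_on_abort, settle):
    chargen, proxy = Chargen(), Proxy(cancel_on_abort)
    cg_srv = await asyncio.start_server(chargen.handle, "127.0.0.1", 0)
    px_srv = await asyncio.start_server(proxy.handle, "127.0.0.1", 0)
    cg_port = cg_srv.sockets[0].getsockname()[1]
    px_port = px_srv.sockets[0].getsockname()[1]

    # The client from the post: ask the proxy for ftp://host:<chargen port>/
    # and hang up before any response arrives.
    _, w = await asyncio.open_connection("127.0.0.1", px_port)
    w.write(f"GET ftp://127.0.0.1:{cg_port}/ HTTP/1.0\n\n".encode())
    await w.drain()
    w.close()

    await asyncio.sleep(settle)              # let the proxy notice the abort
    result = {"upstream_closed": chargen.peer_closed,
              "bytes_after_abort": proxy.bytes_after_abort}
    px_srv.close()
    cg_srv.close()
    return result                            # asyncio.run() cancels leftover tasks


def run(cancel_on_abort, settle=0.3):
    """Run one scenario: was the server-side connection closed, and how much
    chargen output did the proxy keep consuming after the client aborted?"""
    return asyncio.run(_demo(cancel_on_abort, settle))


if __name__ == "__main__":
    print("leaky proxy:", run(False))   # upstream stays open, bytes keep growing
    print("fixed proxy:", run(True))    # upstream closed after at most one chunk
```

The leaky variant is the shape of the original report in miniature: the only thing keeping the server-side socket alive is the proxy's own read loop, so a client that never reads is enough to pin one connection and a CPU core per request. The fixed variant shows that the remedy is small: tie the lifetime of the outbound connection to the inbound one rather than to the completion of the transfer.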
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:08 PDT