DoS attack in MS - Proxy 2.0

From: Mnemonix (mnemonixat_private)
Date: Fri Oct 09 1998 - 07:48:07 PDT


    Dear All,
    
    
    MS-Proxy 2.0 server is susceptible to a massive Denial of Service attack.
    The reason this works seems to be a bug whereby in some instances if a
    client connection to the proxy server is aborted the connection the proxy
    server has made to the remote server is not RESET. This seems to happen in
    ftp requests. Consequently, an attacker can make an HTTP GET ftp:// request
    to the Web Proxy Service to the Chargen service (TCP port 19) on a remote
    host ("GET ftp://some.server.com:19/ HTTP/1.0\n\n") and abort the
    connection they have made to the Proxy before a response is received from
    the proxy server. Proxy will keep the connection it has made to the remote
    server open and continues to receive data ad infinitum. This eventually
    leads to the inetinfo.exe process running at 100% and a continuous rise in
    memory usage. After 25 minutes memory usage had risen from 5000k to 37000k.
    This was tested on NT Server 4 (SP 3 + Hotfixes), IIS 3.0 and MS Proxy 2.0
    with a 33.6 kps connection to the 'Net.
    
    It must also be noted that this may not even be an attack - if a user
    decides through his web browser to download a 40Mb file that is linked to
    from an A HREF="ftp://some.server.com/bigfile.exe" and then clicks STOP on
    his/her browser before Proxy has responded, this will have the same effect.
    
    Whilst in this state, the Web Proxy Service will not stop from Internet
    Service Manager. You have to use the NT Resource Kit's kill.exe and kill it
    off.
    
    To enable "damage-limitation":
        a) Make sure that only trusted and valid users can use MS-Proxy's
           services.
        b) Limit outbound traffic to services you need for employees to do their
           job, i.e. don't just allow all outbound traffic through the packet
           filter.
        c) Deny any IP address on your internal network in the Domain Filters Tab,
           just in case an internal user bounces this back into the inside.
    
    I'd suggest though, that MS produce a fix that makes sure that if the client
    connection is aborted, so too is the proxy-to-remote-server connection,
    because the above instructions may not be viable for some customers.
    
    Cheers and l8r
    Mnemonix
    http://www.diligence.co.uk
    http://www.infowar.co.uk/mnemonix
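As an added illustration (not code from the post, from Microsoft, or from MS Proxy itself), a loopback simulation of the reported behaviour beside the fix the post asks for: a toy relay that either leaves the proxy-to-remote connection open after the client aborts, or tears it down together with the client connection. The chargen stand-in, the Relay class, the simulate/run helpers and all port numbers are constructed for this example.

```python
import asyncio
# Constructed stand-in for the chargen service (TCP 19): streams text until the peer resets it.
CHARGEN_LINE = b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefg\r\n"
async def chargen(reader, writer):
    try:
        while not writer.is_closing():
            writer.write(CHARGEN_LINE)
            await writer.drain()
            await asyncio.sleep(0)
    except OSError: pass     # the peer reset us: the proxy finally dropped its side
# Toy single-connection proxy (hypothetical, not MS Proxy code). With propagate_abort=False the
# proxy-to-remote connection outlives the aborted client connection, as the post reports.
class Relay:
    def __init__(self, upstream_port, propagate_abort):
        self.upstream_port, self.propagate_abort = upstream_port, propagate_abort
        self.upstream_open = False   # do we still hold the proxy-to-remote connection?
        self.orphaned_bytes = 0      # bytes pulled from the remote after the client left
    async def handle(self, client_reader, client_writer):
        up_reader, self.up_writer = await asyncio.open_connection("127.0.0.1", self.upstream_port)
        self.upstream_open = True
        self.pump = asyncio.create_task(self._pump(up_reader, client_writer))
        try:
            await client_reader.read()   # returns at EOF: the client aborted / clicked STOP
        except OSError: pass             # or the client reset us mid-transfer
        client_writer.close()
        if self.propagate_abort:         # the fix the post asks for: abort the remote side too
            self.pump.cancel(); self.up_writer.close()
            self.upstream_open = False
        # otherwise the pump keeps draining chargen into memory for a client that is gone
    async def _pump(self, up_reader, client_writer):
        while chunk := await up_reader.read(4096):
            if client_writer.is_closing():
                self.orphaned_bytes += len(chunk)
            else:
                client_writer.write(chunk)
async def simulate(propagate_abort, run_for=0.2):
    chargen_srv = await asyncio.start_server(chargen, "127.0.0.1", 0)
    relay = Relay(chargen_srv.sockets[0].getsockname()[1], propagate_abort)
    relay_srv = await asyncio.start_server(relay.handle, "127.0.0.1", 0)
    _, w = await asyncio.open_connection("127.0.0.1", relay_srv.sockets[0].getsockname()[1])
    w.write(b"GET ftp://some.server.com:19/ HTTP/1.0\r\n\r\n"); await w.drain()
    w.close()                            # abort before any response has arrived
    await asyncio.sleep(run_for)
    result = (relay.upstream_open, relay.orphaned_bytes)
    relay.pump.cancel(); relay.up_writer.close()      # harness cleanup only
    relay_srv.close(); chargen_srv.close()
    await asyncio.sleep(0.05)
    return result
def run(propagate_abort):
    return asyncio.run(simulate(propagate_abort))
```

run(False) returns (True, n) with n > 0: the remote connection is still open and data keeps piling up for nobody, which is the resource growth the post measured; run(True) returns (False, 0).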
    