One small clarification:

At 11:51 AM 8/9/99 -0400, X-Force wrote:

>The ISS X-Force has discovered a denial of service attack against
>Windows NT Server 4.0, Terminal Server Edition. This vulnerability
>allows a remote attacker to quickly consume all available memory on a
>Windows NT Terminal Server, causing a significant disruption for users
>currently logged into the terminal server, and preventing any new terminal
>connections from being successfully completed.

This isn't precisely correct. The problem is that the attack will consume about 1MB of RAM per connection. If you have a machine with 1GB, and it is capped to allow 50 users to connect, a worst-case scenario is that the machine will now be running with a mere 950 MB for the users that are already on the box. Under these conditions, the existing users probably won't notice the attack. New users will be hindered in their connection (not prevented), as they are competing with the attacker for new slots - they might get one before the attack app managed to get the timed out connection - at least that's the way it worked when I tested this.

OTOH, if you have a 50 user limit on a machine with 64MB of RAM, you'll experience a pretty severe disruption, although I don't think I'd want to be on that machine with more than a few legitimate users to begin with.

So essentially, if you've got the user limit capped at a value where there is > 1MB RAM available per user, then "all available memory" won't get consumed, and existing users won't experience a significant disruption. I believe Dave Meltzer was doing his testing with a server that had a fairly small amount of RAM.

I'd also note that unless someone is spoofing the TCP connections, the IP of the attacker is going to show clearly in netstat -a.

That said, I'd upgrade any Terminal Server with the patch, and make sure that my firewall rules excluded 3389, unless I wanted to explicitly allow people to connect to terminal server from the internet.
David LeBlanc dleblancat_private
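
The netstat check mentioned above, as an added example that is not part of the original post: it counts connections to TCP 3389 per remote address and applies the post's estimate of about 1MB per connection. The numeric `netstat -an` form, the sample output (constructed), the function names and the per-peer threshold are assumptions.

```python
from collections import Counter

RDP_PORT = 3389         # Terminal Server port named in the post
MB_PER_CONNECTION = 1   # the post's estimate: about 1MB of RAM per connection

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           192.0.2.10:1150        ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.10:1201        ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.11:1307        ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2001      ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2002      ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2003      ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2004      TIME_WAIT
  UDP    0.0.0.0:135            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; None if the port is not numeric."""
    addr, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return addr, int(port)

def terminal_sessions_by_peer(netstat_text, port=RDP_PORT):
    """Count non-listening TCP connections to the local port, per remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # headers, blank lines, UDP rows (no state column)
        local, remote = split_endpoint(fields[1]), split_endpoint(fields[2])
        if local is None or remote is None:
            continue
        if local[1] == port and fields[3].upper() != "LISTENING":
            counts[remote[0]] += 1
    return counts

def report(netstat_text, per_peer_threshold=3):
    """Summarise connection count, estimated RAM held, and heavy peers."""
    counts = terminal_sessions_by_peer(netstat_text)
    total = sum(counts.values())
    suspects = {ip: n for ip, n in counts.items() if n >= per_peer_threshold}
    return {"total_connections": total,
            "estimated_mb_held": total * MB_PER_CONNECTION,
            "suspect_peers": suspects}

if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

As the post notes, the per-peer count only identifies the source when the TCP connections are not spoofed.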