Re: ISS Security Advisory: Denial of Service Attack Against

From: David LeBlanc (dleblancat_private)
Date: Tue Aug 10 1999 - 08:54:04 PDT


One small clarification:

At 11:51 AM 8/9/99 -0400, X-Force wrote:

>The ISS X-Force has discovered a denial of service attack against
>Windows NT Server 4.0, Terminal Server Edition.  This vulnerability
>allows a remote attacker to quickly consume all available memory on a
>Windows NT Terminal Server, causing a significant disruption for users
>currently logged into the terminal server, and preventing any new terminal
>connections from being successfully completed.

This isn't precisely correct.  The problem is that the attack will consume
about 1MB of RAM per connection.  If you have a machine with 1GB, and it is
capped to allow 50 users to connect, a worst-case scenario is that the
machine will now be running with a mere 950 MB for the users that are
already on the box.  Under these conditions, the existing users probably
won't notice the attack.  New users will be hindered in their connection
(not prevented), as they are competing with the attacker for new slots -
they might get one before the attack app managed to get the timed out
connection - at least that's the way it worked when I tested this.  OTOH,
if you have a 50 user limit on a machine with 64MB of RAM, you'll
experience a pretty severe disruption, although I don't think I'd want to
be on that machine with more than a few legitimate users to begin with.  So
essentially, if you've got the user limit capped at a value where there is
> 1MB RAM available per user, then "all available memory" won't get
consumed, and existing users won't experience a significant disruption.  I
believe Dave Meltzer was doing his testing with a server that had a fairly
small amount of RAM.

I'd also note that unless someone is spoofing the TCP connections, the IP
of the attacker is going to show clearly in netstat -a.

That said, I'd upgrade any Terminal Server with the patch, and make sure
that my firewall rules excluded 3389, unless I wanted to explicitly allow
people to connect to terminal server from the internet.


David LeBlanc
dleblancat_private
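The two defender-side points in the message above, the "~1 MB per connection against the user cap" arithmetic and spotting the attacker in `netstat -a`, as an added example (not part of the original post or of the ISS advisory). The `netstat` output, hostnames and addresses below are constructed for the example; the per-host limit of one RDP session is an assumption about a normal desktop client.

```python
import re
from collections import Counter

# Constructed sample of `netstat -a` on a Windows NT 4.0 Terminal Server.
# Hostnames and addresses are made up; 10.9.9.9 plays the noisy peer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    tserv:3389             0.0.0.0:0              LISTENING
  TCP    tserv:3389             ws01:1037              ESTABLISHED
  TCP    tserv:3389             ws02:1041              ESTABLISHED
  TCP    tserv:3389             10.9.9.9:2001          ESTABLISHED
  TCP    tserv:3389             10.9.9.9:2002          ESTABLISHED
  TCP    tserv:3389             10.9.9.9:2003          ESTABLISHED
  TCP    tserv:3389             10.9.9.9:2004          ESTABLISHED
  TCP    tserv:139              ws01:1038              ESTABLISHED
  UDP    tserv:137              *:*
"""

# One TCP row: local host:port, foreign host:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def rdp_peers(netstat_text, local_port=3389):
    """Count TCP connections to local_port per foreign host, skipping the listener row."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lport, host, _fport, state = m.groups()
        if int(lport) != local_port or state == "LISTENING":
            continue
        counts[host] += 1
    return counts

def suspicious_peers(netstat_text, per_host_limit=1, local_port=3389):
    """Foreign hosts holding more than per_host_limit sessions to local_port (assumption: one per desktop)."""
    return {h: n for h, n in rdp_peers(netstat_text, local_port).items() if n > per_host_limit}

def worst_case_headroom_mb(ram_mb, user_cap, mb_per_connection=1):
    """RAM left if every slot of the user cap is held by the attack, at ~1 MB per connection (the message's figure)."""
    return ram_mb - user_cap * mb_per_connection

if __name__ == "__main__":
    print(suspicious_peers(SAMPLE_NETSTAT))          # {'10.9.9.9': 4}
    print(worst_case_headroom_mb(1000, 50))          # 950 (the 1 GB / 50-user case)
    print(worst_case_headroom_mb(64, 50))            # 14  (the 64 MB / 50-user case)
```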
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:49 PDT