|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: BindView Security Advisory: jolt2 - Remote DoS against NT, W2K, 9x
From: BindView Security Advisory (tsabin
RAZOR.BINDVIEW.COM)Date: Fri May 19 2000 - 19:22:10 CDT
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-029)"
- Previous message: rain forest puppy: "RFP2K05: NetProwler vs. RFProwler"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
BindView Security Advisory
--------
Jolt2 - Remote Denial of Service attack against Windows 2000, NT4, and Win9x
Issue Date: May 19, 2000
Contact: <tsabinrazor.bindview.com>
Topic:
Fragmented IP packets cause denial of service
Overview:
Sending large numbers of identical fragmented IP packets to a
Windows 2000 or NT4 host may cause the target to lock-up for the
duration of the attack.
Affected Systems:
Windows 2000, Windows NT4, and Win9x.
Impact:
The CPU utilization on the target goes to 100% for the duration of the
attack. This causes both the UI and network interfaces to lock up.
During testing a target was observed to BSOD, but this was not
reproducible, and it's not clear that it was actually related to the
attack.
Details:
Send identical fragmented IP packets to the target at the rate of
approximately 150 packets per second. The contents of the packet do
not appear to matter greatly. Our testing was mostly done with ICMP
packets, however the problem is not specific to ICMP.
Workarounds:
Filter fragmnented IP packets at your routers, if possible.
Recommendations:
Apply Microsoft's hotfix.
Credits:
This vulnerability was discovered by Dmitri Netes of BindView's
HackerShield development team.
CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2000-0305 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
References:
Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
Microsoft's Hotfix:
Windows NT 4.0 Workstation, Server and Server, Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
Windows NT 4.0 Server, Terminal Server Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20830
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20827
Windows 95:
http://download.microsoft.com/download/win95/update/8070/w95/EN-US/259728USA5.EXE
Windows 98:
http://download.microsoft.com/download/win98/update/8070/w98/EN-US/259728USA8.EXE
Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=Q259728
(may take a couple days to appear)
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-029)"
- Previous message: rain forest puppy: "RFP2K05: NetProwler vs. RFProwler"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]