Subject: Re: Windows DoS code (jolt2.c)
From: Steve (steveSECURESOLUTIONS.ORG)
Date: Fri May 26 2000 - 11:16:55 CDT


For proper details on this attack check out the advisory sent by
BindView RAZOR Security Team at http://razor.bindview.com or in the
Win2K Security Advice Archives.

Essentially, the Jolt2 DoS is done by sending identical fragmented IP
packets to the target at the rate of approximately 150 packets per
second. The contents of the packet do not appear to matter greatly.
When RAZOR Team discovered this problem, their tests were done with
ICMP packets only but they do suspect that the problem is not specific
to ICMP.

RAZOR suggests filtering fragmented IP packets at the router and of
course Microsoft has released a hotfix.

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/ms00-029.asp

I hope this helps. The original RAZOR Advisory was posted to the
mailing list.

Regards;

Steve Manzuik
Moderator
Win2K Security Advice

>
> I had the same result, in testing our internal 10meg lan took
> a beating while the code was running.
>
> This can do serious damage to NT Web Servers !
>
> Does this code only attack one port ? It appears to allow a port
> to be specified -
>
> What is the concept behind this exploit ?
>
> Craig
>

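Added example, not part of the original message or the RAZOR advisory: a detector for the traffic pattern described above, which flags identical IPv4 fragments repeated at a high rate toward one host. The 100-per-second threshold, the function names and the sample addresses are assumptions, and the packet headers are constructed for the demonstration.

```python
import socket
import struct
from collections import defaultdict, deque

RATE_THRESHOLD = 100   # assumed alert level, below the ~150/s described above
WINDOW = 1.0           # sliding window in seconds

def parse_fragment(header: bytes):
    """Return an identity key for a fragmented IPv4 packet, else None."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return None
    ident, flags_off, _ttl, proto = struct.unpack("!HHBB", header[4:10])
    offset = flags_off & 0x1FFF                 # fragment offset, 8-byte units
    if not (flags_off & 0x2000) and offset == 0:
        return None                             # MF clear, offset 0: not a fragment
    return (socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20]),
            proto, ident, offset)

def detect_repeated_fragments(records, threshold=RATE_THRESHOLD, window=WINDOW):
    """records: (timestamp, IPv4 header bytes) pairs in time order.
    Returns {key: peak count inside one window} for keys reaching threshold."""
    recent, alerts = defaultdict(deque), {}
    for ts, header in records:
        key = parse_fragment(header)
        if key is None:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:              # drop sightings older than window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

def sample_header(src, dst, ident, offset, mf, proto=1):
    """Constructed 20-byte IPv4 header for the demo (checksum left at zero)."""
    flags_off = (0x2000 if mf else 0) | offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, flags_off, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def demo():
    repeated = sample_header("192.0.2.10", "198.51.100.5", 0x1234, 100, False)
    normal_frag = sample_header("192.0.2.20", "198.51.100.5", 0x0001, 0, True)
    plain = sample_header("192.0.2.30", "198.51.100.5", 0x0002, 0, False)
    records = [(i / 150.0, repeated) for i in range(300)]   # 150/s for 2 seconds
    records += [(0.5, normal_frag), (0.6, plain)]
    return detect_repeated_fragments(sorted(records, key=lambda r: r[0]))
```

Legitimate fragments of one datagram differ in offset, so each key is normally seen once; a key that repeats many times per second matches the pattern the message describes.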