Subject Denial of service attacks & MS TCP/IP stack Date 05-Mar-98
3c083e5f0d0fbd1588a0e53a0a8044e730c409475387abd0f3dea714e0f4ab2f
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Gert Meijerink Index : S-98-08
Distribution : World Page : 1
Classification: External Version: 1
Subject : Denial of service attacks & MS TCP/IP stack Date : 05-Mar-98
===============================================================================
By courtesy of CERT/CC we received information about denial of service attacks
targeting a vulnerability in the Microsoft TCP/IP stack.
CERT-NL recommends application of the provided patches.
==============================================================================
- - ---------------------------------------------------------------------------
CERT* Summary CS-98.02 - SPECIAL EDITION March 4, 1998
This special edition of the CERT Summary reports denial of service attacks
targeting a vulnerability in the Microsoft TCP/IP stack.
Past CERT Summaries are available from
ftp://ftp.cert.org/pub/cert_summaries/
- - ---------------------------------------------------------------------------
Denial of service attacks targeting Windows 95/NT machines
- - ----------------------------------------------------------
This special edition of the CERT Summary reports denial of service attacks
targeting a vulnerability in the Microsoft TCP/IP stack. We have received
reports from a number of sites and incident response teams indicating that a
large number of machines were affected.
The attacks involve sending a pair of malformed IP fragments which are
reassembled into an invalid UDP datagram. The invalid UDP datagram causes the
target machine to go into an unstable state. Once in an unstable state, the
target machine either halts or crashes. We have received reports that some
machines crashed with a blue screen while others rebooted.
Attack tools known by such names as NewTear, Bonk, and Boink have been
previously used to exploit this vulnerability against individual hosts;
however, in this instance, the attacker used a modified tool to automatically
attack a large number of hosts.
The solution to protect Windows 95 and NT machines from this attack is to
apply the appropriate Microsoft patch. The Microsoft patch, as well as more
information about the vulnerability, can be found in the January 1998
Microsoft Market Bulletin entitled, "New Teardrop-like TCP/IP Denial of
Service Program" available from:
http://www.microsoft.com/security/newtear2.htm
Although the first instance of this attack, which started March 2, 1998
appears to be over, keep in mind that the tools to launch this attack are now
available and we expect to see more incidents of this type.
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IezSYjBqwfc9jEQJZSgCgkeOipEFFjpk8FbbPzqC23PRUa5UAoOwH
GWrrIy9SICIRvxWdFvqZIUQZ
=6l49
-----END PGP SIGNATURE-----