From xforce@iss.net Wed Aug 11 04:20:03 1999
From: X-Force <xforce@iss.net>
Resent-From: mea culpa <jericho@dimensional.com>
To: alert@iss.net
Resent-To: jericho@attrition.org
Cc: X-Force <xforce@iss.net>
Date: Mon, 9 Aug 1999 11:31:33 -0400 (EDT)
Subject: ISSalert: ISS Security Advisory: Denial of Service Attack Against Windows NT Terminal Server


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----


ISS Security Advisory
August 9, 1999

Denial of Service Attack Against Windows NT Terminal Server

Synopsis:

The ISS X-Force has discovered a denial of service attack against
Windows NT Server 4.0, Terminal Server Edition.  This vulnerability
allows a remote attacker to quickly consume all available memory on a
Windows NT Terminal Server, causing a significant disruption for users
currently logged into the terminal server, and preventing any new terminal
connections from being successfully completed.

Recommended Action:
Network administrators can protect internal systems from external attack
by creating a packet filter of the form:
    - Prevent all incoming packets destined for TCP port 3389

If you have a legitimate need for terminal server connections to be made
from outside your network, you should limit access to TCP port 3389 to
only the external IP addresses or networks that have a legitimate reason
to connect.

The fix for this problem is available at
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes
- - -postSP4/Flood-fix/

The Microsoft bulletin describing this issue is available at
http://www.microsoft.com/security/bulletins/ms99-028.asp.

Description:
Windows NT Server 4.0 Terminal Server Edition listens for terminal
connections on TCP port 3389.  Once a TCP connection is made to this port,
the terminal server will utilize resources in order to handle the new
client connection and authenticate the connection.  The manner this is
done, however, requires significant server resources before any
authentication takes place and without any throttling of resource
utilization.

Specifically, a remote attacker can quickly cause a server to reach full
memory utilization by creating a large number of normal TCP connections
to port 3389.  Individual connections will timeout, but a low bandwidth
continuous attack will maintain a terminal server at maximum memory
utilization and prevent new connections from a legitimate source
from taking place.  Legitimate new connections will fail at this point
with an error of either a connection timeout, or the terminal server has
ended the connection.

In testing, a long running attack of this type has been able to
sporadically crash the terminal server executable and permanently maintain
the machine at full memory usage without allowing any new terminal server
connections until the machine was rebooted.

Additional Information:

This vulnerability was primarily researched by David J. Meltzer of the ISS 
X-Force.

________

About ISS:

ISS leads the market as the source for e-business risk management solutions,
serving as a trusted security provider to thousands of organizations
including 21 of the 25 largest U.S. commercial banks and more than 35
government agencies. With its Adaptive Security Management approach, ISS
empowers organizations to measure and manage enterprise security risks
within Intranet, extranet and electronic commerce environments. Its
award-winning SAFEsuite(r) product line of intrusion detection,
vulnerability management and decision support solutions are vital for
protection in today's world of global connectivity, enabling organizations
to proactively monitor, detect and respond to security risks. Founded in
1994, ISS is headquartered in Atlanta, GA with additional offices
throughout the U.S. and international operations in Australia/New Zealand,
Belgium, France, Germany, Japan, Latin America and the UK. For more
information, visit the ISS Web site at www.iss.net or call 800-776-2362.
Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is
hereby granted for the redistribution of this Alert electronically.  It is
not to be edited in any way without express consent of the X-Force.  If
you wish to reprint the whole or any part of this Alert in any other
medium excluding electronic medium, please e-mail xforce@iss.net
forpermission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN67ziDRfJiV99eG9AQFDggP+N4t+n/UhAxGiBRJDGxjFeJSgfbjbDMd7
m6BVFhe4RSDsmLbKoHnK+8J9bM5RoiWMiY6pMe2YUcfQfRySwz3nfmnzpxXjoUmv
Tv7aWiSvqcc6OVHS7/7tKMzxL49g/6PFPUVqRDhkKrrWbdhTW9uKejn77OfY9l2r
8ckrqQ4k3l4=
=4Kwx
-----END PGP SIGNATURE-----