Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Preventing Distributed Denial-of-Service Attacks that Use the Universal Plug-and-Play Service
Article ID: 315056 - View products that this article applies to.
This article was previously published under Q315056
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/256986/EN-US/ )Description of the Microsoft Windows Registry
The patch that is provided in Microsoft Security Bulletin MS01-059 introduces new functionality to limit the ability of a Universal Plug and Play-capable computer to be used in distributed denial-of-service attacks. The purpose of this article is to list the new functions and describe how to use them most effectively.
NOTE: The information in this article applies to Windows 98-based and Windows 98 Second Edition-based computers if the Internet Connection Sharing client from Windows XP has been installed.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Regulating Device Description Downloads Based on Network ScopeThe patch introduces the ability to limit the lengths to which the Universal Plug and Play (UPnP) service can go to download a device description. An administrator can use this functionality to cause a patched computer to attempt to download a device description only if it resides in a predetermined locality on the network. To enable this functionality:
Regulating Device Description Downloads Based on Router HopsYou can use an existing capability to limit where the UPnP service will download device descriptions, based on the number of router hops. To alter this setting (which operates independently of the UPnP Control Point setting):
Port Restrictions for Device Description DownloadsThe patch introduces restrictions on the ports that can be specified for downloading device descriptions. Patched computers do not attempt to download device histories from any port under 1024, except for port 80.
Delay MechanismThe patch also includes a non-configurable delay mechanism that prevents a computer from repeatedly and continuously attempting to download a device description, particularly if the host is on a remote network.
When you start a new download, a patched computer consults two tables. The first provides a maximum delay that is based on the number of failed download attempts from the current host, and whether the host is located on the local network or on an external one. The more failures, and the farther away the host is located, the longer the maximum delay, up to a limit of 4 minutes. The second table provides a maximum delay that is based on the number of downloads already in progress. The more ongoing downloads, the longer the maximum delay, up to a limit of one minute.
The system sums the two delay values that are derived from the tables, and generates a random number between zero and the sum. It then delays that many seconds before attempting the download.
Microsoft Security Bulletin MS01-059To view this security bulletin, please view the following Microsoft Web site: http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
Article ID: 315056 - Last Review: May 30, 2007 - Revision: 2.5