Article ID: 238600 - Last Review: November 1, 2006 - Revision: 3.2

Multiple Connection Requests Promote Denial of Service Attack

This article was previously published under Q238600

SYMPTOMS
When a Terminal Server computer receives a request to open a new terminal connection, the server undertakes a resource-intensive series of operations to prepare for the connection. The server performs these operations before authenticating the request, thereby allowing an attacker to mount a denial of service attack by levying a large number of connection requests and consuming all memory on the Terminal server. This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection request.

CAUSE
This problem occurs because during the connection setup, there is no control over CPU resource usage. Simultaneous multiple connection requests can prevent the server from responding to other connection requests.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows NT 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 (http://support.microsoft.com/kb/152734/) How to obtain the latest Windows NT 4.0 service pack

WORKAROUND
To work around this problem, you can filter Transmission Control Protocol (TCP) packets. Terminal Server monitors connection requests on port 3389. If you create a filter that allows only specific TCP/IP addresses or networks to gain access to the Terminal server, it may be possible to prevent this condition from occurring. For additional information about TCP filters, click the article numbers below to view the articles in the Microsoft Knowledge Base:

169548 (http://support.microsoft.com/kb/169548/EN-US/) Using Proxy Server with Routing and Remote Access
166371 (http://support.microsoft.com/kb/166371/EN-US/) NT 4.0 Does Not Filter Ports Destined for Remote Segments
187628 (http://support.microsoft.com/kb/187628/EN-US/) Using Telnet to Test Port 3389 Functionality
191146 (http://support.microsoft.com/kb/191146/EN-US/) How to Create a DMZ Network with Proxy Server 2.0

STATUS

Microsoft has confirmed that this is a problem in Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Microsoft Windows NT 4.0 Service Pack 5.

MORE INFORMATION
For more information concerning Windows NT and security issues, please visit the following Microsoft Web site:
http://www.microsoft.com/security/
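
The filter described under WORKAROUND, as an added example that is not part of the original article: the script below applies an allowlist of networks to constructed connection records for port 3389 and also counts requests per allowed source, because a filter narrows who can reach the port but does not limit how often they connect. The allowed networks, window, threshold and log format are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

RDP_PORT = 3389  # Terminal Server port named in the article
# Assumed values for illustration, not from the article:
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.0.2.10/32")]
WINDOW_SECONDS = 10   # look-back window per source
MAX_REQUESTS = 5      # requests tolerated per source inside the window

# Constructed sample records: "<epoch-seconds> <source-ip> <destination-port>"
SAMPLE_LOG = """\
100 203.0.113.7 3389
101 10.1.4.20 3389
102 10.1.4.20 3389
103 10.1.4.20 3389
104 10.1.4.20 3389
105 10.1.4.20 3389
106 10.1.4.20 3389
107 192.0.2.10 3389
108 198.51.100.9 80
malformed line here
"""

def parse(log):
    """Yield (timestamp, source, port) tuples, skipping unparseable lines."""
    for line in log.splitlines():
        try:
            ts, src, port = line.split()
            yield int(ts), ipaddress.ip_address(src), int(port)
        except ValueError:
            continue

def is_allowed(src):
    """True when the source address falls inside an allowed network."""
    return any(src in net for net in ALLOWED_NETS)

def review(log):
    """Return (sources the filter would drop, allowed sources over the rate)."""
    dropped, flooding, recent = set(), set(), defaultdict(list)
    for ts, src, port in sorted(parse(log), key=lambda r: r[0]):
        if port != RDP_PORT:
            continue  # only connection requests to the Terminal Server port matter
        if not is_allowed(src):
            dropped.add(str(src))
            continue
        recent[src] = [t for t in recent[src] if ts - t < WINDOW_SECONDS] + [ts]
        if len(recent[src]) > MAX_REQUESTS:
            flooding.add(str(src))
    return dropped, flooding
```

Calling `review(SAMPLE_LOG)` returns the sources the allowlist would drop and the allowed sources that still exceed the request rate.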
