Help and Support
 

powered byLive Search

Denial of Service Attack Against WinNT Simple TCP/IP Services

View products that this article applies to.
Article ID:154460
Last Review:November 1, 2006
Revision:2.1
This article was previously published under Q154460

SYMPTOMS

As your computer is being attacked there may be a jump in bandwidth utilization on a subnet containing Windows NT computers and performance may suffer. A network analyzer shows a large amount of UDP traffic, typically from port 19 (chargen).

Back to the top

CAUSE

A malicious attack may be mounted against Windows NT computers with the Simple TCP/IP Services installed. The attack consists of a flood of UDP datagrams sent to the subnet broadcast address with the destination port set to 19 and a spoofed source IP address. The Windows NT computers running Simple TCP/IP services respond to each broadcast, creating a flood of UDP datagrams.

Back to the top

RESOLUTION

Windows NT TCP/IP, Windows Sockets, and Simple TCP/IP services have been modified to be more attack resistant. Windows Sockets now supports a new socket option, SO_BROADCAST, that can be set to allow the recvfrom() call to pass broadcast datagrams to the application. The default for this option is OFF. Previous implementations passed broadcasts datagrams to any Windows Sockets application that issued a recvfrom() call. Additionally, the chargen service and other Simple TCP/IP services have been modified to drop any datagrams that have the source port equal to the destination port to prevent "looping" attacks.

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 (http://support.microsoft.com/kb/152734/EN-US/) How to Obtain the Latest Windows NT 4.0 Service Pack



For your convenience, the English version of this post-SP3 hotfix has been posted to the following Internet location. However, Microsoft recommends that you install Windows NT 4.0 Service Pack 4 to correct this problem.

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/) hotfixes-postSP3/simptcp-fix

NOTE: An updated version of this hotfix was posted on August 15, 1997.

Back to the top

STATUS

Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

Back to the top

APPLIES TO
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows NT Workstation 4.0 Developer Edition
Microsoft Windows NT Server 4.0 Standard Edition

Back to the top

Keywords: 
kbbug kbfile kbfix kbnetwork KB154460

Back to the top

Article Translations

 

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.