Multiple Connection Requests Promote Denial of Service Attack

Article ID: 238600
Last Review: November 1, 2006
Revision: 3.2
This article was previously published under Q238600

SYMPTOMS

When a request to open a new terminal connection is received by a Terminal Server computer, the server undertakes a resource-intensive series of operations to prepare for the connection. The server performs these operations before authenticating the request, thereby allowing an attacker to mount a denial of service attack by levying a large number of connection requests and consuming all memory on the Terminal Server.

This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection request.

CAUSE

This problem occurs because there is no control over CPU resource usage during connection setup. Multiple simultaneous connection requests can prevent the server from responding to other connection requests.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows NT 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 (http://support.microsoft.com/kb/152734/) How to obtain the latest Windows NT 4.0 service pack

WORKAROUND

To work around this problem, you can filter Transmission Control Protocol (TCP) packets. Terminal Server monitors connection requests on port 3389. If you create a filter that allows only specific TCP/IP addresses or networks to gain access to the Terminal server, it may be possible to prevent this condition from occurring.
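The following added example (not part of the original article) evaluates such a filter against a connection log: it reports which sources the allowlist would drop on port 3389 and which allowlisted sources still send bursts of connection requests that the filter lets through. The allowlist networks, the log entries, and the `window` and `threshold` values are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

RDP_PORT = 3389  # port the article says Terminal Server listens on

# Assumed allowlist for the filter (constructed documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.10/32")]

# Constructed connection log: (seconds, source address, destination port).
SAMPLE_LOG = (
    [(t, "203.0.113.7", 3389) for t in range(20)]            # unlisted source
    + [(5, "192.0.2.15", 3389), (300, "192.0.2.15", 3389)]   # normal admin use
    + [(100 + t, "198.51.100.10", 3389) for t in range(6)]   # listed, but bursty
    + [(50, "203.0.113.9", 80)]                              # not port 3389
)

def is_allowed(src):
    """True if src falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETS)

def review(events, window=10, threshold=5):
    """Return (dropped, bursts) for connection requests to port 3389.

    dropped: sources the filter would stop before they reach the server.
    bursts:  allowlisted sources with >= threshold requests inside
             `window` seconds; the filter does not stop these.
    """
    dropped, bursts = set(), set()
    recent = defaultdict(deque)          # source -> timestamps in window
    for ts, src, dport in sorted(events):
        if dport != RDP_PORT:
            continue
        if not is_allowed(src):
            dropped.add(src)
            continue
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] >= window:    # expire requests outside the window
            seen.popleft()
        if len(seen) >= threshold:
            bursts.add(src)
    return dropped, bursts

if __name__ == "__main__":
    dropped, bursts = review(SAMPLE_LOG)
    print("dropped by filter:", sorted(dropped))
    print("allowed but bursty:", sorted(bursts))
```

Sources reported as bursts are inside the allowlist, so only the service pack fix addresses them.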

For additional information about TCP filters, click the article numbers below to view the articles in the Microsoft Knowledge Base:
169548 (http://support.microsoft.com/kb/169548/EN-US/) Using Proxy Server with Routing and Remote Access

166371 (http://support.microsoft.com/kb/166371/EN-US/) NT 4.0 Does Not Filter Ports Destined for Remote Segments

187628 (http://support.microsoft.com/kb/187628/EN-US/) Using Telnet to Test Port 3389 Functionality

191146 (http://support.microsoft.com/kb/191146/EN-US/) How to Create a DMZ Network with Proxy Server 2.0

STATUS

Microsoft has confirmed that this is a problem in Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Microsoft Windows NT 4.0 Service Pack 5.

MORE INFORMATION

For more information concerning Windows NT and security issues, please visit the following Microsoft Web site:
http://www.microsoft.com/security/


APPLIES TO
Microsoft Windows NT Server 4.0, Terminal Server Edition

Keywords: 
kbhotfixserver kbqfe kbbug kbfix kbnetwork kbqfe KB238600
