Bugtraq mailing list archives
Re: ISS Security Advisory: Denial of Service Attack Against Windows NT Terminal Server
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 10 Aug 1999 08:54:04 -0700
One small clarification:

At 11:51 AM 8/9/99 -0400, X-Force wrote:
> The ISS X-Force has discovered a denial of service attack against Windows NT Server 4.0, Terminal Server Edition. This vulnerability allows a remote attacker to quickly consume all available memory on a Windows NT Terminal Server, causing a significant disruption for users currently logged into the terminal server, and preventing any new terminal connections from being successfully completed.

This isn't precisely correct. The problem is that the attack will consume about 1MB of RAM per connection. If you have a machine with 1GB, and it is capped to allow 50 users to connect, a worst-case scenario is that the machine will now be running with a mere 950 MB for the users that are already on the box. Under these conditions, the existing users probably won't notice the attack. New users will be hindered in their connection (not prevented), as they are competing with the attacker for new slots - they might get one before the attack app managed to get the timed out connection - at least that's the way it worked when I tested this.

OTOH, if you have a 50 user limit on a machine with 64MB of RAM, you'll experience a pretty severe disruption, although I don't think I'd want to be on that machine with more than a few legitimate users to begin with.

So essentially, if you've got the user limit capped at a value where there is 1MB RAM available per user, then "all available memory" won't get consumed, and existing users won't experience a significant disruption. I believe Dave Meltzer was doing his testing with a server that had a fairly small amount of RAM.

I'd also note that unless someone is spoofing the TCP connections, the IP of the attacker is going to show clearly in netstat -a.

That said, I'd upgrade any Terminal Server with the patch, and make sure that my firewall rules excluded 3389, unless I wanted to explicitly allow people to connect to terminal server from the internet.

David LeBlanc
dleblanc () mindspring com
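Added example, not part of the original message: a defender-side check that combines the two observations above, counting connections to port 3389 per remote address in netstat output and estimating the RAM they tie up at the message's figure of about 1MB per connection. The sample output is constructed, numeric `netstat -an` output is assumed instead of `netstat -a`, and the function names and the per-address threshold are hypothetical.

```python
from collections import Counter

RDP_PORT = 3389         # Terminal Server port named in the message
MB_PER_CONN = 1         # the message's estimate: about 1MB of RAM per connection

# Constructed sample of `netstat -an` output (documentation-range addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          192.0.2.10:1043        ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.11:1188        ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2301      ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2302      ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2303      ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.7:2304      ESTABLISHED
  TCP    10.0.0.5:1027          203.0.113.9:3389       ESTABLISHED
"""


def rdp_peers(netstat_text, port=RDP_PORT):
    """Count inbound TCP connections to the local port, per remote address."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue                      # headers, blank lines, UDP rows
        _, local, remote, state = fields
        if state == "LISTENING" or local.rsplit(":", 1)[-1] != str(port):
            continue                      # listener itself, or another port
        peers[remote.rsplit(":", 1)[0]] += 1
    return peers


def report(netstat_text, ram_mb, per_ip_threshold=3):
    """Return (addresses at or over the threshold, MB held, fraction of RAM).

    per_ip_threshold is a hypothetical tuning value, not from the message.
    """
    peers = rdp_peers(netstat_text)
    held_mb = sum(peers.values()) * MB_PER_CONN
    suspects = {ip: n for ip, n in peers.items() if n >= per_ip_threshold}
    return suspects, held_mb, held_mb / ram_mb


if __name__ == "__main__":
    for ram in (64, 1024):                # the two machine sizes discussed
        print(ram, report(SAMPLE, ram))
```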