Re: UPNP Denial of Service

["Patrick Chambet" <patrick.chambet () edelweb fr>]

The UPnP DoS code does what it is supposed to do, but that doesn't seem
to bother Windows XP: the CPU utilization reaches 80% at the very
maximum and returns to a stable state as soon as the attack stops.
The same level of CPU utilization is reached with other kinds of
attacks, like fragmented UDP packets or other services flooding for
example.

Extra data:
- Server: Windows XP Pro US
- Client: Linux RH 7.1
- Network: 10 Mb LAN

Maybe Windows ME leads to other results.

___________________________________________
Patrick Chambet - MCP
IT Security Consulting
EdelWeb - ON-X Consulting Group
http://www.edelweb.fr - http://www.on-x.com


> We develop a code baseline to test the UPNP DOS. The dos consists in
> sending a udp packet to port 1900 with a NOTIFY request. This request
> has a URL that XP uses to open a tcp connection. The XP does not
> sanitize this request so whatever URL and port could be specified.
Once
> the tcp connection is opened, a chargen code fills the XP memory and
the
> machine gets into an unstable state with a 100% of cpu utilization.
> Gabriel Maggiotti, Fernando Oubiña
>
>  <<chargen.c>>  <<upnp_udp.c>>