Snork Denial of Service Against RPC
Reported September 29, 1998 by Internet Security Systems

VERSIONS AFFECTED

  • Windows NT

DESCRIPTION

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory

September 29, 1998

"Snork" Denial of Service Attack Against Windows NT RPC Service

Synopsis:

The ISS X-Force has been researching a denial of service attack against the Windows NT RPC service. This attack allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU Usage for an indefinite period of time. It also allows a remote attacker to utilize a very large amount of bandwidth on a remote NT network by inducing vulnerable systems to engage in a continuous bounce of packets between all combinations of systems. This attack is similar to those found in the "Smurf" and "Fraggle" exploits, and is known as the "Snork" attack.

This vulnerability exists on Windows NT 4.0 Workstation and Server. All systems with service packs up to and including SP4 RC 1.99 are vulnerable, including any hotfixes released prior to 9/10/98. Patch information is provided below.

Recommended Action:

Microsoft has made a patch available for the "Snork" attack. Patch information is available at http://www.microsoft.com/security/bulletins/ms98-014.htm .

Network administrators can protect internal systems from external attack by adding a rule to a filtering router or firewall of the type:

Deny all incoming UDP packets with a destination port of 135 and a source port of 7,19, or 135. Many firewalls or packet filters may already have more restrictive rulesets which already encompass this filtering rule, in which case the network is already protected from an external "snork" attack. This would include filtering all incoming traffic to UDP port 135. There are NT applications which rely upon legitimate traffic passing between UDP ports 135 on a source and destination machine. If this is the case on your network, it is strongly recommended you apply the Microsoft hot-fix to any systems that allow external access.

Administrators of network intrusion detection systems, including ISS"s RealSecure, can immediately detect snork attempts on their network by adding a filter rule that detects traffic with the following specifications:

Name: Snork
Protocol: UDP
Source Address: Any
Source Port: 135 (additional rules for ports 7 & 19 if desired)
Destination Address: Any
Destination Port: 135

There may be third party software on your network that communicates to the NT RPC service with this source port. If this is the case, you must add the rules listed earlier in this advisory with the source address of those systems that need legitimate source port 135 traffic to pass, specifying that traffic can be passed in the case of a firewall, or to be ignored in the case of an intrusion detection system, in order to maintain the connectivity of those applications.

Description:

In X-Force lab tests, a single UDP packet is able to raise the CPU utilization on a Windows NT system to 100% for a period of 5-120 seconds. A low bandwidth continuous attack of this sort is able to keep the CPU utilization at 100% for an unlimited period of time. This vulnerability can also be exploited as a network bandwidth consuming attack by creating UDP packets that result in a constant packet bounce between all combinations of Windows NT systems on a network. This attack can quickly consume available bandwidth on even a small network. The consumption rate between any two idle Windows NT systems on an idle network is approximately 224/RTT (round-trip time), which translates on a 10Mbps Ethernet to approximately 3.4Mbps of traffic. Increasing the number of systems involved in the packet bounce exponentially increases this traffic, and as collisions occur and packet loss begins the network bandwidth used by this attack very quickly approaches 100%.

Additional Information:

This vulnerability was primarily researched by David Meltzer (davem@iss.net), with assistance from Jon Larimer (jlarimer@iss.net), and David LeBlanc (dleblanc@iss.net), all of the ISS X-Force.

_______

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user"s own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT"s PGP key server and PGP.com"s key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----

Version: 2.6.3a

Charset: noconv

iQCVAwUBNhD8CzRfJiV99eG9AQEnLwP8CWKvbPvBkQDFPtDttXesBvca1GdgLmtb
ez4zooqDDGejomkuO3IslI/gK+1cRtUPyJppONXJ/7l2Y0QDhxok7C6KWcjmMj7S
QCSViKsde08f+FGTKPCd3HVb7pD41MaHKZAT1pk7R5N9ee5PhakCyroctHPoCvkb
R4pOi0c3kr8=
=pVE2

-----END PGP SIGNATURE-----

DEMONSTRATION CODE:

The Snork exploit code also needs Libnet

SOLUTION

Knowledge Base Article Q193233:
http://support.microsoft.com/support/kb/articles/q193/2/33.asp

Fix for Windows NT 4.0 x86 version
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/snk-fix/snk-fixi.exe

Fix for Windows NT 4.0 Alpha version
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/snk-fix/snk-fixa.exe

Fix for Windows NT Server 4.0, Terminal Server Edition - This fix will be available shortly. It will be available in the following location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3/Snk-fix

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by ISS
- Posted on The NT Shop on September 29, 1998