Microsoft DNS Server
Subject to Denial of Service Attack

Reported May 27 ,1997 by Stefan Arentz

Systems Affected

Windows NT 4.0, up to Service Pack 3, running the MS DNS Server

The Problem

Microsoft DNS can be made to crash by redirecting the output of the Chargen service to the MS DNS service. A typical attack might be launched from a system using the following command:

$ telnet ntbox 19 | telnet ntbox 53

The above command is shown as seen on a UNIX command line. Once the command is issued, a telnet session is opened on port 19 (chargen) of the ntbox, and all output is redirected to a second telnet session opened on port 53 (dns) of the same ntbox. Launching the attack in this manner may subject the attacker to the same barrage of packets the DNS service will experience. But none-the-less, the attack is successful in crashing MS DNS.

Stopping the Attack

Stopping the attack is done by performing one of the following:

Don"t run MS DNS until it"s proven to be less bug ridden. Instead, you may opt for running a free version of BIND for NT which is not subject to this attack. If you rely on MS DNS interoperating with WINS, you may opt for MetaInfo"s DNS, which is a direct BIND port and works great in conjunction with WINS. If you must go on using MS DNS, be forewarned that it may be incredibly difficult to stop this attack, since it can be done through impersonation and by using non-standard ports for chargen.

You can block port TCP port 53 using NT"s built-in TCP/IP filtering. This stops zone transfers and TCP based name resolutions. This does not stop the UDP port 53 from continuing to operate normally. DNS normally relies on UDP for its name resolution transactions.

Or, you can filter TCP port 53 on your routers to bordering networks, allowing only trusted secondary DNS servers to do zone transfers.

Any one of the above three solutions should help you stop the attack cold.

This type of attack (pointing chargen output to other ports) can go along way towards bogging down lots of services, some of which die like MS DNS. You"d be well advised to disable NT"s Simple TCP/IP Services (if installed) using Control Panel | Services. This stops the chargen, echo, daytime, discard, and quote of the day (qotd) services. Any of which could be used for denial of service attacks. None of these services are required for proper network operation - although you should be aware that a few types of network monitors occasionally test the echo port when they cannot get a response using ping. If you find the need to run one or more of these services independant of the others, you can turn on/off each respective service by adjusting Registry entries found in the following subtree:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SimpTcp\Parameters

By changing the established value of both the EnableTcpXXXX and EnableUdpXXXX parameters from 0x1 to 0x0, you effectively disable that particular service.

The following parameters are available for adjustment:

  • EnableTcpChargen
  • EnableTcpDaytime
  • EnableTcpDiscard
  • EnableTcpEcho
  • EnableTcpQotd
  • EnableUdpChargen
  • EnableUdpDaytime
  • EnableUdpDiscard
  • EnableUdpEcho
  • EnableUdpQotd

BE CAREFUL WHEN MAKING REGISTRY CHANGES, AS ERRORS CAN RENDER A SYSTEM NON-BOOTABLE.

Keep in mind that this does not stop attacks that originate from other system"s chargen ports, nor will it stop impersonated port attacks.

Microsoft"s Response:

On June 10, 1997, Microsoft posted Hotfixes for this and other DNS related problems on the FTP site.

If you want to learn more about new NT security concerns, subscribe to NTSD.

Credit:
Stefan Arentz
Post here on
The NT Shop May 27, 1997