Microsoft Windows Platforms running TCP/IP
Subject to Denial of Service Attack

Reported June 29, 1997 by Jiva DeVoe
With complete analysis by NTSECURITY.NET

Systems Affected

Windows NT and 95 Systems using the Microsoft TCP/IP Stack

The Problem

A denial of service attack can be effectively launched against Windows operating systems using tactics similar to the older Ping-of-Death problem, so we have named this bug Ping-of-Death 2.

Instead of sending a single 64k ICMP packet which becomes fragmented, as done in the Ping-of-Death attack, Ping-of-Death 2 is accomplished by sending a flurry of 64k packets, which also become fragmented. This flurry of packets causes Windows systems to completely lock up cold without warning.

Our in-house testing revealed the true nature of the POD2 attack. We tested against an Intel platform running NT 4.0 with SP3 and all current hotfixes as of June 30, 1997, and also against an Alpha platform with the same code revs. Both systems did in fact freeze completely, as did a targeted Windows 95 platform.

If you have a Linux system, you can test this yourself using the pod2 binary, or the sping binary. Drop either one in a directory, and make sure you have root privileges before using them.

Stopping the Attack

As always, block all inbound ICMP traffic at your routers that border untrusted networks, and by all means, load the hotfix. You'll find it here for NT 4.0. Be certain to examine the README file and the Knowledge Base article.
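
The following added example (not part of the original advisory) flags sources that send a flurry of fragmented ICMP datagrams of about 64k, the pattern described under The Problem, using captured IPv4 headers. The size, count and window thresholds, the function names and the sample addresses are assumptions chosen for illustration.

```python
# Added example: flag sources sending a flurry of fragmented ~64k ICMP datagrams.
import struct
from collections import defaultdict

ICMP = 1
MIN_SIZE = 60000  # assumption: reassembled size treated as "about 64k"
MIN_COUNT = 5     # assumption: large datagrams per window that make a flurry
WINDOW = 1.0      # assumption: window length in seconds

def parse_ipv4(pkt):
    """Return (src, ip_id, proto, fragment offset in bytes, MF flag, payload length)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    src = ".".join(str(b) for b in pkt[12:16])
    return src, ident, pkt[9], (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), total_len - ihl

def detect_flurry(packets):
    """packets: iterable of (timestamp, IPv4 header bytes). Returns the flagged sources."""
    big = defaultdict(dict)  # src -> {ip_id: time a fragment first reached MIN_SIZE}
    flagged = set()
    for ts, pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # not a usable IPv4 header
        src, ident, proto, off, mf, plen = parse_ipv4(pkt)
        if proto != ICMP or (off == 0 and not mf):
            continue  # only fragmented ICMP matters here
        if off + plen >= MIN_SIZE:  # this fragment ends near the 64k mark
            big[src].setdefault(ident, ts)
            recent = [t for t in big[src].values() if ts - t <= WINDOW]
            if len(recent) >= MIN_COUNT:
                flagged.add(src)
    return flagged

def sample_fragments(src, ident, size, ts, mtu_payload=1480):
    """Constructed test input: headers only, as a short-snaplen capture would hold."""
    out = []
    for off in range(0, size, mtu_payload):
        plen = min(mtu_payload, size - off)
        flags_off = (0x2000 if off + plen < size else 0) | (off // 8)
        out.append((ts, struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, ident, flags_off,
                                    64, ICMP, 0, bytes(map(int, src.split("."))),
                                    bytes([192, 0, 2, 1]))))
    return out

if __name__ == "__main__":
    flood = [p for i in range(6) for p in sample_fragments("198.51.100.7", 100 + i, 65000, i * 0.1)]
    normal = sample_fragments("203.0.113.9", 7, 4000, 0.2)  # one modest fragmented ping
    print(detect_flurry(flood + normal))
```

The per-source table is never pruned here; a long-running monitor would expire entries older than the window.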

Microsoft's Response:

On June 29, 1997, it was reported that Microsoft had been informed of this issue. On July 1, very late in the day, MS posted the hotfixes for NT 4.0. Their knowledge base article Q154174 (linked above) seems to indicate that this problem does not affect NT 3.51 or WfW.


Credit:
Symptoms and code revealed by Jiva DeVoe
With complete analysis by NTSECURITY.NET

Posted here at
NTSecurity.Net June 30, 1997 11pm