Bugtraq mailing list archives

DoS attack in MS - Proxy 2.0

From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Fri, 9 Oct 1998 15:48:07 +0100


Dear All,


MS-Proxy 2.0 server is susceptible to a massive Denial of Service attack.
The reason this works seems to be a bug whereby in some instances if a
client connection to the proxy server is aborted the connection the proxy
server has made to the remote server is not RESET. This seems to happen in
ftp requests .Consequently, an attacker can make an HTTP GET ftp:// request
to the Web Proxy Service to the Chargen service (TCP port 19) on a remote
host ("GET ftp://some.server.com:19/ HTTP/1.0\n\n") and abort the
connection they have made to the Proxy before a response is received from
the proxy server. Proxy will keep the connection it has made to the remote
server open and continues to receive data ad infinitum. This eventually
leads to the inetinfo.exe process running at 100% and a continuous rise in
memory usage. After 25 minutes memory usage had risen from 5000k to 37000k.
This was tested on NT Server 4 (SP 3 + Hotfixes), IIS 3.0 and MS Proxy 2.0
with a 33.6 kps connection to the 'Net.

It must also be noted that this may not even be an attack - if a user
decides through his web browser to download a 40Mb file that is linked to
from an
A HREF="ftp://some.server.com/bigfile.exe"; and then clicks STOP pn his/her
browser before Proxy has responded this will have the same effect.

Whilst in this state, the Web Proxy Service will not stop from Internet
Service Manager. You have to use the NT Resource Kit's kill.exe and kill it
off.

To enable "damage-limitation":
        a) Make sure that only trusted and valid users can use MS-Proxy's
services.
        b) Limit outbound traffic to services you need for employees to do their
job.
                ie Don't just allow all outbound traffic through the packet filter.
        c) Deny any IP address on your internal network in the Domain Filters Tab
                just in case an internal user bounces this back into the inside.

I'd suggest though, that MS produce a fix that makes sure if the client
connection is aborted
so to is the proxy-to-remote-server connection is aborted too, because the
above instructions
may not be viable for some customers.

Cheers and l8r
Mnemonix
http://www.diligence.co.uk
http://www.infowar.co.uk/mnemonix

Current thread:

By-passing MS Proxy 2.0 and others packet filtering Mnemonix (Oct 08)
- Lotus Domino application vulnerability Weld Pond (Oct 08)
- Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Jean-Christophe Touvet (Oct 08)
  - Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Gus (Oct 13)
  - Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Peter van Dijk (Oct 13)
    - Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Kevin Way (Oct 14)
    - Secure Locate v1.2 klindsay (Oct 14)
- Re: By-passing MS Proxy 2.0 and others packet filtering Marc D. Behr (Oct 09)
- DoS attack in MS - Proxy 2.0 Mnemonix (Oct 09)