Bugtraq mailing list archives

UDP DoS attack in Win2k via IKE


From: "c0redump" <c0redump () ackers org uk>
Date: Tue, 11 Dec 2001 23:58:30 -0000

CLARIFICATION
=============
This memo should clarify the issue discovered with the UDP DOS
against Windows 2000, involving port 500 UDP. We have received
numerous comments and questions about BugTraq Advisory 244265.


PROBLEM
=======
Sending UDP traffic to port 500 will cause Windows to spend
excessive CPU time processing this traffic. It is possible for
an attacker to cause excessive CPU usage by continuously
sending UDP traffic to port 500 on the target machine. This
may degrade performance on the target machine or even render
it useless, for as long as the attacker keeps sending traffic.


IMPACT
======
The primary impact is that the attacker can cause high
CPU loads on the target machine. If the machine is used for
critical tasks (domain controller, web server, etc), this
might lead to a serious degradation in performance or even
complete loss of service.

Indirect impact may affect all Windows 2000 sites relying
on IPSec to secure their internet communications (i.e. if the
attacked host is an IPSec gateway). This was however not
tested by us and might require further investigation.


DETAILS
=======
All tests were conducted with a simple UDP flooder.
The traffic sent was not related to IKE; instead the payload
of the UDP traffic was simply made up of dots (ASCII 46).
We conducted tests with various packet lengths, and
we noticed that with a packet length of 800 bytes, it was
possible to drive a Windows 2000 Professional SP2, installed
on a Pentium I 233 MMX machine, to 99% CPU usage. The machine
was connected to a 10 Mbit Ethernet, on which the attacking
machine also resided.

Another test configuration included a PIII based server
running @ 933MHz, connected to the attacking machine via a
2 Mbit SDSL line. We were able to cause a CPU usage of around
50% to 80% on this machine by flooding its UDP port 500.

We also tested various other UDP ports than 500, and it
became quite clear to us that none of the open ports causes
as much CPU usage as port 500 does when getting flooded.


SOLUTION
========
When IPSec is not in use, filter UDP dst port 500 on your
border router / firewall. If you don't have a border router
or firewall, then one of the various commercially available
"personal type" firewalls can help.

Notice that with the built-in Windows 2000 IPSec filters you
*can not* firewall port 500 off (see also Microsoft
Knowledge Base article Q253169).

If you are actively using IPSec at your site, then an
immediate fix to this problem might not be available. ACLs
on your firewall/router may help by limiting the range of IP
addresses that are allowed to send UDP port 500 traffic to
you, so that only legitimate IPSec tunnel partners can reach
your server.
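The two defensive measures above (spotting a port 500 flood and restricting port 500 to known IPSec peers) are shown below as an added example; this is not code from the advisory or its authors. The log format, the IP addresses and the traffic burst are all constructed for the example, and the threshold of 100 packets per second per source is an arbitrary assumption, not a value from the advisory.

```python
"""Added example, not part of the original advisory: detect a UDP/500 flood
in firewall log lines and emulate the source allow-list the advisory suggests."""
from collections import Counter, defaultdict
import ipaddress
import re

# Hypothetical log format (constructed for this example, not any vendor's):
#   "<epoch-seconds> UDP <src-ip>:<src-port> -> <dst-ip>:<dst-port> len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) UDP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "length": int(m["length"]),
    }


def build_sample_log():
    """Constructed traffic: a legitimate IKE exchange from a known peer, a
    stray DNS packet, an unparsable line, and a one-second burst of 120
    800-byte UDP/500 packets (the size the advisory found most effective)
    from a single unrelated source."""
    lines = [
        "1008115200 UDP 203.0.113.9:500 -> 192.0.2.10:500 len=184",
        "1008115200 UDP 203.0.113.9:500 -> 192.0.2.10:500 len=240",
        "1008115201 UDP 198.51.100.7:53 -> 192.0.2.10:53 len=90",
        "garbage that should be ignored",
    ]
    lines += ["1008115201 UDP 198.51.100.7:40000 -> 192.0.2.10:500 len=800"] * 120
    lines.append("1008115202 UDP 203.0.113.9:500 -> 192.0.2.10:500 len=184")
    return lines


def udp500_flood_sources(lines, threshold_pps=100):
    """Count UDP/500 packets per (source, second) and return the sources
    whose peak per-second rate reaches threshold_pps, with that peak."""
    per_second = defaultdict(Counter)  # src -> Counter{second: packets}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 500:
            continue
        per_second[rec["src"]][rec["ts"]] += 1
    return {src: max(c.values()) for src, c in per_second.items()
            if max(c.values()) >= threshold_pps}


def apply_peer_allowlist(lines, allowed_peers):
    """Emulate the advisory's ACL: UDP/500 is accepted only from the listed
    IPsec peers (CIDR strings); anything else aimed at port 500 is dropped.
    Traffic to other ports is outside this rule and is counted separately."""
    nets = [ipaddress.ip_network(p) for p in allowed_peers]
    verdicts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] != 500:
            verdicts["other-port"] += 1
        elif any(ipaddress.ip_address(rec["src"]) in n for n in nets):
            verdicts["accept"] += 1
        else:
            verdicts["drop"] += 1
    return verdicts


if __name__ == "__main__":
    log = build_sample_log()
    print("flood sources:", udp500_flood_sources(log))
    print("ACL verdicts:", apply_peer_allowlist(log, ["203.0.113.0/24"]))
```

Note that the allow-list only helps when the set of IPSec peers is static enough to enumerate; road-warrior clients with dynamic addresses cannot be listed this way, which is the case the advisory has in mind when it says an immediate fix might not be available.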

REFERENCES
==========
Original Advisory:
 http://www.securityfocus.com/archive/1/244265

Microsoft Knowledge Base Article Q253169:
 http://support.microsoft.com/default.aspx?scid=kb;EN-US;q253169


====

gridrun () spacebitch com
c0redump () ackers org uk
#hacktech @ undernet



Special thanks to Synecta Informatik AG Switzerland for providing
us with valuable resources and supporting our work!
http://www.synecta.ch


    .-.
    /v\    L   I   N   U   X
   // \\   >I know KungFu!!<
  /(   )\
   ^^-^^


