Bugtraq mailing list archives

Re: ISS Security Advisory: Denial of Service Attack Against Windows NT Terminal Server


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 10 Aug 1999 08:54:04 -0700


One small clarification:

At 11:51 AM 8/9/99 -0400, X-Force wrote:

> The ISS X-Force has discovered a denial of service attack against
> Windows NT Server 4.0, Terminal Server Edition.  This vulnerability
> allows a remote attacker to quickly consume all available memory on a
> Windows NT Terminal Server, causing a significant disruption for users
> currently logged into the terminal server, and preventing any new terminal
> connections from being successfully completed.

This isn't precisely correct.  The problem is that the attack will consume
about 1MB of RAM per connection.  If you have a machine with 1GB, and it is
capped to allow 50 users to connect, a worst-case scenario is that the
machine will now be running with a mere 950 MB for the users that are
already on the box.  Under these conditions, the existing users probably
won't notice the attack.  New users will be hindered in their connection
(not prevented), as they are competing with the attacker for new slots -
they might get one before the attack app managed to get the timed-out
connection - at least that's the way it worked when I tested this.  OTOH,
if you have a 50 user limit on a machine with 64MB of RAM, you'll
experience a pretty severe disruption, although I don't think I'd want to
be on that machine with more than a few legitimate users to begin with.  So
essentially, if you've got the user limit capped at a value where there is
1MB RAM available per user, then "all available memory" won't get
consumed, and existing users won't experience a significant disruption.  I
believe Dave Meltzer was doing his testing with a server that had a fairly
small amount of RAM.

I'd also note that unless someone is spoofing the TCP connections, the IP
of the attacker is going to show clearly in netstat -a.

That said, I'd upgrade any Terminal Server with the patch, and make sure
that my firewall rules excluded 3389, unless I wanted to explicitly allow
people to connect to terminal server from the internet.

David LeBlanc
dleblanc () mindspring com
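As an added illustration of the netstat check mentioned above (example code, not part of David LeBlanc's post or the ISS advisory): a Python script that tallies TCP sessions to port 3389 per remote address from `netstat -a` output and flags sources holding many slots, using the post's rough 1MB-per-connection figure. The hostnames, addresses and threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample of `netstat -a` output from an NT 4.0 Terminal Server
# (not captured from a real host). One remote address holds many sessions.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ts01:3389              0.0.0.0:0              LISTENING
  TCP    ts01:3389              10.1.2.20:1045         ESTABLISHED
  TCP    ts01:3389              10.1.2.31:1102         ESTABLISHED
  TCP    ts01:3389              198.51.100.7:1301      ESTABLISHED
  TCP    ts01:3389              198.51.100.7:1302      ESTABLISHED
  TCP    ts01:3389              198.51.100.7:1303      ESTABLISHED
  TCP    ts01:3389              198.51.100.7:1304      ESTABLISHED
  TCP    ts01:3389              198.51.100.7:1305      ESTABLISHED
  TCP    ts01:139               10.1.2.20:1044         ESTABLISHED
"""

# NT-style netstat line: proto, local host:port, foreign host:port, state
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def count_remote_connections(netstat_text, local_port=3389):
    """Return {remote_host: session count} for non-listening TCP sessions
    whose local port is `local_port` (3389 for Terminal Server)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _lhost, lport, rhost, _rport, state = m.groups()
        if int(lport) != local_port or state == "LISTENING":
            continue
        counts[rhost] += 1
    return dict(counts)


def flag_heavy_sources(counts, per_conn_mb=1, threshold=3):
    """Sources holding more than `threshold` sessions, mapped to the RAM
    they tie up at roughly per_conn_mb MB each (the post's estimate)."""
    return {host: n * per_conn_mb for host, n in counts.items() if n > threshold}


if __name__ == "__main__":
    sessions = count_remote_connections(SAMPLE_NETSTAT)
    for host, mb in flag_heavy_sources(sessions).items():
        print(f"{host}: {sessions[host]} sessions to 3389, ~{mb} MB consumed")
```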

