Re: WINS flooding
Sam Chan (chan@DPG.RNB.COM)
Fri, 15 Aug 1997 09:57:41 -0400
Aleph One wrote:
>
> ---------- Forwarded message ----------
> Date: Fri, 1 Aug 1997 12:17:53 -0400
> From: Holas, Ondxej <OHolas@EXCH.DIGI-TRADE.CZ>
> To: NTBUGTRAQ@RC.ON.CA
> Subject: WINS flooding
>
> When a flood of random (size and contents) UDP packets is sent to port
> 137/UDP to machine running WINS Server, this service stops after about 5
> seconds. I reproduced this on several machines running NTS 4.0 + WINS.
> Even if there were SP3 and all (12) recent postfixes, this service
> stops. The stop is regular, without Access Violation, manual restart is
> possible (probably, when attacked, WINS service reports its state to
> SCM). I never tried to reproduce this issue on NT 3.5x.
>
> I discovered there are many unprotected WINS servers in the Internet,
> which are vulnerable to such attacks (including one well-known software
> vendor).
>
> I reported this bug 06/27/1997, but now, I have neither reply from MS
> nor available fix.
>
> If there's somebody who wants to get sample source (in C, of course) of
> killing program, I can send it against E-mail.
>
> Ondrej Holas, MCSE
> DIGI TRADE, spol. s r.o.
> Czech Republic
* NUKING WINS
the follow comes from WinNTMag UPDATE Vol. 2, Issue 32:
A problem with WINS was reported to Microsoft some months back. The
problem
lets a WINS server abnormally terminate. Last week, a post Service Pack
3
(SP3) hotfix was released that corrects this problem. The problem is
created when invalid UDP packets are directed to a WINS server, causing
it
to silently terminate.
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-po
stSP3/winsupd-fix
--
Samuel Chan System Administrator
Derivative Products Group chan@dpg.rnb.com
(212)525-8005 Republic National Bank