Update on wide-spread NewTear Denial of Service attacks

Aleph One (aleph1@DFW.NET)
Wed, 04 Mar 1998 10:37:55 -0600

-----Original Message-----
From: Jason Garms
Sent: Wednesday, March 04, 1998 12:53 AM
To: 'ntbugtraq@listserv.ntbugtraq.com'
Subject: Update on wide-spread NewTear Denial of Service attacks

First, many thanks to the many organizations that assisted today in
gathering information on the rash of denial of service attacks that have
hit a number of sites on the Internet in the last 24-48 hours. Three
important organizations for overall coordination have been CIAC, CERT and
NTBUGTRAQ. That's in addition to the numerous customers who provided
assistance. Thank you.

We've gotten network traces for in-process attacks, as well as NT crash
dumps from machines that were attacked. These files came from a number of
different customers who were affected by these denial of service attacks
over the last 24 to 48 hours. We've carefully reviewed the network traces,
and analyzed the crash dumps, and I'd like to share what we found.

The network sniffs all indicated a two-packet sequence using UDP
fragmentation to exploit a known vulnerability in unpatched Windows 95 and
Windows NT TCP/IP stacks. The traces all indicate the now infamous "DNS"
packet, which has little significance as an actual DNS packet except that
it uses the DNS port address. It's really the setup packet for the
fragmentation attack. The second packet, which is a malformed UDP packet
by many regards, completes the attack and places the unpatched TCP/IP
stack in an unstable state. The DNS port may have been chosen because many
sites do not filter it on their firewalls or routers. However, this is not
a DNS issue in any way, since the corruption is caused in the TCP/IP stack
by the UDP assembly.

We replayed these packets against unpatched Windows NT and Windows 95
machines and got the same results as have been reported on in various
forums, mostly blue screens. However, there have been reports of machines
that would simply reboot without first blue screening. We were able to
duplicate that scenario on Windows NT 4.0 systems running only SP1. Other
unpatched systems would blue screen. However, these replayed attacks had
no effect on fully patched Windows NT 4.0 SP3 systems (all hotfixes). The
primary fix that is important here is the "NewTear/Bonk/Boink" update that
was released in January.

We also reviewed the crash dumps from a number of different sources. None
of these affected machines had the NewTear/Bonk/Boink patch installed.
Analysis of the dump indicated that the cause of failure in all cases was
symptomatic of the corruption caused by fragmented UDP packets, which was
addressed by the NewTear/Bonk/Boink update. Most sites we were in contact
with that were the subject of repeated attacks were no longer affected
after installing the update.

We have had no reports of fully patched systems being affected by this
rash of attacks.

We have posted some information on http://www.microsoft.com/security on
this rash of attacks. From everything we've been able to determine,
applying this update is critical to preventing this problem. The
information on this issue at http://www.microsoft.com/security has links to
the NewTear/Bonk/Boink hotfix.

This hotfix is available for Windows NT 4.0 SP3, Windows NT 3.51 SP5,
Windows 95 Winsock 1.x and Windows 95 Winsock 2.x systems. (Note that the
version for Windows 95 depends on the Winsock version. Last week we
released a complete refresh of the Windows 95 Winsock 2 stack, which
includes the NewTear fix. This information is referenced from the NewTear
information on http://www.microsoft.com/security).

Thanks,
-JasonG

Jason Garms
Product Manager
Windows NT Security
Microsoft Corporation
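The two-packet UDP fragmentation sequence described in the message above can be watched for on the wire by checking each fragment train for internal consistency. What follows is an added example, not code from Microsoft or from the poster; it assumes captured IPv4 packets as input and uses a heuristic (overlapping fragments, or a first-fragment UDP length that disagrees with the reassembled size), since the post does not give the exact malformation. The sample packets are constructed.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields an IPv4 fragment tracker needs out of a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"src": pkt[12:16], "dst": pkt[16:20], "proto": pkt[9], "id": ident,
            "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}

def check_fragment_trains(packets):
    """Group fragments by (src, dst, id, proto); flag overlapping trains and UDP
    trains whose header length disagrees with the reassembled size (heuristic
    assumption: the post does not detail the exact NewTear malformation)."""
    trains = defaultdict(list)
    for raw in packets:
        f = parse_ipv4(raw)
        if f["mf"] or f["offset"]:  # only fragments of a larger datagram
            trains[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    findings = []
    for (_, _, ident, proto), frags in trains.items():
        frags.sort(key=lambda f: f["offset"])
        reasons, end = [], 0
        for f in frags:
            if f["offset"] < end:  # this fragment starts inside the previous one
                reasons.append("overlapping fragments")
                break
            end = f["offset"] + len(f["payload"])
        reassembled = max(f["offset"] + len(f["payload"]) for f in frags)
        if proto == 17 and frags[0]["offset"] == 0 and len(frags[0]["payload"]) >= 8:
            dport, udp_len = struct.unpack("!HH", frags[0]["payload"][2:6])
            if udp_len != reassembled:
                reasons.append(f"udp length {udp_len} != reassembled {reassembled} (dport {dport})")
        if reasons:
            findings.append({"id": ident, "reasons": reasons})
    return findings

def build_frag(ident, offset, mf, payload, proto=17):
    """Construct a minimal IPv4 fragment (constructed sample; checksum left 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def demo():
    udp_hdr = struct.pack("!HHHH", 40000, 53, 32, 0)  # sport, dport to 53, length, checksum
    good = [build_frag(1, 0, True, udp_hdr + b"A" * 8), build_frag(1, 16, False, b"B" * 16)]
    bad = [build_frag(2, 0, True, udp_hdr + b"A" * 8), build_frag(2, 8, False, b"B" * 16)]
    return check_fragment_trains(good), check_fragment_trains(bad)
```

The well-formed train produces no finding; the constructed bad train is flagged both for the overlap and for the UDP length mismatch.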