COMMAND

    kernel

SYSTEMS AFFECTED

    WinNT Terminal Server

PROBLEM

    The following is based on an ISS Security Advisory. The ISS X-Force
    has discovered a denial of service attack against Windows NT Server
    4.0, Terminal Server Edition. This vulnerability allows a remote
    attacker to quickly consume all available memory on a Windows NT
    Terminal Server, causing a significant disruption for users
    currently logged into the terminal server, and preventing any new
    terminal connections from being successfully completed. The problem
    is that the attack will consume about 1MB of RAM per connection. If
    you have a machine with 1GB, and it is capped to allow 50 users to
    connect, a worst-case scenario is that the machine will now be
    running with a mere 950 MB for the users that are already on the
    box. Under these conditions, the existing users probably won't
    notice the attack. New users will be hindered in their connection
    (not prevented), as they are competing with the attacker for new
    slots - they might get one before the attack app manages to grab
    the timed-out connection. OTOH, if you have a 50 user limit on a
    machine with 64MB of RAM, you'll experience a pretty severe
    disruption. So essentially, if you've got the user limit capped at
    a value where there is > 1MB RAM available per user, then "all
    available memory" won't get consumed, and existing users won't
    experience a significant disruption (Dave Meltzer was doing his
    testing with a server that had a fairly small amount of RAM?).
    Unless someone is spoofing the TCP connections, the IP of the
    attacker is going to show clearly in netstat -a.

    Windows NT Server 4.0 Terminal Server Edition listens for terminal
    connections on TCP port 3389. Once a TCP connection is made to this
    port, the terminal server will utilize resources in order to handle
    the new client connection and authenticate the connection. The
    manner in which this is done, however, requires significant server
    resources before any authentication takes place and without any
    throttling of resource utilization. Specifically, a remote attacker
    can quickly cause a server to reach full memory utilization by
    creating a large number of normal TCP connections to port 3389.
    Individual connections will time out, but a continuous
    low-bandwidth attack will maintain a terminal server at maximum
    memory utilization and prevent new connections from a legitimate
    source from taking place. Legitimate new connections will fail at
    this point with an error of either a connection timeout, or "the
    terminal server has ended the connection".

    In testing, a long-running attack of this type has been able to
    sporadically crash the terminal server executable and permanently
    maintain the machine at full memory usage without allowing any new
    terminal server connections until the machine was rebooted.
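    The two observations above (roughly 1MB per pre-authentication
    connection, and the attacker's address showing up in netstat) can be
    turned into a simple check an administrator runs on the box. The
    following is an added example, not part of the ISS advisory or any
    Microsoft tool; it assumes numeric "netstat -an" output (the sample
    lines and addresses are constructed) and a hypothetical per-peer
    threshold, and estimates worst-case free RAM from the user cap.

```python
import re
from collections import Counter

# Constructed "netstat -an" excerpt from a terminal server at 10.0.0.5
# (RFC 5737 documentation addresses): one legitimate client and one
# host holding many pre-authentication connections open to port 3389.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:135           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          198.51.100.7:1183      ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.10:1040        ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.10:1041        ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.10:1042        ESTABLISHED
  TCP    10.0.0.5:3389          192.0.2.10:1043        SYN_RECEIVED
  TCP    10.0.0.5:3389          192.0.2.10:1044        ESTABLISHED
  TCP    10.0.0.5:139           192.0.2.10:1050        ESTABLISHED
"""

# proto, local addr:port, foreign addr:port, state (numeric output, no DNS names)
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def connections_per_peer(netstat_text, local_port=3389):
    """Count non-listening TCP sockets on local_port, keyed by remote IP."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m is None:
            continue
        _laddr, lport, raddr, _rport, state = m.groups()
        if int(lport) == local_port and state != "LISTENING":
            peers[raddr] += 1
    return peers

def flooding_peers(netstat_text, local_port=3389, threshold=3):
    """Remote IPs holding more than `threshold` sockets to the terminal port.
    A real client normally holds one session, so several from one address
    is the signature described in the advisory (threshold is a hypothetical
    tuning value, not from the advisory)."""
    counts = connections_per_peer(netstat_text, local_port)
    return sorted(ip for ip, n in counts.items() if n > threshold)

def worst_case_free_mb(ram_mb, user_limit, per_conn_mb=1.0):
    """RAM left once the connection cap is filled at ~1 MB per connection."""
    return ram_mb - user_limit * per_conn_mb
```

    With the advisory's own numbers, worst_case_free_mb(1000, 50)
    gives 950 and worst_case_free_mb(64, 50) gives 14, which is the
    "severe disruption" case.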

SOLUTION

    Network administrators can protect internal systems from external
    attack by creating a packet filter of the form:

        - Prevent all incoming packets destined for TCP port 3389

    If you have a legitimate need for terminal server connections to
    be made from outside your network, you should limit access to TCP
    port 3389 to only the external IP addresses or networks that have
    a legitimate reason to connect. The fix for this problem is
    available at

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes-postSP4/Flood-fix/