COMMAND
MS Proxy
SYSTEMS AFFECTED
MS Proxy
PROBLEM
Mnemonix found the following. MS Proxy Server 2.0 is susceptible to a
massive Denial of Service attack. The cause appears to be a bug whereby,
in some instances, if a client's connection to the proxy server is
aborted, the connection the proxy server has made to the remote server
is not RESET. This seems to happen with ftp requests. Consequently, an
attacker can send the Web Proxy Service an HTTP GET for an ftp:// URL
that points at the Chargen service (TCP port 19) on a remote host
(GET ftp://some.server.com:19/ HTTP/1.0\n\n) and abort their connection
to the proxy before the proxy has sent a response. The proxy keeps the
connection it has made to the remote server open and, since chargen
never stops sending on its own, continues to receive data ad infinitum.
This eventually leads to the inetinfo.exe process running at 100% CPU
and a continuous rise in memory usage: after 25 minutes memory usage
had risen from 5000k to 37000k. This was tested on NT Server 4 (SP3 +
Hotfixes), IIS 3.0 and MS Proxy 2.0 with a 33.6 kbps connection to the
'Net.
It must also be noted that this need not even be an attack: if a user
decides through his web browser to download a 40Mb file that is linked
to from an <A HREF="ftp://some.server.com/bigfile.exe"> and then clicks
STOP in his/her browser before the proxy has responded, the same thing
happens.
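The relay defect described above, as an added example that is not part of the original advisory and not MS Proxy's own code: a Python model of a proxy's relay loop, once with the reported behaviour (the remote connection survives the client's abort and undeliverable data piles up for as long as the remote side keeps talking) and once corrected (the remote side is torn down the moment the client goes away). The chargen service, the proxy and the aborting client are all constructed stand-ins on loopback; the ephemeral ports, the 8000-line bound that keeps the stand-in chargen finite, and every function name are assumptions of this example.

```python
import select
import socket
import threading
from urllib.parse import urlsplit

# Constructed stand-in for chargen (TCP/19): 72-byte line plus CRLF, bounded
# to LINES lines so the demonstration terminates (real chargen never stops).
CHARGEN_LINE = bytes(range(33, 105)) + b"\r\n"
LINES = 8000
TOTAL = LINES * len(CHARGEN_LINE)

def serve_chargen(listener, lines):
    """Accept one connection and stream lines until done or the peer hangs up."""
    conn, _ = listener.accept()
    listener.close()
    conn.settimeout(5)
    try:
        for _ in range(lines):
            conn.sendall(CHARGEN_LINE)
    except OSError:
        pass                            # peer reset the session: stop talking
    finally:
        conn.close()

def read_request(conn):
    """Read one HTTP request head; leaves any client EOF unconsumed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def relay_vulnerable(upstream, client, stats):
    """Model of the defect: keep draining the remote side after the client aborts."""
    backlog = bytearray()
    try:
        while True:
            chunk = upstream.recv(4096)
            if not chunk:
                break
            stats["upstream_bytes"] += len(chunk)
            try:
                client.sendall(chunk)
            except OSError:
                backlog += chunk        # client gone, remote side kept open: memory grows
    finally:
        stats["buffered"] = len(backlog)
        upstream.close()
        client.close()

def relay_fixed(upstream, client, stats):
    """Hardened relay: drop the remote connection as soon as the client goes away."""
    try:
        while True:
            readable, _, _ = select.select([upstream, client], [], [], 10)
            if not readable:
                break                   # idle timeout
            if client in readable:
                try:
                    if not client.recv(4096):
                        break           # EOF: client closed or aborted
                except OSError:
                    break               # RST from the client
            if upstream in readable:
                chunk = upstream.recv(4096)
                if not chunk:
                    break
                stats["upstream_bytes"] += len(chunk)
                try:
                    client.sendall(chunk)
                except OSError:
                    break               # write to a dead client: stop relaying
    finally:
        upstream.close()                # the reset the advisory says MS Proxy skips
        client.close()

def run_scenario(relay_fn, lines=LINES):
    """Loopback re-enactment: GET an ftp:// URL aimed at chargen, abort before any reply."""
    stats = {"upstream_bytes": 0, "buffered": 0}
    chargen_srv = socket.socket()
    chargen_srv.bind(("127.0.0.1", 0))
    chargen_srv.listen(1)
    chargen_port = chargen_srv.getsockname()[1]
    worker = threading.Thread(target=serve_chargen, args=(chargen_srv, lines), daemon=True)
    worker.start()
    proxy_srv = socket.socket()
    proxy_srv.bind(("127.0.0.1", 0))
    proxy_srv.listen(1)
    client = socket.create_connection(proxy_srv.getsockname())
    client.sendall(b"GET ftp://127.0.0.1:%d/ HTTP/1.0\r\n\r\n" % chargen_port)
    client.close()                      # abort before the proxy has answered
    conn, _ = proxy_srv.accept()
    proxy_srv.close()
    # The proxy is steered to whatever host:port the URL names, port 19 included.
    target = urlsplit(read_request(conn).split()[1].decode())
    upstream = socket.create_connection((target.hostname, target.port or 21))
    upstream.settimeout(10)
    relay_fn(upstream, conn, stats)
    worker.join(timeout=10)
    return stats
```

Calling run_scenario(relay_vulnerable) reports upstream_bytes equal to everything the stand-in chargen produced plus a non-zero buffered count, because the relay keeps reading after its writes to the client start failing; run_scenario(relay_fixed) stops relaying as soon as it sees the client's EOF and closes the remote side. The trigger is any client hang-up, which is why the browser STOP case in the advisory behaves the same as a deliberate abort.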
SOLUTION
Whilst in this state, the Web Proxy Service will not stop from Internet
Service Manager; you have to use the NT Resource Kit's kill.exe to kill
it off. To enable damage limitation:
a) Make sure that only trusted and valid users can use MS Proxy's
   services.
b) Limit outbound traffic to the services employees need to do their
   job, i.e. don't just allow all outbound traffic through the packet
   filter.
c) Deny every IP address on your internal network in the Domain Filters
   tab, in case an internal user bounces this back into the inside.