COMMAND

    Killing NT 4.0's Name Server

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    You may receive an Access Violation in Dns.exe. This most often
    occurs on computers connected to public networks, such as the
    Internet, where deliberate attacks are common.

    This particular attack is usually generated maliciously by  typing
    the following  command on  the attacking  system (found  by Stefan
    Arentz):

        $ telnet ntbox 19 | telnet ntbox 53

    This command causes a telnet connection to be established to port
    19 (the chargen service, which generates an endless stream of
    characters) with the output redirected to a telnet connection to
    port 53 (the DNS service). This flood of characters causes an
    Access Violation in the DNS service, which is terminated,
    disrupting name resolution.

    This was tested on NT 4.0 with service pack #3.
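    The failure mode described above is a DNS server reading whatever
    arrives on a TCP connection as if it were a DNS message. The
    advisory does not say where in Dns.exe the fault lies, so as an
    added illustration (not Microsoft's code and not part of the
    original advisory) here is a defensive reader for the RFC 1035
    DNS-over-TCP framing, fed with a constructed imitation of chargen
    output; it rejects the stream up front instead of processing it.

```python
import struct
from typing import Optional, Tuple

DNS_HEADER_LEN = 12


def chargen_stream(nbytes: int) -> bytes:
    """Constructed stand-in for chargen (tcp/19) output: rotating 72-character
    lines of printable ASCII, as RFC 864 describes. Not real captured traffic."""
    alphabet = bytes(range(0x20, 0x7F))  # ' ' .. '~'
    out = bytearray()
    line = 0
    while len(out) < nbytes:
        start = line % len(alphabet)
        out += (alphabet * 2)[start:start + 72] + b"\r\n"
        line += 1
    return bytes(out[:nbytes])


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Well-formed DNS-over-TCP query (2-byte length prefix + message), for contrast."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    body = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    body += labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QNAME, QTYPE, QCLASS IN
    return struct.pack("!H", len(body)) + body


def read_dns_tcp_message(stream: bytes) -> Tuple[Optional[bytes], str]:
    """Frame one DNS message from a TCP byte stream. Returns (message, reason);
    message is None when the bytes cannot be a DNS message, so the caller can
    drop the connection rather than hand garbage to the parser."""
    if len(stream) < 2:
        return None, "short length prefix"
    (length,) = struct.unpack("!H", stream[:2])
    if length < DNS_HEADER_LEN:
        return None, f"declared length {length} smaller than DNS header"
    if len(stream) < 2 + length:
        return None, f"stream truncated: need {length} bytes, have {len(stream) - 2}"
    msg = stream[2:2 + length]
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return None, f"unknown opcode {opcode}"
    # A question needs at least 5 bytes (root name + type + class) and a
    # resource record at least 11; section counts that cannot fit are bogus.
    min_body = qd * 5 + (an + ns + ar) * 11
    if min_body > length - DNS_HEADER_LEN:
        return None, f"section counts ({qd},{an},{ns},{ar}) exceed message length {length}"
    return msg, "ok"
```

    On the chargen imitation the two leading bytes " !" declare an 8225-byte
    message whose header then claims thousands of questions, so the reader
    refuses it; a real query passes.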

SOLUTION

    Most NT 4.0 boxes don't listen on tcp port 19 (chargen) unless the
    administrator has installed "Simple TCP/IP Services" or similar,
    which is not a default option.

    The Microsoft DNS Server has been modified to correct this
    problem. Obtain the following fix or wait for the next Windows NT
    service pack. The hotfix has been posted to the following Internet
    location:

        ftp://ftp.microsoft.com/

    under the following path:

    bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/dns-fix

    Workaround #1: block port tcp/53 on the security panel of  TCP/IP.
    No more zone transfers, no more TCP name resolutions (very  rare),
    everyday UDP resolution still works.

    Workaround #2: filter port tcp/53 on the boundary router, allowing
    only secondary servers to do zone transfers.

    Workaround #3: install BIND.