Microsoft KB Archive/238600

= Multiple Connection Requests Promote Denial of Service Attack =

Article ID: 238600

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition




This article was previously published under Q238600



SYMPTOMS
When a request to open a new terminal connection is received by a Terminal Server computer, the server undertakes a resource-intensive series of operations to prepare for the connection. The server performs these operations before authenticating the request, thereby allowing an attacker to mount a denial of service attack by issuing a large number of connection requests and consuming all memory on the Terminal Server.

This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection request.



CAUSE
This problem occurs because during the connection setup, there is no control over CPU resource usage. Simultaneous multiple connection requests can prevent the server from responding to other connection requests.



Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows NT 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack



WORKAROUND
To work around this problem, you can filter Transmission Control Protocol (TCP) packets. Terminal Server monitors connection requests on port 3389. If you create a filter that allows only specific TCP/IP addresses or networks to gain access to the Terminal Server, it may be possible to prevent this condition from occurring.
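
The following is an added example, not part of the original article or any Microsoft tool. It replays a constructed connection-attempt log against a source-address allow-list for port 3389 and also flags allowed sources that send a burst of requests, the case an address filter alone does not stop. The allow-list networks, log format, window and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

RDP_PORT = 3389  # port the article says Terminal Server listens on
# Constructed allow-list (assumption): one admin subnet and one single host.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Constructed connection-attempt log: "<epoch seconds> <source IP> <destination port>"
SAMPLE_LOG = """\
100.0 10.20.0.5 3389
100.5 203.0.113.7 3389
101.0 203.0.113.7 3389
101.2 10.20.0.9 3389
101.3 10.20.0.9 3389
101.4 10.20.0.9 3389
101.5 10.20.0.9 3389
101.6 10.20.0.9 3389
102.0 198.51.100.4 80
not a record
130.0 10.20.0.5 3389
"""

def review(log_text, window=10.0, threshold=5):
    """Return (dropped, bursts) as sorted lists of source IPs.

    dropped: sources outside the allow-list that the filter would reject.
    bursts:  allowed sources with >= threshold attempts inside `window` seconds.
    """
    dropped, bursts = set(), set()
    recent = defaultdict(deque)  # source IP -> timestamps still inside the window
    for line in log_text.splitlines():
        try:
            ts_text, src, port_text = line.split()
            ts, port = float(ts_text), int(port_text)
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed record: skip rather than guess
        if port != RDP_PORT:
            continue  # only Terminal Server connection requests matter here
        if not any(addr in net for net in ALLOWED_NETS):
            dropped.add(src)  # the address filter would reject this source
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # discard attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts.add(src)  # allowed source still flooding the listener
    return sorted(dropped), sorted(bursts)

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A source that appears in the second list passes the address filter yet can still exercise the pre-authentication setup path, so the filter reduces exposure without replacing the service pack fix.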

For additional information about TCP filters, click the article numbers below to view the articles in the Microsoft Knowledge Base:

169548 Using Proxy Server with Routing and Remote Access

166371 NT 4.0 Does Not Filter Ports Destined for Remote Segments

187628 Using Telnet to Test Port 3389 Functionality

191146 How to Create a DMZ Network with Proxy Server 2.0



STATUS
Microsoft has confirmed that this is a problem in Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Microsoft Windows NT 4.0 Service Pack 5.



MORE INFORMATION
For more information concerning Windows NT and security issues, please visit the following Microsoft Web site:

http://www.microsoft.com/security/

Keywords: kbhotfixserver kbqfe kbbug kbfix kbnetwork kbqfe KB238600


© Microsoft Corporation. All rights reserved.