Topic: Windows NT/2000 DoS via stream3 flood attack
Authors: Dark Zorro <[email protected]>,
Error <[email protected]>
Date: 2 December 2000 (yes... it's old)
Vendor Informed: 2 December 2000
Software affected: Windows NT 4.0, Windows 2000
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
Stream 3 is flood attack of absolutely identical empty TCP packets with
ACK and FIN flags. Dark Zoro and Error discovered unpatched Windows
leaks the memory from non-paged kernel space during stream 3 attack
against NetBIOS (TCP/139) port. This memory never released back after
attack. Since this attack doesn't require TCP connection it may bypass
purely configured packet filters. Effectivity of attack depends on
amount of RAM installed in target host, routing schema and link
bandwidth between source and target (xDSL/10BaseT is ideal). Results may
vary from missing 2-3 Mb of memory from non-paged pool to blue screen.
I've got few unverified reports of successful usage of stream 3 against
different ports and different systems.
Microsoft was contacted on December, 2 2000. On December, 15 private fix
Q280446 for Windows 2000 was released. It was made public few months
later and was included into Service Pack 2.
Microsoft failed to reproduce and fix problem under Windows NT 4.0
For Windows 2000 apply SP2. Make sure you filter all traffic to
stream3o.c compiles and works under i386 FreeBSD. stream3.c should be
more compatible and fast, but not tested.