Rahul,

CIAC has information that there has been an ongoing series of denial-of-service attacks directed at whole blocks of IP addresses. The attack uses UDP fragmentation to exploit a known vulnerability on unpatched Windows NT and Windows 95 systems. The attack is a sequence of two UDP packets, the first being the setup packet, and the second, a malformed UDP packet. Because of the way Microsoft implements the TCP/IP stack, processing these UDP packets places the TCP/IP stack in an unstable state. Unprotected Windows NT machines crash and display the "blue screen of death" during or soon after the attack. Windows NT boxes with only SP1 applied seem to reboot. Windows 95 machines hang. The attack is not intentionally damaging to the machines, but as with all such issues can do damage if the machine is accessing the hard drive at the moment the attack occurs.

Microsoft has tested these malformed packets and believes the teardrop2 hotfix solves this problem. We suggest patching all machines with this hotfix and the smb/cifs (srv hotfix) which protects against a similar attack.

See CIAC Bulletin I-19 for more information on this type of attack and the machines that are vulnerable. Note also that Microsoft has updated and combined the patches for the Teardrop and Land attacks on Windows NT. This patch is now the teardrop2 fix. The teardrop2 hotfix should be used instead of the patches listed in the I-19 Bulletin.

We have noted that Windows NT and Windows 95 machines that were located behind firewalls did not fail during these attacks. We believe this is due to the fact that most firewalls automatically drop malformed UDP packets.


                                                                                       
                            
                   
"Rahul Kachalia"
To: [EMAIL PROTECTED]
Subject: Malformed Packet... [7:35436]
Sent by: nobody@groupstudy.com
02/15/2002 02:38 AM
Please respond to "Rahul Kachalia"

Hi All,

    I am not sure what "Malformed Pkt" by some sniffer or OS means, but I am
assuming either the expected information is missing or didn't match. While
sending fragmented pkts on the network I am seeing such messages on the sniffer; can
someone provide more info on it?

thanks,
rahul.
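
The reply above says most firewalls drop malformed fragmented UDP packets, and the question asks what makes a sniffer call a fragment malformed. The following is an added example, not code from either message or from CIAC: a consistency check over raw IPv4 headers of the kind a strict reassembler applies. It assumes the malformation is a fragment whose offset and length disagree with its siblings, which the messages do not spell out; `parse_ipv4`, `check_fragments`, `_hdr` and the sample values are hypothetical.

```python
import struct
from collections import defaultdict

IPV4 = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, options ignored

def parse_ipv4(hdr):
    """Extract the fields reassembly depends on from a raw IPv4 header."""
    vihl, _, total, ident, frag, _, proto, _, src, dst = struct.unpack(IPV4, hdr[:20])
    return {
        "key": (src, dst, proto, ident),      # fragments of one datagram share this
        "start": (frag & 0x1FFF) * 8,         # fragment offset is in 8-byte units
        "length": total - (vihl & 0x0F) * 4,  # payload bytes in this fragment
        "more": bool(frag & 0x2000),          # MF (more fragments) flag
    }

def check_fragments(headers):
    """Return (ip_id, reason) for fragment sets a strict reassembler would drop."""
    groups, findings = defaultdict(list), []
    for raw in headers:
        f = parse_ipv4(raw)
        if f["more"] or f["start"]:           # ignore unfragmented datagrams
            groups[f["key"]].append(f)
    for key, frags in groups.items():
        end = 0                               # highest payload byte seen so far
        for f in sorted(frags, key=lambda f: f["start"]):
            if f["length"] <= 0:
                findings.append((key[3], "fragment carries no payload"))
            elif f["more"] and f["length"] % 8:
                findings.append((key[3], "non-final fragment length not a multiple of 8"))
            if f["start"] < end:
                findings.append((key[3], "overlaps earlier fragment data"))
            end = max(end, f["start"] + f["length"])
    return findings

def _hdr(ident, off_units, more, payload_len):
    """Constructed sample header (UDP, documentation addresses, checksum 0)."""
    return struct.pack(IPV4, 0x45, 0, 20 + payload_len, ident,
                       (0x2000 if more else 0) | off_units, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed input: datagram 1 is a clean two-fragment split, datagram 2 is not.
SAMPLE = [_hdr(1, 0, True, 24), _hdr(1, 3, False, 12),
          _hdr(2, 0, True, 32), _hdr(2, 3, False, 4)]

if __name__ == "__main__":
    for ident, reason in check_fragments(SAMPLE):
        print(f"IP ID {ident}: {reason}")
```

Only header fields are inspected, so the same check can run on truncated captures that keep the first 20 bytes of each packet.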



