[NT] Windows 2000/2003 SYN DoS Attack Protection
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Dec 2005 10:46:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Windows 2000/2003 SYN DoS Attack Protection
------------------------------------------------------------------------
SUMMARY
By flooding Microsoft Windows 2000 and 2003 with SYN packets, attackers can
cause a DoS on the system. The following article illustrates how users can
enable a protection mechanism against this attack, and describes a weakness
in that mechanism that Microsoft has since fixed.
DETAILS
Vulnerable Systems:
* Microsoft Windows 2000 SP4 and prior
* Microsoft Windows 2003 Server
Immune Systems:
* Microsoft Windows 2000 SP4 with Roll Up
* Microsoft Windows 2003 Server SP1
On Windows 2000 and 2003 the system administrator can enable SYN attack
protection in the TCP/IP stack by adding the value SynAttackProtect under
the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
When SynAttackProtect is set to 2, the TCP/IP stack notifies a listening
socket only once the 3-way handshake has completed, and it tracks the
in-progress 3-way handshakes by storing them in a hash table. This way the
backlog of the socket is protected from SYN flood attacks.
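As an added example (not part of the advisory, and not Microsoft's own tooling), the following PowerShell function audits the SynAttackProtect value described above and, with a switch of this example's own (-Enable), sets it to 2. It assumes an elevated PowerShell session on the host being checked (Windows Server 2003 or a later Windows administration host managing the same key); the function name and output wording are this example's.

```powershell
# Added example, not from the SecuriTeam advisory: check and optionally
# enable the SYN attack protection value the advisory describes.
# Assumption: elevated PowerShell on the host; -Enable is this example's own switch.
function Test-SynAttackProtect {
    [CmdletBinding()]
    param([switch]$Enable)

    # Registry location and value name taken from the advisory.
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $valueName = 'SynAttackProtect'

    # Read the current value; $null means the value has never been set,
    # which on the affected systems means the protection is disabled.
    $props   = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $current = if ($null -ne $props) { $props.$valueName } else { $null }

    if ($null -eq $current) {
        Write-Host "$valueName is not set: SYN attack protection is disabled."
    }
    elseif ($current -eq 2) {
        Write-Host "$valueName is 2: listeners are notified only after the 3-way handshake completes."
    }
    else {
        Write-Host "$valueName is $current (not the full protection level 2)."
    }

    $changed = $false
    if ($Enable -and $current -ne 2) {
        # REG_DWORD 2 is the level described in the advisory. Tcpip parameters
        # are read by TCPIP.SYS at boot, so the change takes effect after a restart.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 2 -Force | Out-Null
        Write-Host "Set $valueName to 2. Restart the system for TCPIP.SYS to pick up the change."
        $changed = $true
    }

    # Return a small object so the result can be collected from many hosts.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SynAttackProtect = $current
        Changed          = $changed
    }
}

# Audit only:
Test-SynAttackProtect
# Audit and enable:
# Test-SynAttackProtect -Enable
```

Enabling the value is only half of the picture on the systems this advisory lists as vulnerable: the protection itself had the hash-table weakness described below, so the patched TCPIP.SYS (Windows 2003 SP1 or the Windows 2000 Update Rollup) is what actually closes the issue, and a value of 2 on an unpatched host simply moves the exposure from the socket backlog to the handshake hash table.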
The vulnerability resides in the management of that hash table: the hash
function used by the TCP/IP stack works only on some fields of the incoming
SYN packet and is therefore predictable. An attacker can generate a large
number of SYN packets that share the same hash value and so target the same
hash table bucket. When the victim machine receives them, it stores them all
in that one bucket. The chain attached to this bucket keeps growing, and the
longer it grows, the slower the lookup becomes.
Vendor response:
Microsoft has patched the vulnerability in Windows 2003 SP1 and the Windows
2000 Update Rollup.
The new version of TCPIP.SYS has SYN attack protection enabled by default
and uses a cryptographic hash function (MD5) for the table lookup. The hash
material is the source port, destination port, source IP and destination IP
of the SYN packet, plus pseudo-random material generated at startup.
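The following added example (written for this page; it is neither the advisory's code nor Microsoft's TCPIP.SYS implementation) simulates the two hash-table behaviours described above: a predictable hash that ignores part of the SYN header, and the keyed MD5 construction of the fix (MD5 over source/destination IP and port plus a secret generated at startup). The "unkeyed" hash is a hypothetical stand-in that depends on the two ports only; it is not the function Windows used. The traffic is constructed inline (documentation address ranges, fixed ports, fabricated source addresses).

```powershell
# Added example, not from the advisory or from Microsoft: compare the longest
# bucket chain produced by a predictable, partial-field hash with the chain
# produced by a keyed MD5 over all four fields plus a startup secret.
$Buckets = 1024
$Md5     = [System.Security.Cryptography.MD5]::Create()

# Pseudo-random material "extracted at startup", as the advisory puts it.
$Secret = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Secret)

function Get-UnkeyedBucket {
    # Hypothetical weak hash: it looks only at the ports, so any number of
    # SYNs that keep the ports fixed land in the same bucket regardless of
    # source address. This is a stand-in, not the real Windows function.
    param([int]$SrcPort, [int]$DstPort)
    return ($SrcPort * 31 + $DstPort) % $Buckets
}

function Get-KeyedBucket {
    # Fixed scheme from the advisory: MD5 over src ip, src port, dst ip,
    # dst port and the secret; an attacker who does not know the secret
    # cannot predict which bucket a packet will occupy.
    param([string]$SrcIp, [int]$SrcPort, [string]$DstIp, [int]$DstPort)
    $material = [System.Text.Encoding]::ASCII.GetBytes("$SrcIp|$SrcPort|$DstIp|$DstPort")
    $digest   = $Md5.ComputeHash([byte[]]($Secret + $material))
    return [int]([System.BitConverter]::ToUInt32($digest, 0) % $Buckets)
}

# Constructed sample: 5000 half-open connection attempts against one listener
# (192.0.2.10:80), each from a different fabricated 10.0.x.y source address
# but all using the same source port.
$Syns = 1..5000 | ForEach-Object {
    [pscustomobject]@{
        SrcIp   = "10.0.$([math]::Floor($_ / 256)).$($_ % 256)"
        SrcPort = 40000
        DstIp   = '192.0.2.10'
        DstPort = 80
    }
}

function Get-LongestChain {
    # Count entries per bucket for the given hashing scheme and return the
    # longest chain, which bounds the lookup cost an incoming packet pays.
    param([scriptblock]$BucketOf)
    $counts = @{}
    foreach ($s in $Syns) {
        $b = & $BucketOf $s
        $counts[$b] = 1 + [int]$counts[$b]
    }
    return ($counts.Values | Measure-Object -Maximum).Maximum
}

$weak  = Get-LongestChain { param($s) Get-UnkeyedBucket $s.SrcPort $s.DstPort }
$keyed = Get-LongestChain { param($s) Get-KeyedBucket $s.SrcIp $s.SrcPort $s.DstIp $s.DstPort }

"Unkeyed partial-field hash: longest chain = $weak (every entry in one bucket)"
"Keyed MD5 over all fields:  longest chain = $keyed (close to the $($Syns.Count / $Buckets) per-bucket average)"
```

With the partial-field hash every one of the 5000 entries lands in the same bucket, so each lookup walks the whole chain; with the keyed hash the same traffic spreads across the table and the longest chain stays near the average load. Re-running the script changes $Secret and therefore the bucket assignment, which is the property that makes the fixed lookup unpredictable to a remote sender.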
SYN Resources:
SynAttackProtect is not enabled by default on the affected systems but has
been recommended by a number of articles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315669&sd=tech
http://www.microsoft.com/technet/security/topics/networksecurity/secdeny.mspx
http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTHardTCP.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;142641
http://www.awprofessional.com/articles/article.asp?p=371702
http://www.securiteam.com/tools/5GP0G15GKE.html
ADDITIONAL INFORMATION
The information has been provided by Luigi Mori (lm@xxxxxxxxxxx).
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.