NT chargen flood DOS

Summary
Description:Systems with the Simple TCP/IP Services installed will respond to broadcast UDP datagrams sent to the subnet broadcast address. You could presumably use this to attack someone else (by using your target's source address in the broadcast) or take down the NT network by having the source be port 19 of the same broadcast address.
Author:Unknown
Compromise:stupid DOS attack
Vulnerable Systems:Micro$oft NT with the Simple TCP/IP services installed. M$ has a post-SP3 fix available.
Date:23 July 1997
Details


Date: Wed, 23 Jul 1997 17:09:50 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@RC.ON.CA
Subject: Alert: Chargen Flooding fix now available

Thanks to Marc Bejarano for bringing this to our attention.

Excerpt from KB Article Q154460:
A malicious attack may be mounted against Windows NT computers with the
Simple TCP/IP Services installed. The attack consists of a flood of UDP
datagrams sent to the subnet broadcast address with the destination port
set to 19 and a spoofed source IP address. The Windows NT computers
running Simple TCP/IP services respond to each broadcast, creating a
flood of UDP datagrams.

The fix, and the full KB article can be found at;

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixe
s-postSP3/simptcp-fix

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]