Multiple Connection Requests Promote Denial of Service Attack (238600)


The information in this article applies to:

  • Microsoft Windows NT Server 4.0 Terminal Server Edition
This article was previously published under Q238600

SYMPTOMS

When a request to open a new terminal connection is received by a Terminal Server computer, the server undertakes a resource-intensive series of operations to prepare for the connection. The server performs these operations before authenticating the request, thereby allow an attacker to mount a denial of service attack by levying a large number of connection requests and consuming all memory on the Terminal server.

This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection request.

CAUSE

This problem occurs because during the connection setup, there is no control over CPU resource usage. Simultaneous multiple connection requests can prevent the server from responding to other connection requests.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows NT 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

WORKAROUND

To work around this problem, you can filter Transmission Control Protocol (TCP) packets. Terminal Server monitors connection requests on port 3389. If you create a filter that allows only specific TCP/IP addresses or networks to gain access to the Terminal server, it may be possible to prevent this condition from occurring.

For additional information about TCP filters, click the article numbers below to view the articles in the Microsoft Knowledge Base:

169548 Using Proxy Server with Routing and Remote Access

166371 NT 4.0 Does Not Filter Ports Destined for Remote Segments

187628 Using Telnet to Test Port 3389 Functionality

191146 How to Create a DMZ Network with Proxy Server 2.0

STATUS

Microsoft has confirmed that this is a problem in Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Microsoft Windows NT 4.0 Service Pack 5.

MORE INFORMATION

For more information concerning Windows NT and security issues, please visit the following Microsoft Web site:

http://www.microsoft.com/security/

Modification Type:MinorLast Reviewed:9/23/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbnetwork kbQFE KB238600
©2004 Microsoft Corporation. All rights reserved.