Microsoft DNS Server
Subject to Denial of Service Attack
Reported May 27, 1997 by Stefan Arentz
Systems Affected
Windows NT 4.0, up to Service Pack 3, running the MS DNS Server
The Problem
Microsoft DNS can be made to crash by redirecting the output of the Chargen service to the MS DNS
service. A typical attack might be launched from a system using the following command:
$ telnet ntbox 19 | telnet ntbox 53
The above command is shown as it would be typed on a UNIX command line. Once it is issued, a telnet
session is opened on port 19 (chargen) of the ntbox, and all of its output is redirected into a second telnet
session opened on port 53 (dns) of the same ntbox. Launching the attack in this manner may subject the
attacker to the same barrage of packets the DNS service experiences, but nonetheless the attack
succeeds in crashing MS DNS.
Stopping the Attack
Stopping the attack is done by performing one of the following:
1. Don't run MS DNS until it's proven to be less bug-ridden. Instead, you may opt for running a free version of
BIND for NT, which is not subject to this attack. If you rely on MS DNS interoperating with WINS, you may
opt for MetaInfo's DNS, which is a direct BIND port and works great in conjunction with WINS. If you must
go on using MS DNS, be forewarned that it may be incredibly difficult to stop this attack, since it can be
done through impersonation and by using non-standard ports for chargen.
2. You can block TCP port 53 using NT's built-in TCP/IP filtering. This stops zone transfers and TCP-based
name resolution, while UDP port 53 continues to operate normally. DNS normally relies on UDP for its
name resolution transactions.
3. Or, you can filter TCP port 53 on your routers to bordering networks, allowing only trusted secondary DNS
servers to do zone transfers.
Any one of the above three solutions should help you stop the attack cold.
This type of attack (pointing chargen output at other ports) can go a long way towards bogging down lots of
services, some of which die like MS DNS. You'd be well advised to disable NT's Simple TCP/IP Services
(if installed) using Control Panel | Services. This stops the chargen, echo, daytime, discard, and quote of
the day (qotd) services, any of which could be used for denial of service attacks. None of these services
is required for proper network operation - although you should be aware that a few types of network
monitors occasionally test the echo port when they cannot get a response using ping. If you find the need
to run one or more of these services independent of the others, you can turn each respective service on or off
by adjusting Registry entries found in the following subtree:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters
By changing the value of both the EnableTcpXXXX and EnableUdpXXXX parameters for a service from 0x1 to
0x0, you effectively disable that particular service.
The following parameters are available for adjustment:
EnableTcpChargen
EnableTcpDaytime
EnableTcpDiscard
EnableTcpEcho
EnableTcpQotd
EnableUdpChargen
EnableUdpDaytime
EnableUdpDiscard
EnableUdpEcho
EnableUdpQotd
BE CAREFUL WHEN MAKING REGISTRY CHANGES, AS ERRORS CAN RENDER A SYSTEM
NON-BOOTABLE.
Keep in mind that this does not stop attacks that originate from other systems' chargen ports, nor will it
stop impersonated port attacks.
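The following script is an added example, not part of the original advisory: it applies the per-service registry change described above (EnableTcpXXXX / EnableUdpXXXX under the SimpTcp\Parameters key) with PowerShell, which did not exist on NT 4.0 but works on later Windows versions that still ship the Simple TCP/IP Services feature. It assumes the key layout given in the advisory, leaves echo enabled by default for the network monitors mentioned, and treats an absent value as the default of enabled (an assumption).

```powershell
# Added example: audit and optionally disable NT Simple TCP/IP Services
# (chargen, daytime, discard, echo, qotd) by setting the advisory's
# EnableTcp*/EnableUdp* registry values to 0.  Run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Services to disable.  Echo is kept by default because some network
    # monitors probe it when ping gets no answer (see advisory text).
    [string[]]$Disable = @('Chargen', 'Daytime', 'Discard', 'Qotd')
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters'

# "If installed": no key means the Simple TCP/IP Services feature is absent.
if (-not (Test-Path $key)) {
    Write-Host 'Simple TCP/IP Services is not installed; nothing to change.'
    return
}

$params = Get-ItemProperty -Path $key
$report = foreach ($svc in 'Chargen', 'Daytime', 'Discard', 'Echo', 'Qotd') {
    foreach ($proto in 'Tcp', 'Udp') {
        $name = "Enable$proto$svc"
        # Assumption: a missing value behaves like the default, enabled (0x1).
        $before = if ($null -ne $params.$name) { [int]$params.$name } else { 1 }
        $after  = if ($Disable -contains $svc) { 0 } else { $before }

        if ($before -ne $after -and
            $PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $after")) {
            Set-ItemProperty -Path $key -Name $name -Value $after -Type DWord
        }
        [pscustomobject]@{ Parameter = $name; Before = $before; After = $after }
    }
}

# Show what was (or would be) changed; values are the 0x0/0x1 DWORDs the
# advisory describes.
$report | Format-Table -AutoSize

Write-Host 'Restart the "Simple TCP/IP Services" service for changes to take effect.'
```

Back up the SimpTcp key (for example with reg export) before running without -WhatIf, in keeping with the advisory's warning about registry edits.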
Microsoft's Response:
On June 10, 1997, Microsoft posted Hotfixes for this and other DNS related problems on the FTP site.
If you want to learn more about new NT security concerns, subscribe to NTSD.
Credit:
Stefan Arentz
Posted here on The NT Shop, May 27, 1997