Denial of service attacks targeting Windows 95/NT machines

This special edition of the CERT Summary reports denial of service attacks targeting a vulnerability in the Microsoft TCP/IP stack. We have received reports from a number of sites and incident response teams indicating that a large number of machines were affected.

The attacks involve sending a pair of malformed IP fragments which are reassembled into an invalid UDP datagram. The invalid UDP datagram causes the target machine to go into an unstable state. Once in an unstable state, the target machine either halts or crashes. We have received reports that some machines crashed with a blue screen while others rebooted.

Attack tools known by such names as NewTear, Bonk, and Boink have been previously used to exploit this vulnerability against individual hosts; however, in this instance, the attacker used a modified tool to automatically attack a large number of hosts.

The solution to protect Windows 95 and NT machines from this attack is to apply the appropriate Microsoft patch. The Microsoft patch, as well as more information about the vulnerability, can be found in the January 1998 Microsoft Market Bulletin entitled, "New Teardrop-like TCP/IP Denial of Service Program" available from: http://www.microsoft.com/security/newtear2.htm.

Although the first instance of this attack, which started March 2, 1998 appears to be over, keep in mind that the tools to launch this attack are now available and we expect to see more incidents of this type.