CLARIFICATION
=============

This memo should clarify the issue discovered with the UDP DoS against Windows 2000, involving port 500 UDP. We have received numerous comments and questions about BugTraq Advisory 244265.

PROBLEM
=======

Sending UDP traffic to port 500 UDP will cause Windows to spend excessive CPU time processing this traffic. It is possible for an attacker to cause excessive CPU usage by continuously sending UDP traffic on port 500 to the target machine. This may degrade performance on the target machine or even render it useless, for as long as the attacker keeps sending traffic.

IMPACT
======

The primary impact is that the attacker can cause high CPU loads on the target machine. If the machine is used for critical tasks (domain controller, web server, etc.), this might lead to a serious degradation in performance or even complete loss of service.

Indirect impact may result for all Windows 2000 sites relying on IPSec to secure their Internet communications (i.e. if the attacked host is an IPSec gateway). This was however not tested by us and might require further investigation.

DETAILS
=======

All tests have been conducted with a simple UDP flooder. The traffic sent was not related to IKE; instead the payload of the UDP traffic was simply made up of dots (ASCII 46).

We have conducted tests with various packet lengths, and we noticed that with a packet length of 800 bytes it was possible to drive a Windows 2000 Professional SP2 machine, installed on a Pentium I 233 MMX, to 99% CPU usage. The machine was connected to a 10 Mbit Ethernet, on which the attacking machine also resided.

Another test configuration included a Pentium III based server running at 933 MHz, connected to the attacking machine via a 2 Mbit SDSL line. We were able to cause a CPU usage of around 50% to 80% on this machine by flooding its UDP port 500.
We also tested various UDP ports other than 500, and it became quite clear to us that none of the open ports causes as much CPU usage as port 500 does when it is flooded.

SOLUTION
========

When IPSec is not in use, filter UDP dst port 500 on your border router / firewall. If you don't have a border router or firewall, then one of the various commercially available "personal type" firewalls can help. Note that with the built-in Windows 2000 IPSec filters you *can not* firewall port 500 off (see also Microsoft Knowledge Base article Q253169).

If you are actively making use of IPSec at your site, then an immediate fix to this problem might not be available. ACLs on your firewall/router may help by limiting the range of IP addresses that are allowed to send UDP port 500 traffic to you, so that only legitimate IPSec tunnel partners can reach your server.

REFERENCES
==========

Original Advisory:
http://www.securityfocus.com/archive/1/244265

Microsoft Knowledge Base Article Q253169:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q253169

====

gridrun@spacebitch.com
c0redump@ackers.org.uk
#hacktech @ undernet

Special thanks to Synecta Informatik AG Switzerland for providing us with valuable resources and supporting our work!
http://www.synecta.ch

   .-.
   /v\      L I N U X
  // \\   >I know KungFu!!<
 /(   )\
  ^^-^^
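As an added example (not part of the original memo or its authors' tooling), the following Python sketch applies the SOLUTION section's advice from the defender's side: it scans firewall log lines for sources outside the IPSec partner allow-list that send bursts of UDP/500, and emits the Cisco IOS-style extended ACL (syntax assumed) that limits port 500 to those partners. The log format, addresses, allow-list and threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (hypothetical format): "<epoch> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
SAMPLE_LOG = """\
1005000000 UDP 203.0.113.7:500 -> 192.0.2.10:500 len=228
1005000000 UDP 198.51.100.9:1025 -> 192.0.2.10:500 len=800
1005000000 UDP 198.51.100.9:1026 -> 192.0.2.10:500 len=800
1005000000 UDP 198.51.100.9:1027 -> 192.0.2.10:500 len=800
1005000001 UDP 198.51.100.9:1028 -> 192.0.2.10:500 len=800
1005000001 UDP 198.51.100.9:1029 -> 192.0.2.10:500 len=800
1005000001 UDP 198.51.100.9:1030 -> 192.0.2.10:500 len=800
1005000001 UDP 203.0.113.7:500 -> 192.0.2.10:500 len=228
1005000001 UDP 198.51.100.22:53 -> 192.0.2.10:53 len=70
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) len=\d+$")
# Legitimate IPSec tunnel partners (constructed): the allow-list the memo's ACL advice is built on.
ALLOWED_PEERS = [ip_network("203.0.113.0/24")]

def ike_packets_per_second(log_text):
    """Count UDP/500 packets per (source, second); other ports and protocols are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP" or m["dport"] != "500":
            continue
        counts[(m["src"], int(m["ts"]))] += 1
    return counts

def find_ike_flooders(log_text, allowed_peers=ALLOWED_PEERS, threshold_pps=3):
    """Return {src: peak packets/s} for non-allow-listed sources reaching threshold_pps on UDP/500."""
    peak = defaultdict(int)
    for (src, _ts), n in ike_packets_per_second(log_text).items():
        if any(ip_address(src) in net for net in allowed_peers):
            continue  # a configured partner; note a spoofed source address would also pass this check
        peak[src] = max(peak[src], n)
    return {src: pps for src, pps in peak.items() if pps >= threshold_pps}

def acl_for_ike(target_ip, allowed_peers=ALLOWED_PEERS):
    """Cisco IOS-style extended ACL (assumed syntax): only allow-listed peers may reach target_ip UDP/500."""
    rules = [f"access-list 101 permit udp {net.network_address} {net.hostmask} host {target_ip} eq 500"
             for net in allowed_peers]
    rules.append(f"access-list 101 deny udp any host {target_ip} eq 500")
    return rules
```

Sources that a site trusts as tunnel partners never appear in the flooder list, so the allow-list should be kept as narrow as the set of real IPSec peers.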