GEN:SID 1:1408
Message DOS MSDTC attempt
Summary A TCP packet having a large payload was detected. This is a possible
indication of an actual or impending denial of service attack against a
host running the Microsoft Distributed Transaction Service Coordinator
(MSDTC).
Impact According to Bugtraq, sending such packets to MSDTC can cause the server to
crash, resulting in a host denial of service. Restarting the service will
enable it to resume normal operation.
Detailed Information According to Bugtraq, MSDTC is installed by default on Windows 2000. It is
also installed by default with Microsoft SQL Server, versions 6.5 and
later. According to Microsoft TechNet, the service is required by Internet
Information Server. The service listens by default on port 3372.

According to the original reporter, Windows 2000 SP2 is vulnerable to this
attack, which does not invariably succeed. The original report was dated
January 31, 2002. As of March 30, 2002, no patch to fix the vulnerability
was known to exist. Moreover, Microsoft was not known to have confirmed the
existence of the problem.
Affected Systems  
Attack Scenarios Under Unix, use /dev/random to generate 1024 bytes of random data and pipe
the data to the target host and port via netcat (Source: SecurityTracker).
The attack does not depend on two-way communication with the victim, so the
source IP address can be spoofed by using a packet crafter.
Ease of Attack The attack can be easily mounted, using any tool that can send crafted
packets or Unix commands.
Corrective Action To manage the vulnerability, configure the system not to automatically start
the MSDTC (Source: Security Operations Guide for Windows 2000 Server).
Alternatively, configure firewall rules to limit access to the service. To
eliminate false positives, revise the Snort rule to specify IP addresses of
only those hosts actually running the service.
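
The false-positive fix described above, as an added example in Snort 2 rule syntax (not the distributed rule text for SID 1408). The variable name MSDTC_SERVERS, the two addresses, the local SID 1000001, and the rule options including the dsize threshold are assumptions based on this page's description of the alert.

```snort
# Constructed example: the addresses are documentation-range placeholders.
# List only the hosts that actually run MSDTC (port 3372 by default).
# Older Snort builds without IPv6 support use "var" instead of "ipvar".
ipvar MSDTC_SERVERS [192.0.2.10/32,192.0.2.11/32]

# Broad form (assumed): fires for a large payload sent to port 3372 on any
# host in $HOME_NET, including hosts where nothing listens on that port.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408;)

# Narrowed form: same match, destination limited to $MSDTC_SERVERS.
# A local SID (1000000 or above) keeps it distinct from the stock rule.
alert tcp $EXTERNAL_NET any -> $MSDTC_SERVERS 3372 (msg:"DOS MSDTC attempt (MSDTC hosts only)"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1000001; rev:1;)
```

If the narrowed rule is loaded from a local rules file, disable the stock SID 1408 so that only the narrowed rule alerts.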
Additional References  
Rule References bugtraq: 4006
cve: 2002-0224
nessus: 10939