GEN:SID | 1:1408 |
Message | DOS MSDTC attempt |
Summary | A TCP packet with a large payload destined for the MSDTC port was detected. This may indicate an actual or impending denial of service attack against a host running the Microsoft Distributed Transaction Coordinator (MSDTC).
|
Impact | According to Bugtraq, sending such packets to MSDTC can cause the server to crash, resulting in a host denial of service. Restarting the service will enable it to resume normal operation.
|
Detailed Information | According to Bugtraq, MSDTC is installed by default on Windows 2000. It is also installed by default with Microsoft SQL Server versions 6.5 and later. According to Microsoft TechNet, the service is required by Internet Information Server (IIS). The service listens by default on TCP port 3372.
According to the original reporter, Windows 2000 SP2 is vulnerable to this attack, which does not always succeed. The original report was dated January 31, 2002. As of March 30, 2002, no patch for the vulnerability was known to exist, and Microsoft was not known to have confirmed the problem.
|
Affected Systems | |
Attack Scenarios | Under Unix, use /dev/random to generate 1024 bytes of random data and pipe the data to the target host and port via netcat (Source: SecurityTracker). The attack does not depend on two-way communication with the victim, so the source IP address can be spoofed using a packet crafter.
|
Ease of Attack | The attack can be easily mounted, using any tool that can send crafted packets or Unix commands.
|
Corrective Action | To mitigate the vulnerability, configure the system not to automatically start the MSDTC service (Source: Security Operations Guide for Windows 2000 Server). Alternatively, configure firewall rules to limit access to TCP port 3372. To reduce false positives, revise the Snort rule so that it matches only the IP addresses of hosts actually running the service.
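The following is an added example, not part of the original rule documentation or of Snort itself. It re-implements the detection logic this rule describes (a large TCP payload sent to port 3372) in plain Python over a few constructed segments, and shows the false-positive reduction suggested above: restricting the match to hosts known to run MSDTC. The payload threshold of 1024 bytes is an assumption taken from the size used in the reported attack; the sample traffic is constructed, not captured.

```python
"""Added example: minimal re-implementation of the 'DOS MSDTC attempt'
signature over constructed TCP segments.

Assumptions (not from the original rule text): the signature fires on a
segment sent to TCP port 3372 whose payload is at least 1024 bytes, and
an optional allow-list of MSDTC hosts narrows the match, mirroring the
Corrective Action advice to specify only hosts running the service."""
import os
from dataclasses import dataclass

MSDTC_PORT = 3372
PAYLOAD_THRESHOLD = 1024  # assumed; the reported attack used 1024 random bytes


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields the signature needs."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_msdtc_dos_attempt(seg, msdtc_hosts=None):
    """Return True if the segment matches the signature.

    If msdtc_hosts is given, segments to any other destination are ignored,
    which is how the rule would be tightened to hosts actually running MSDTC.
    """
    if seg.dport != MSDTC_PORT:
        return False
    if msdtc_hosts is not None and seg.dst not in msdtc_hosts:
        return False
    return len(seg.payload) >= PAYLOAD_THRESHOLD


def scan(segments, msdtc_hosts=None):
    """Return (src, dst) pairs for every segment that triggered the signature."""
    return [(s.src, s.dst) for s in segments if is_msdtc_dos_attempt(s, msdtc_hosts)]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Segment("10.0.0.5", "192.168.1.10", 3372, os.urandom(1024)),  # attack-like, MSDTC host
    Segment("10.0.0.6", "192.168.1.20", 3372, os.urandom(1024)),  # attack-like, host without MSDTC
    Segment("10.0.0.7", "192.168.1.10", 3372, b"\x00" * 64),      # small payload, below threshold
    Segment("10.0.0.8", "192.168.1.10", 80, os.urandom(2048)),    # large payload, wrong port
]
MSDTC_HOSTS = {"192.168.1.10"}  # assumed inventory of hosts running the service

if __name__ == "__main__":
    print("untuned rule:", scan(SAMPLE))
    print("restricted to MSDTC hosts:", scan(SAMPLE, MSDTC_HOSTS))
```

Run as-is, the untuned scan reports both 1024-byte segments, while the host-restricted scan drops the one aimed at 192.168.1.20, which is the alert the Corrective Action text calls a false positive when that host does not run MSDTC.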
|
Additional References | |
Rule References | bugtraq: 4006
cve: 2002-0224
nessus: 10939
|