DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  SYN

SYSTEMS AFFECTED

  Win NT 3.51, 4.0
  

PROBLEM


    This vulnerability was originally presented on:

        www.ntshop.com/security

    and this text (or it's parts) is their credit.

    "Computer hackers" can target an entire machine, or a specific TCP
    service such  as web  services. The  attack is  focused on the TCP
    protocol  used  by  all  computers  on  the  Internet,  and is not
    specific to  the Windows  NT operating  system.   

    The following information is from Microsoft KB source:

        A  TCP  connection  request  (SYN)  is  sent  to  the   target
        computer.  The source IP  address in the packet is  "spoofed,"
        or  replaced  with  an  address  that  is  not  in  use on the
        Internet, or  that belongs  to another  computer. An  attacker
        will send many of these TCP  SYNs to tie up as many  resources
        as possible on the target computer,

        Upon  receiving  the  connection  request, the target computer
        allocates resources  to handle  and track  the new connection,
        then responds with a "SYN-ACK". In this case, the response  is
        sent to the "spoofed" non- existent IP address,

        No response is received  to the SYN-ACK. A  default-configured
        Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK  5
        times, doubling the time-out value after each  retransmission.
        The initial time-out  value is three  seconds, so retries  are
        attempted at  3, 6,  12, 24,  and 48  seconds. After  the last
        retransmission,  96  seconds  are  allowed  to pass before the
        computer gives  up on  receiving a  response, and  deallocates
        the resources that were set aside earlier for the  connection.
        The  total  elapsed  time  that  resources  are  in use is 189
        seconds.

    If you suspect that your computer  is the target of a SYN  attack,
    you can  type the  following command  at a  command prompt to view
    connections in the "SYN_RECEIVED" state:

        netstat -n -p tcp

    This command may cause the following text to appear on your
    screen:

        Active Connections

        Proto Local Address Foreign Address State
        TCP 127.0.0.1:1030 127.0.0.1:1032 ESTABLISHED
        TCP 127.0.0.1:1032 127.0.0.1:1030 ESTABLISHED
        TCP 10.57.8.190:21 10.57.14.154:1256 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1257 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1258 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1259 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1260 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1261 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1262 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1263 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1264 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1265 SYN_RECEIVED
        TCP 10.57.8.190:21 10.57.14.154:1266 SYN_RECEIVED
        TCP 10.57.8.190:4801 10.57.14.221:139 TIME_WAIT

    If a large  number of connections  are in the  SYN_RECEIVED state,
    it  is  possible  that  the  system  is  under  attack.  A network
    analyzer can  be used  to track  the problem  down further, and it
    may be  necessary to  contact your  Internet Service  Provider for
    assistance in attempting to trace the source.

    The  effect  of  tying  up  connection resources varies, depending
    upon the TCP/IP stack and applications listening on the TCP  port.
    For most  stacks, there  is a  limit on  the number of connections
    that can be in the half-open (SYN_RECEIVED) state. Once the  limit
    is reached for a given TCP port, the target computer responds with
    a reset  to all  further connection  requests until  resources are
    freed.

    Microsoft has confirmed the TCP/IP protocol in Windows NT versions
    3.51 and 4.0 to be vulnerable to these attacks.



EXPLOIT

  

SOLUTION


    Use the hot-fixes available   from Microsoft (fot both Windows  NT
    3.51 and  Windows NT  4.00). Obtain  the Service  Packs, or follow
    some of the  suggestions that Microsoft  gave in his  KB about SYN
    attacks.