DoS attack in MS - Proxy 2.0
From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Fri, 9 Oct 1998 15:48:07 +0100
MS-Proxy 2.0 server is susceptible to a massive Denial of Service attack.
The reason this works seems to be a bug whereby in some instances if a
client connection to the proxy server is aborted the connection the proxy
server has made to the remote server is not RESET. This seems to happen in
ftp requests. Consequently, an attacker can make an HTTP GET ftp:// request
to the Web Proxy Service to the Chargen service (TCP port 19) on a remote
host ("GET ftp://some.server.com:19/ HTTP/1.0\n\n") and abort the
connection they have made to the Proxy before a response is received from
the proxy server. Proxy will keep the connection it has made to the remote
server open and continues to receive data ad infinitum. This eventually
leads to the inetinfo.exe process running at 100% and a continuous rise in
memory usage. After 25 minutes memory usage had risen from 5000k to 37000k.
This was tested on NT Server 4 (SP 3 + Hotfixes), IIS 3.0 and MS Proxy 2.0
with a 33.6 kbps connection to the 'Net.
It must also be noted that this may not even be an attack - if a user
decides through his web browser to download a 40Mb file that is linked to
<A HREF="ftp://some.server.com/bigfile.exe"> and then clicks STOP on his/her
browser before Proxy has responded this will have the same effect.
Whilst in this state, the Web Proxy Service will not stop from Internet
Service Manager. You have to use the NT Resource Kit's kill.exe and kill it.
To enable "damage-limitation":
a) Make sure that only trusted and valid users can use MS-Proxy's
b) Limit outbound traffic to services you need for employees to do their
i.e. don't just allow all outbound traffic through the packet filter.
c) Deny any IP address on your internal network in the Domain Filters Tab
just in case an internal user bounces this back into the inside.
I'd suggest, though, that MS produce a fix that makes sure that if the client
connection is aborted, so too is the proxy-to-remote-server connection, because the
may not be viable for some customers.
Cheers and l8r
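Editor's added example (not part of the original post, and not MS Proxy code): a loopback-only simulation of the failure mode described above. A constructed stand-in for chargen streams bytes for ever; a toy forwarder accepts "GET ftp://host:port/ HTTP/1.0", dials the target, and relays. The client sends the request and then aborts (RST) before reading a response, like pressing STOP. With close_upstream_on_client_abort=False the forwarder behaves as the post describes: the server-side connection is never closed and the proxy keeps draining data nobody will read. With True it tears the upstream connection down as soon as the client is gone, which is the fix the post asks for. ORPHAN_CAP is a demo-only bound so the buggy run terminates; the real bug reads without limit. All hostnames, ports and class names here are assumptions made for the example.

```python
import socket
import struct
import threading
import time

# Demo-only bound: the real bug reads for ever; here the buggy proxy stops
# pulling orphaned data after this many bytes but still never closes upstream.
ORPHAN_CAP = 64 * 1024


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    s.listen(5)
    return s


class Chargen:
    """Constructed stand-in for chargen (TCP 19): streams bytes until the
    peer closes. open_conns shows whether the proxy ever let go."""
    PATTERN = b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n"

    def __init__(self):
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        self.open_conns = 0
        self._lock = threading.Lock()
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._stream, args=(conn,), daemon=True).start()

    def _stream(self, conn):
        with self._lock:
            self.open_conns += 1
        try:
            while True:
                conn.sendall(self.PATTERN)  # blocks once the peer stops reading
        except OSError:
            pass  # peer closed or reset the connection
        finally:
            conn.close()
            with self._lock:
                self.open_conns -= 1


class Proxy:
    """Toy forwarder for 'GET ftp://host:port/ HTTP/1.0' (assumed, not MS Proxy).
    close_upstream_on_client_abort=False models the reported behaviour;
    True is the fix: drop the server side as soon as the client is gone."""

    def __init__(self, close_upstream_on_client_abort):
        self.fixed = close_upstream_on_client_abort
        self.orphaned_bytes = 0  # data pulled from the server after the client left
        self.leaked = []         # upstream sockets the buggy proxy never closes
        self.done = threading.Event()
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        client, _ = self.sock.accept()
        try:
            self._handle(client)
        finally:
            self.done.set()

    def _handle(self, client):
        request = client.recv(4096).decode("latin-1")
        target = request.split()[1]  # ftp://host:port/
        host, port = target[len("ftp://"):].split("/")[0].rsplit(":", 1)
        upstream = socket.create_connection((host, int(port)))
        client_alive = True
        try:
            while True:
                data = upstream.recv(4096)
                if not data:
                    break
                if client_alive:
                    try:
                        client.sendall(data)
                        continue
                    except OSError:  # client aborted the connection
                        client_alive = False
                        client.close()
                        if self.fixed:
                            break    # fix: tear down the server connection too
                self.orphaned_bytes += len(data)  # buggy path: keep draining
                if self.orphaned_bytes >= ORPHAN_CAP:
                    self.leaked.append(upstream)  # stays referenced and open
                    return
        finally:
            if self.fixed or client_alive:
                upstream.close()


def abort_request(proxy_port, chargen_port):
    """Send the request, then abort (RST) before reading any response."""
    c = socket.create_connection(("127.0.0.1", proxy_port))
    c.sendall(b"GET ftp://127.0.0.1:%d/ HTTP/1.0\r\n\r\n" % chargen_port)
    time.sleep(0.2)  # let the proxy read the request and dial the server
    c.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    c.close()        # linger 0 => RST on close, an abort, not a graceful FIN


def run_scenario(fixed, settle=2.0):
    """Returns (server-side connections still open, bytes drained after abort)."""
    chargen = Chargen()
    proxy = Proxy(close_upstream_on_client_abort=fixed)
    abort_request(proxy.port, chargen.port)
    proxy.done.wait(5)
    deadline = time.monotonic() + settle
    while time.monotonic() < deadline and chargen.open_conns > 0:
        time.sleep(0.05)
    return chargen.open_conns, proxy.orphaned_bytes


if __name__ == "__main__":
    print("buggy proxy (open upstream, orphaned bytes):", run_scenario(False))
    print("fixed proxy (open upstream, orphaned bytes):", run_scenario(True))
```

The observable is on the chargen side: after the client aborts, the buggy forwarder leaves one server connection open (and has drained ORPHAN_CAP bytes nobody asked for), while the fixed forwarder leaves none. The same check, pointed at a real proxy and a chargen listener you control, is how you would verify a vendor fix: abort the client, then watch whether the listener's connection count drops.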