-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Gert Meijerink                              Index  :    S-98-08
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Denial of service attacks & MS TCP/IP stack Date   :  05-Mar-98
===============================================================================

By courtesy of CERT/CC we received information about denial of service attacks
targeting a vulnerability in the Microsoft TCP/IP stack.

CERT-NL recommends application of the provided patches.
==============================================================================
- - ---------------------------------------------------------------------------
CERT* Summary CS-98.02 - SPECIAL EDITION March 4, 1998


This special edition of the CERT Summary reports denial of service attacks
targeting a vulnerability in the Microsoft TCP/IP stack.

Past CERT Summaries are available from
     ftp://ftp.cert.org/pub/cert_summaries/

- - ---------------------------------------------------------------------------

Denial of service attacks targeting Windows 95/NT machines
- - ----------------------------------------------------------

This special edition of the CERT Summary reports denial of service attacks
targeting a vulnerability in the Microsoft TCP/IP stack. We have received
reports from a number of sites and incident response teams indicating that a
large number of machines were affected.

The attacks involve sending a pair of malformed IP fragments which are
reassembled into an invalid UDP datagram. The invalid UDP datagram causes the
target machine to go into an unstable state. Once in an unstable state, the
target machine either halts or crashes. We have received reports that some
machines crashed with a blue screen while others rebooted.

Attack tools known by such names as NewTear, Bonk, and Boink have been
previously used to exploit this vulnerability against individual hosts;
however, in this instance, the attacker used a modified tool to automatically
attack a large number of hosts.

The solution to protect Windows 95 and NT machines from this attack is to
apply the appropriate Microsoft patch. The Microsoft patch, as well as more
information about the vulnerability, can be found in the January 1998
Microsoft Market Bulletin entitled, "New Teardrop-like TCP/IP Denial of
Service Program" available from:

        http://www.microsoft.com/security/newtear2.htm

Although the first instance of this attack, which started March 2, 1998
appears to be over, keep in mind that the tools to launch this attack are now
available and we expect to see more incidents of this type.


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 52 87 92 82      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 52 87 92 82      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

==============================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBNP6BF1pSTqmIRWKVAQGtaAP/bT7do6zqiiCQ2mtq8RtLlV86fE4mmbON
hm2PGLurV/487oS2E1lj8kEvu8ZR6XGjZt5+rm5GyA5azZv4ltOW2RUjxRar9fgm
6kVVYiwIur0ZSs3e5vCUoH8rReU8kLks+D2Vbx8zWE2UyI/dLNtNv/3Jgzrfuzcr
lClUd8nDfI8=
=cQg4
-----END PGP SIGNATURE-----