Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Microsoft)  >   Windows TCP/IP Stack Vendors:   Microsoft
Microsoft Windows TCP/IP Stack Vulnerable to a Certain Man-in-the-Middle Denial of Service Attack
SecurityTracker Alert ID:  1002201
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 15 2001
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the Microsoft Windows TCP/IP stack that allows a man-in-the-middle to cause a denial of service condition.

It is reported that a man-in-the-middle attack that consists of just two TCP packets can cause a significant increase in network traffic and can cause the TCP connection to hang.

A remote user that can monitor network activity and collect the sequence and ACK numbers of an active TCP connection can then trigger an ACK loop by sending a spoofed TCP packet with the ACK and FIN flags enabled to both the source and destination hosts. This will apparently cause the TCP/IP stacks of both the source and destination hosts to try to acknowledge that the peer side wants to close the connection and will therefore both send ACK packets.

As a result, a continious loop of ACK packet traffic between the source and destination hosts will occur. This causes a significant increase in network traffic. It also may cause the source and destination service to crash.

A demonstration exploit Win32 binary is available at:

Impact:   A remote user can cause a significant increase in network traffic and can cause the service using the TCP connection to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Me), Windows (98), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  MiM Simultaneous close attack

MiM simultaneous CLOSE attack

Revision 1.1

For Public Release 2001 August 07 08:00 (GMT +0200)

 Vulnerability :
        MiM simultaneous CLOSE attack
 Vendor :
 Category :
        Man in the middle / Denial of service
 Date :
Credits :
        Korhan Kaya <>
        Document ID   :  MW-TCPMD-03


 1 Summary
 2 Affected systems
 3 Details
 4 Results
 5 Solution
 6 Reproducing
 7 Vendor status
 8 References
 9 Disclaimer
10 Contact

1 Summary

  A Man in the middle attacker can cause network
  flood and denial of the service usage by sending
  2 TCP packets per connection.


 This vulnerability is tested against following platforms
 and they are vulnerable.

 Linux kern-v2.4.x
 Microsoft Windows 2000 Server
 Microsoft Windows 2000 Workstation
 Microsoft Windows ME
 Microsoft Windows 98

possibly other platforms are vulnerable.
Pending platform reports.


  It is possible for an attacker to open ethernet
  at promiscious mode and monitor network activity
  to collect SEQ and ACK's numbers of an active TCP

  An attacker can trigger an ACK loop by sending a
  'spoofed' TCP packet with enabled ACK + FIN flags
  to source host and destination host of an active

  TCP Stacks of client and server will acknowledge
  that the opposite side of the connection wants
  to close the connection. And hosts will immedately
  send ACK packets to complete the sequence.

  The vulnerability exploits at this point.

  Figure A :

    TCP A                MIM           TCP B
    1.ESTABLISHED                      ESTABLISHED
    2..            <-- [CTL=ACK+FIN]
    3.                   [CTL=ACK+FIN] -->
    4.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
    5.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
  1500.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
  1501.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT


  Result of this attack is continious loop of ACK packet
  traffic between client and server.After tranmitting
  MANY packets using maximum throughput , target
  connection will be lost. At this period client
  software and target service may lockup ,freeze or

  Number of transmitted packets and the generated
  traffic depends on host locations.

  Attack becomes more effective if it is used against
  local connections such as local netbios/cifs traffic.

  if an attacker applies above scenario on an avarage
  network,every connection attempt from any host to
  any server will fail , the network transport will
  be saturated in a short time , the collusion
  rates will raise to extreme levels and the cpu
  consuming of computers which is connected to
  network are  increased up to %90 due to the
  packet traffic.





   Vulnerability can be reporduced by using atached win32 binary.
   Download the zip file and follow the steps at the readme.txt


  Microsoft corp. is Informed at 07/30/2001 , no response received.


  RFC 761, Page 35+
  RFC 793
  ACK Storm  (see for Similar


  Korhan Kaya is not responsible for the misuse or illegal use of
  any of the information and/or the software listed on this
  security advisory.

  This text may be redistributed freely after the
  release date given at the top of the text, provided that
  redistributed copies are complete and unmodified.


  Please send suggestions, updates, and comments to:


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC