Microsoft Windows TCP/IP Stack Vulnerable to a Certain Man-in-the-Middle Denial of Service Attack
SecurityTracker Alert ID: 1002201
SecurityTracker URL: http://securitytracker.com/id/1002201
Date: Aug 15 2001
Denial of service via network
Exploit Included: Yes
A vulnerability has been reported in the Microsoft Windows TCP/IP stack that allows a man-in-the-middle to cause a denial of service condition.
It is reported that a man-in-the-middle attack consisting of just two TCP packets can cause a significant increase in network traffic and cause the TCP connection to hang.
A remote user who can monitor network activity and collect the sequence and acknowledgment numbers of an active TCP connection can trigger an ACK loop by sending one spoofed TCP packet with the ACK and FIN flags set to each end of the connection, each packet appearing to come from the other end. Each host's TCP/IP stack concludes that its peer wants to close the connection, moves to CLOSE-WAIT and acknowledges the FIN. Because the spoofed FIN consumed a sequence number that the peer never actually sent, each host's ACK acknowledges one octet beyond what the peer has transmitted; under the RFC 793 receive rules the peer treats such a segment as unacceptable, drops it and replies with an ACK of its own, which is equally unacceptable to the first host.
The result is a continuous loop of ACK packets between the source and destination hosts, causing a significant increase in network traffic. It may also cause the client and the service using the connection to crash.
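The loop described above (and again in the "Figure A" exchange of the source advisory below) can be reproduced on paper with a minimal model of the RFC 793 receive rules. The following is an added example, not the advisory's own exploit (which is a Win32 binary that is not reproduced here): it sends no packets, and the host names, window size and sequence numbers are constructed. Two endpoints each receive a forged FIN+ACK carrying the sniffed numbers, then bounce ACKs at each other until a round limit is hit. An optional per-endpoint ACK budget stands in for the challenge-ACK rate limit that RFC 5961 later recommended (a fixed budget rather than a per-second counter is an assumption for the sake of the example), and a heuristic detector flags the traffic pattern the loop produces.

```python
# Added example: model of the two-packet "simultaneous close" ACK storm using
# the RFC 793 receive rules (sequence check, then ACK check). No packets are
# sent; all addresses, windows and sequence numbers below are constructed.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

FIN, ACK = 0x01, 0x10


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: int
    length: int = 0  # payload octets; a pure ACK carries none


@dataclass
class Endpoint:
    name: str
    peer: str
    snd_nxt: int               # next sequence number this side will send
    rcv_nxt: int               # next sequence number expected from the peer
    rcv_wnd: int = 8192
    state: str = "ESTABLISHED"
    ack_budget: Optional[int] = None  # None: unlimited (RFC 793 behaviour)
    sent: int = 0

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one segment and return the ACK it provokes, if any."""
        # RFC 793: an unacceptable sequence number is answered with an ACK and
        # the segment is dropped. After the spoofed FIN consumed one number,
        # the peer's genuine seq looks "old" from this side's point of view.
        if not (self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd):
            return self._unsolicited_ack()
        # RFC 793: an ACK for data never sent is also answered with an ACK.
        if seg.ack > self.snd_nxt:
            return self._unsolicited_ack()
        self.rcv_nxt += seg.length
        if seg.flags & FIN:
            self.rcv_nxt += 1                      # a FIN occupies one number
            if self.state == "ESTABLISHED":
                self.state = "CLOSE-WAIT"
            return self._ack()                     # legitimate reply to a FIN
        return None

    def _unsolicited_ack(self) -> Optional[Segment]:
        # Assumed stand-in for the RFC 5961 challenge-ACK rate limit: a fixed
        # budget of ACKs sent in reply to unacceptable segments.
        if self.ack_budget is not None:
            if self.ack_budget == 0:
                return None
            self.ack_budget -= 1
        return self._ack()

    def _ack(self) -> Segment:
        self.sent += 1
        return Segment(self.name, self.peer, self.snd_nxt, self.rcv_nxt, ACK)


def run_storm(rounds: int, ack_budget: Optional[int] = None):
    """Forge one FIN+ACK per direction from the sniffed numbers, then let the
    two victims exchange segments for at most `rounds` round trips."""
    a = Endpoint("A", "B", snd_nxt=1000, rcv_nxt=5000, ack_budget=ack_budget)
    b = Endpoint("B", "A", snd_nxt=5000, rcv_nxt=1000, ack_budget=ack_budget)
    hosts = {"A": a, "B": b}
    # The attacker's two packets: each tells a host that the *other* is closing.
    inflight = [
        a.receive(Segment("B", "A", b.snd_nxt, a.snd_nxt, FIN | ACK)),
        b.receive(Segment("A", "B", a.snd_nxt, b.snd_nxt, FIN | ACK)),
    ]
    trace = list(inflight)
    for _ in range(rounds):
        inflight = [r for s in inflight if (r := hosts[s.dst].receive(s))]
        trace.extend(inflight)
        if not inflight:             # only happens once a budget runs out
            break
    return a, b, trace


def detect_ack_storm(trace, threshold: int = 20):
    """Heuristic: the same zero-payload ACK (src, dst, seq, ack) repeated at
    least `threshold` times in *both* directions between a pair of hosts."""
    counts = Counter((s.src, s.dst, s.seq, s.ack)
                     for s in trace if s.flags == ACK and s.length == 0)
    loud = {(src, dst) for (src, dst, _, _), n in counts.items() if n >= threshold}
    return sorted({tuple(sorted(p)) for p in loud if p[::-1] in loud})


if __name__ == "__main__":
    a, b, trace = run_storm(rounds=100)
    print(a.state, b.state, len(trace), detect_ack_storm(trace))
    # RFC 793 behaviour: CLOSE-WAIT CLOSE-WAIT 202 [('A', 'B')]
    _, _, limited = run_storm(rounds=100, ack_budget=5)
    print(len(limited))   # the loop dies once each side's budget is spent: 12
```

Under plain RFC 793 rules the trace grows by two segments per round trip and every segment is the same pure ACK in each direction, which is exactly the repetition the detector keys on; with a bounded budget of unsolicited ACKs the exchange stops after a handful of round trips. Real stacks of the period also differed in whether they acknowledged an out-of-window ACK at all, which is why the advisory lists some platforms as vulnerable and others as pending.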
A demonstration exploit Win32 binary is available at:
A remote user can cause a significant increase in network traffic and can cause the service using the TCP connection to crash.
No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Underlying OS: Windows (Me), Windows (98), Windows (2000)
Source Message Contents
Subject: MiM Simultaneous close attack
MiM simultaneous CLOSE attack
For Public Release 2001 August 07 08:00 (GMT +0200)
Man in the middle / Denial of service
Korhan Kaya <firstname.lastname@example.org>
Document ID : MW-TCPMD-03
2 Affected systems
7 Vendor status
A man-in-the-middle attacker can cause a network
flood and denial of service by sending
2 TCP packets per connection.
2 AFFECTED SYSTEMS
This vulnerability was tested against the following platforms,
which are vulnerable.
Microsoft Windows 2000 Server
Microsoft Windows 2000 Workstation
Microsoft Windows ME
Microsoft Windows 98
Possibly other platforms are vulnerable.
Platform reports pending.
It is possible for an attacker to open an Ethernet interface
in promiscuous mode and monitor network activity
to collect the SEQ and ACK numbers of an active TCP connection.
An attacker can trigger an ACK loop by sending a
'spoofed' TCP packet with the ACK + FIN flags enabled
to the source host and destination host of an active TCP connection.
The TCP stacks of client and server will acknowledge
that the opposite side of the connection wants
to close the connection, and the hosts will immediately
send ACK packets to complete the sequence.
The vulnerability is exploited at this point.
Figure A :
         TCP A                    MIM                    TCP B
2.                 <-- [CTL=ACK+FIN]
3.                                 [CTL=ACK+FIN] -->
4.    CLOSE-WAIT   --> <CTL=ACK> -->                     CLOSE-WAIT
5.    CLOSE-WAIT   <-- <CTL=ACK> <--                     CLOSE-WAIT
...
1500. CLOSE-WAIT   --> <CTL=ACK> -->                     CLOSE-WAIT
1501. CLOSE-WAIT   <-- <CTL=ACK> <--                     CLOSE-WAIT
The result of this attack is a continuous loop of ACK packet
traffic between client and server. After transmitting
MANY packets at maximum throughput, the target
connection will be lost. During this period client
software and the target service may lock up, freeze or
crash.
The number of transmitted packets and the generated
traffic depend on host locations.
The attack becomes more effective if it is used against
local connections such as local NetBIOS/CIFS traffic.
If an attacker applies the above scenario on an average
network, every connection attempt from any host to
any server will fail, the network transport will
be saturated in a short time, the collision
rates will rise to extreme levels and the CPU
consumption of computers connected to the
network will increase up to 90% due to the
6 HOW TO REPRODUCE VULNERABILITY
The vulnerability can be reproduced by using the attached Win32 binary.
Download the zip file and follow the steps in the readme.txt.
7 VENDOR STATUS
Microsoft Corp. was informed on 07/30/2001; no response has been received.
RFC 761, page 35+
ACK Storm: http://www.insecure.org/stf/iphijack.txt (see for similar
Korhan Kaya is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this
This text may be redistributed freely after the
release date given at the top of the text, provided that
redistributed copies are complete and unmodified.
Please send suggestions, updates, and comments to: