Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Windows TCP/IP Denial of Service Attacks (Sockstress)

(MS09-048, CVE-2008-4609, CVE-2009-1925, CVE-2009-1926)

Multiple vulnerabilities exist in the way Microsoft Windows processes TCP/IPconnections.

TCP/IP is a set of networking protocols that are widely used on the Internet to connect between diverse hardware architectures and that run various operating systems.

A remote attacker could exploit these vulnerabilities by sending specially crafted TCP/IP packets to an affected system. Successful exploitation of these vulnerabilities could allow the attacker to take complete control of the affected system or cause the affected system to become non-responsive.

CVE-2009-4609 (Sockstress)

This denial of service vulnerability is due to the Windows TCP/IP stack failing to properly handle large numbers of established TCP connections. An attacker could exploit the vulnerability by flooding a system with an excessive number of TCP connections by sending specially crafted packets with the TCP receive window size set to a very small value.


Figure 1 Sockstress Attack

After the connection is established (3 way handshake), the attacker sends an HTTP request and sets the window size to zero. The victim sends zero-window probes, but no data since the window size is 0. The connection keeps consuming kernel memory and, by creating large numbers of such connections, attackers can exhaust TCP memory pool and block new connections from opening.

Check Point provides a protection that detects and blocks attempts to exploit this TCP vulnerability.

CVE-2009-1925

This is a SYN flood attack in which the client doesn’t send the final acknowledgment to the server's SYN-ACK response in the handshaking sequence, which causes the server to keep sending SYN-ACKs until it eventually times out.

The vulnerability is due to the Windows TCP/IP stack failing to clean up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An attacker could exploit this vulnerability by creating special network packets and sending them to a listening service on an affected system.

Check Point has protected against this vulnerability since 2002. No update is required to address this issue if theprotection for blocking SYN attacks has been applied.

CVE-2009-1926

This denial of service vulnerability is due to the Windows TCP/IP stack allowing connections to hang indefinitely in the FIN-WAIT-1 or FIN-WAIT-2 state under certain conditions. An attacker could exploit this vulnerability by flooding a system with connections designed to keep the TCP connection state in the FIN-WAIT-1 or FIN-WAIT-2 state indefinitely.

When an attacker connects, the server performs a three way handshake and advertises a window size of 0. The server then sends zero window probes to the client. Once that queue is emptied, the server will stop sending zero window probes, resulting in the connection staying open and in the FIN_WAIT_1 or FIN_WAIT_2 state indefinitely. A large number of such connections could result in denial of service.

Check Point protects against this vulnerability by enforcing the window size.

Protection

Check Point provides protections that detect and block attempts to exploit these TCP vulnerabilities though its integrated IPS products: IPS Software Blade, and SmartDefense. Protection is also available from Check Point’s dedicated IPS, IPS-1.