				   Microsoft DNS Server
                          Subject to Denial of Service Attack

                            Reported May 27, 1997 by Stefan Arentz

  Systems Affected

  Windows NT 4.0 through Service Pack 3, running the Microsoft DNS Server (MS DNS)

  The Problem

  Microsoft DNS can be made to crash by feeding it the output of the Character Generator (chargen,
  TCP port 19) service: anything that streams chargen's endless text into the TCP listener on port 53
  will do. A typical attack might be launched from a UNIX system with the following command:

  $ telnet ntbox 19 | telnet ntbox 53

  The above command is shown as seen on a UNIX command line. Once it is issued, a telnet session is
  opened to port 19 (chargen) of ntbox, and everything it receives is piped into a second telnet session
  opened to port 53 (DNS) of the same ntbox. Launching the attack this way may subject the attacker's
  own terminal to the same barrage of characters the DNS service receives, but the attack nonetheless
  succeeds in crashing MS DNS.
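  What makes a chargen stream lethal to a TCP listener on port 53 is the framing: over TCP, every DNS
  message is prefixed by a two-byte big-endian length, so the first two characters of chargen text become
  a bogus length and the bytes after them are nonsense to a header parser. The Python below is an added
  example, not code from the advisory or from Microsoft; it does not reproduce MS DNS's parser and makes
  no claim about where that parser failed. It shows the defensive shape a TCP DNS receiver should have:
  validate the length prefix, bound every section count against the message size, and walk the question
  name with label-length and compression-pointer checks so that arbitrary garbage is rejected rather than
  parsed. The chargen sample, the query builder and every function name are constructed for this example.

```python
import struct

DNS_HEADER_LEN = 12   # RFC 1035 fixed header: ID, flags, QD/AN/NS/AR counts
MAX_LABEL = 63
MAX_NAME = 255


def chargen_stream(nbytes):
    """Constructed stand-in for what port 19 emits (RFC 864): rotating
    72-column lines of printable ASCII. Sample input only, not captured traffic."""
    chars = bytes(range(32, 127))
    out, row = bytearray(), 0
    while len(out) < nbytes:
        out += bytes(chars[(row + j) % len(chars)] for j in range(72)) + b"\r\n"
        row += 1
    return bytes(out[:nbytes])


def build_query(name, qid=0x1234, qtype=1):
    """Minimal standard query (QR=0, RD=1): one question, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def tcp_frame(msg):
    """DNS over TCP (RFC 1035 4.2.2): two-byte big-endian length, then the message."""
    return struct.pack(">H", len(msg)) + msg


def _walk_name(msg, off):
    """Check one domain name at `off` and return the offset just past it.
    Raises ValueError on an oversized label, an overlong name, a compression
    pointer that is not strictly backward (so it can never loop), or truncation."""
    start, total = off, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((n & 0x3F) << 8) | msg[off + 1]
            if target < DNS_HEADER_LEN or target >= start:
                raise ValueError("compression pointer does not point strictly backward")
            return off + 2
        if n > MAX_LABEL:                         # also rejects reserved 0x40/0x80 label types
            raise ValueError("label length %d > %d" % (n, MAX_LABEL))
        total += n + 1
        if total > MAX_NAME:
            raise ValueError("name longer than %d bytes" % MAX_NAME)
        off += 1 + n


def validate_message(msg):
    """Return (True, 'ok') for a structurally sound message, else (False, why).
    Never raises and never indexes out of range: garbage is rejected, not parsed."""
    if len(msg) < DNS_HEADER_LEN:
        return False, "shorter than header"
    _qid, _flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    # A question needs at least 5 bytes (root label + type + class), an RR at least 11.
    if DNS_HEADER_LEN + 5 * qd + 11 * (an + ns + ar) > len(msg):
        return False, "section counts exceed message length"
    off = DNS_HEADER_LEN
    try:
        for _ in range(qd):
            off = _walk_name(msg, off)
            if off + 4 > len(msg):
                raise ValueError("question truncated")
            off += 4
    except ValueError as e:
        return False, str(e)
    return True, "ok"


def parse_tcp_stream(data):
    """Split a TCP byte stream into DNS messages. Returns (messages, status):
    'ok' when the whole stream was consumed, otherwise why parsing stopped."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        (length,) = struct.unpack_from(">H", data, off)
        if length < DNS_HEADER_LEN:
            return msgs, "length prefix %d below header size" % length
        if off + 2 + length > len(data):
            return msgs, "incomplete frame (%d of %d bytes)" % (len(data) - off - 2, length)
        body = data[off + 2:off + 2 + length]
        ok, why = validate_message(body)
        if not ok:
            return msgs, why
        msgs.append(body)
        off += 2 + length
    return msgs, "ok" if off == len(data) else "dangling byte"


if __name__ == "__main__":
    print(parse_tcp_stream(tcp_frame(build_query("example.com"))))   # one message, 'ok'
    print(parse_tcp_stream(chargen_stream(300)))                     # ' !' read as length 8225
    print(parse_tcp_stream(b"\x00\x3c" + chargen_stream(60)))        # counts field is '$%' = 9253
```

  Run stand-alone, the first call accepts a well-formed query and the other two reject raw chargen text:
  the leading space and exclamation mark become a length of 8225 that the stream never delivers, and when a
  plausible length is forced in front of the text, the question count read from the header cannot fit in
  the message. A receiver that stops at these checks spends no time on the bytes that follow.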

  Stopping the Attack

  Stopping the attack is done by performing one of the following: 

  Don't run MS DNS until it's proven to be less bug-ridden. Instead, you may opt for running a free version of
  BIND for NT, which is not subject to this attack. If you rely on MS DNS interoperating with WINS, you may
  opt for MetaInfo's DNS, which is a direct BIND port and works well in conjunction with WINS. If you must
  go on using MS DNS, be forewarned that this attack may be incredibly difficult to stop by filtering alone:
  the stream can arrive from a spoofed source address, and a chargen-style generator can run on any port,
  not just 19.

  You can block TCP port 53 using NT's built-in TCP/IP filtering. This stops zone transfers and TCP-based
  name resolution; UDP port 53 continues to operate normally, and DNS normally relies on UDP for its
  name-resolution transactions.

  Or, you can filter TCP port 53 on your routers to bordering networks, allowing only trusted secondary DNS
  servers to do zone transfers. 

  Any one of the above three solutions should help you stop the attack cold. 

  This type of attack (pointing chargen output at other ports) can go a long way towards bogging down many
  services, some of which, like MS DNS, crash outright. You'd be well advised to disable NT's Simple TCP/IP
  Services (if installed) using Control Panel | Services. This stops the chargen, echo, daytime, discard, and
  quote of the day (qotd) services, any of which could be used for denial of service attacks. None of these
  services is required for proper network operation, although you should be aware that a few types of network
  monitors occasionally test the echo port when they cannot get a response using ping. If you need to run one
  or more of these services independently of the others, you can turn each service on or off by adjusting
  Registry entries found in the following subtree:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters

  Each service has one value per transport. Changing both the EnableTcpXXXX and EnableUdpXXXX values for a
  service from 0x1 to 0x0 disables that service entirely; changing only one of them disables it on that
  transport alone.

  The following parameters are available for adjustment:

       EnableTcpChargen 
       EnableTcpDaytime 
       EnableTcpDiscard 
       EnableTcpEcho 
       EnableTcpQotd 
       EnableUdpChargen 
       EnableUdpDaytime 
       EnableUdpDiscard 
       EnableUdpEcho 
       EnableUdpQotd

  BE CAREFUL WHEN MAKING REGISTRY CHANGES, AS ERRORS CAN RENDER A SYSTEM
  NON-BOOTABLE. 
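  As an added example (not part of the original advisory), the following .reg file turns off chargen on
  both transports while leaving echo, daytime, discard and qotd at their existing settings, which is the
  selective case described above. It assumes Simple TCP/IP Services is installed so that the key and
  values already exist; REGEDIT4 is the export format NT 4.0's regedit reads, and each value is a DWORD.

```reg
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters]
"EnableTcpChargen"=dword:00000000
"EnableUdpChargen"=dword:00000000
```

  Merge it with regedit (or set the two values by hand), then stop and restart Simple TCP/IP Services from
  Control Panel | Services so the change takes effect; a value of dword:00000001 re-enables the service on
  that transport. Back up the key before merging, as the warning above advises.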

  Keep in mind that this does not stop attacks that originate from other systems' chargen ports, nor attacks
  that use spoofed source addresses or non-standard ports.

  Microsoft's Response:

  On June 10, 1997, Microsoft posted hotfixes for this and other DNS-related problems on its FTP site.

  If you want to learn more about new NT security concerns, subscribe to NTSD. 

  Credit: 
  Stefan Arentz
  Posted here on The NT Shop, May 27, 1997