
Understanding WinNuke Attacks

OS-specific DoS attacks such as WinNuke attacks can cripple a system with minimal effort.

Before You Begin

For background information, read OS-Specific DoS Attacks Overview.

WinNuke is a DoS attack targeting any computer on the Internet running Windows. The attacker sends a TCP segment—usually to NetBIOS port 139 with the urgent (URG) flag set—to a host with an established connection (see Figure 154). This introduces a NetBIOS fragment overlap, which causes many machines running Windows to crash. After the attacked machine is rebooted, the following message appears, indicating that an attack has occurred:

An exception OE has occurred at 0028:[address] in VxD MSTCP(01) +
000041AE. This was called from 0028:[address] in VxD NDIS(01) +
00008660. It may be possible to continue normally.
Press any key to attempt to continue.
Press CTRL+ALT+DEL to restart your computer. You will lose any unsaved information in all applications.
Press any key to continue.

Figure 154: WinNuke Attack Indicators


If you enable the WinNuke attack defense screen option, JUNOS Software scans any incoming Microsoft NetBIOS session service (port 139) packets. If JUNOS Software observes that the URG flag is set in one of those packets, it unsets the URG flag, clears the URG pointer, forwards the modified packet, and makes an entry in the event log noting that it has blocked an attempted WinNuke attack.
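The normalization described above, sketched as an added Python example (not JUNOS code or output): it clears URG and the urgent pointer on port-139 segments and recomputes the TCP checksum so the forwarded packet stays valid. Matching on destination port, the log wording, the function names, and the sample segment builder are assumptions made for illustration.

```python
import struct

NETBIOS_SSN = 139   # NetBIOS session service port named in the text
URG = 0x20          # URG bit in the TCP flags byte (header offset 13)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data for 16-bit sums
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def winnuke_screen(src_ip: bytes, dst_ip: bytes, segment: bytes, log: list) -> bytes:
    """Return the segment to forward, with URG stripped from port-139 traffic."""
    if len(segment) < 20:
        return segment                       # not a full TCP header; out of scope here
    sport, dport = struct.unpack("!HH", segment[:4])
    flags = segment[13]
    if dport != NETBIOS_SSN or not flags & URG:
        return segment                       # nothing to normalize
    fixed = bytearray(segment)
    fixed[13] = flags & ~URG                 # unset the URG flag
    fixed[16:18] = b"\x00\x00"               # zero the checksum field before recomputing
    fixed[18:20] = b"\x00\x00"               # clear the urgent pointer
    struct.pack_into("!H", fixed, 16, tcp_checksum(src_ip, dst_ip, bytes(fixed)))
    log.append("WinNuke attempt blocked: port %d -> %d" % (sport, dport))  # constructed wording
    return bytes(fixed)

def build_segment(src_ip, dst_ip, sport, dport, flags, urg_ptr, payload=b""):
    """Constructed sample input: a 20-byte TCP header plus payload, valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, urg_ptr)
    seg = bytearray(hdr + payload)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)
```

Because the flags byte and urgent pointer are covered by the TCP checksum, a device that rewrites them without updating the checksum would cause the receiver to drop the segment rather than accept the sanitized one.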
