Understanding WinNuke Attacks

OS-specific denial-of-service (DoS) attacks, such as WinNuke attacks, can cripple a system with minimal effort.

WinNuke is a DoS attack targeting any computer on the Internet running Windows. The attacker sends a TCP segment—usually to NetBIOS port 139 with the urgent (URG) flag set—to a host with an established connection (see Figure 83). This introduces a NetBIOS fragment overlap, which causes many machines running Windows to crash. After the attacked machine is rebooted, the following message appears, indicating that an attack has occurred:

An exception OE has occurred at 0028:[address] in VxD MSTCP(01) +000041AE. This was called from 0028:[address] in VxD NDIS(01) + 00008660. It may be possible to continue normally.
Press any key to attempt to continue.
Press CTRL+ALT+DEL to restart your computer. You will lose any unsaved information in all applications.
Press any key to continue.

Figure 83: WinNuke Attack Indicators


If you enable the WinNuke attack defense screen option, JUNOS Software scans any incoming Microsoft NetBIOS session service (port 139) packets. If JUNOS Software observes that the URG flag is set in one of those packets, it unsets the URG flag, clears the URG pointer, forwards the modified packet, and makes an entry in the event log noting that it has blocked an attempted WinNuke attack.
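The sanitizing step described above, sketched as an added Python example (not JUNOS code or configuration): it matches a TCP segment addressed to port 139 with URG set, unsets the flag, clears the urgent pointer, and logs the event. The function names, addresses, log text, and the checksum recalculation (needed because the header bytes change) are assumptions made for this illustration.

```python
import struct

NETBIOS_SSN, URG = 139, 0x20
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed addresses

def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def winnuke_screen(src_ip, dst_ip, segment, log):
    """Return the segment to forward; sanitize URG on port-139 traffic."""
    if len(segment) < 20:
        return segment                      # too short to hold a TCP header
    dport = struct.unpack_from("!H", segment, 2)[0]
    if dport != NETBIOS_SSN or not segment[13] & URG:
        return segment                      # not matched: forward untouched
    seg = bytearray(segment)
    seg[13] &= ~URG & 0xFF                  # unset the URG flag
    seg[18:20] = b"\x00\x00"                # clear the urgent pointer
    seg[16:18] = b"\x00\x00"                # zero checksum before recomputing
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    log.append("WinNuke screen: cleared URG on segment to port 139")
    return bytes(seg)

def build_segment(dport, flags, urg_ptr, payload):
    """Constructed test input: a 20-byte TCP header plus payload, never sent."""
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4,
                                flags, 8192, 0, urg_ptr) + payload)
    struct.pack_into("!H", seg, 16, tcp_checksum(SRC, DST, bytes(seg)))
    return bytes(seg)

if __name__ == "__main__":
    events = []
    out = winnuke_screen(SRC, DST, build_segment(139, 0x38, 3, b"abc"), events)
    print(hex(out[13]), out[18:20], tcp_checksum(SRC, DST, out), events)
```

The payload is forwarded unchanged; only the flag, the pointer, and the checksum differ, so the receiving host processes the bytes as ordinary in-band data.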
