Internet Security Systems

WinNuke attack

advICE : Intrusions : 2000303

Summary

This indicates a probable attempt to crash the system.

Details

"WinNuke" is a very old DoS attack and probably has no effect against newer systems. These days, it often indicates that a "script kiddie" is attacking your system.

Defense

Download and install the patch from Microsoft; see below.

Systems Affected

Win95 OSR2 and earlier, WinNT 4.0 SP3 and earlier. Any system purchased since 1998 is likely unaffected by this.

Notes

The problem arises when a TCP feature known as "Out-of-Band (OOB)" data is used. Because this feature is not really used by any Internet applications, the Microsoft TCP/IP stack had bugs that went undiscovered. OOB data is signalled by setting the URG bit on TCP frames, in this case on ports 135-139. Some versions of Microsoft Windows will crash if they receive such a frame. See the Microsoft Advisory for more information.

Trigger

This event triggers whenever a TCP packet is seen being sent to common Windows ports (e.g. ports 135, 137, 138, 139) with the "urgent" (a.k.a. out-of-band, URG) flag set.

More information

q143478         Stop 0A in Tcpip.sys When Receiving Out Of Band (OOB) Data
CVE-1999-0153   Windows NetBIOS TCP OOB aka WinNuke

Parametric information

port      The TCP destination port.
flags     The TCP flags from the offending frame. The flags are: S (SYN), F (FIN), R (RESET), P (PUSH), A (ACK), U (URGENT), 4 (low-order unused bit), 8 (high-order unused bit).
options   The TCP options from the offending frame. The options are displayed as "option-value", separated by commas. No-ops are not displayed.
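
The trigger condition and the three reported fields, as an added example (not ISS code): a Python check over a raw TCP header that fires on URG sent to the listed ports and renders flags and options in the notation described above. The mapping of "4" and "8" to bits 0x40 and 0x80, the hex rendering of option values, and the sample segment are assumptions made for this example.

```python
import struct

WATCHED_PORTS = {135, 137, 138, 139}      # ports named in the Trigger text
# Flag letters from the page; "4"/"8" assumed to be the two bits above URG.
FLAG_BITS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"),
             (0x10, "A"), (0x20, "U"), (0x40, "4"), (0x80, "8")]
# Constructed sample (not captured traffic): 40000 -> 139, PSH+ACK+URG,
# options = NOP, NOP, MSS 1460, end-of-list, pad.
SAMPLE = bytes.fromhex("9c40008b00000001000000007038200000000003"
                       "0101020405b40000")

def format_options(raw: bytes) -> str:
    """Render TCP options as "kind-hexvalue", comma separated, skipping no-ops."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # no-op: not displayed
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                          # malformed length: stop parsing
        length = raw[i + 1]
        out.append(f"{kind}-{raw[i + 2:i + length].hex()}")
        i += length
    return ",".join(out)

def inspect_tcp(segment: bytes):
    """Return the event fields if the segment matches the trigger, else None."""
    if len(segment) < 20:
        return None                        # truncated header
    _sport, dport, _seq, _ack, off, flags, _win, _cksum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return None                        # malformed data offset
    if not (flags & 0x20) or dport not in WATCHED_PORTS:
        return None                        # URG clear, or port not watched
    return {"port": dport,
            "flags": "".join(c for bit, c in FLAG_BITS if flags & bit),
            "options": format_options(segment[20:hdr_len])}

if __name__ == "__main__":
    print(inspect_tcp(SAMPLE))
```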

 
Version appeared:  
