DOCUMENT:Q179129
TITLE :STOP 0x0000000A or 0x00000019 Due to Modified Teardrop Attack
PRODUCT :Microsoft Windows NT
PROD/VER:3.51 4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbbug3.51 kbfix4.00 kbfix3.51 kbfile NTSrvWkst nttcp
--------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows NT Workstation versions 3.51 and 4.0
- Microsoft Windows NT Server versions 3.51 and 4.0
- Microsoft Windows NT Server Enterprise Edition version 4.0
--------------------------------------------------------------------------
SYMPTOMS
========
Windows NT may stop responding (hang) with a STOP 0x0000000A or 0x00000019
message after receiving a number of deliberately corrupted UDP packets.
CAUSE
=====
This behavior occurs due to a variation of the "teardrop" attack. Windows
NT 4.0 with Service Pack 3 and the ICMP-fix is not susceptible to the
original form of the teardrop attack. For more information on the ICMP-fix,
please see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q154174
TITLE : Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95
The modified teardrop attack works by sending pairs of deliberately
constructed IP fragments which are reassembled into an invalid UDP
datagram. Overlapping offsets cause the second packet to overwrite data in
the middle of the UDP header contained in the first packet in such a way
that the datagrams are left incomplete.
As Windows NT receives these invalid datagrams, it allocates kernel memory.
If enough of these invalid datagrams are received Windows NT may hang with
a STOP 0x0000000A or 0x00000019.
RESOLUTION
==========
Windows NT 4.0
--------------
To resolve this problem, obtain the following fix or wait for the next
Windows NT service pack.
This fix should have the following time stamp:
01/09/98 08:16a 143,664 Tcpip.sys (Intel)
01/09/98 08:13a 263,536 Tcpip.sys (Alpha)
This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
hotfixes-postSP3/teardrop2-fix/
NOTE: The above link is one path; it has been wrapped for readability.
NOTE: This fix supercedes the ICMP-fix, the OOB-fix, and the Land-fix
hotfixes.
Windows NT 3.51
---------------
To resolve this problem, obtain the following fix.
This fix should have the following time stamp:
01/14/98 12:04p 123,824 Tcpip.sys (Intel)
01/14/98 12:00p 216,848 Tcpip.sys (Alpha)
This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/
hotfixes-postSP5/teardrop2-fix/
NOTE: The above link is one path; it has been wrapped for readability.
NOTE: This fix supercedes the ICMP-fix, the OOB-fix, and the Land-fix
hotfixes.
STATUS
======
Windows NT 4.0
--------------
Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.
Windows NT 3.51
---------------
Microsoft has confirmed this to be a problem in Windows NT version 3.51. A
supported fix is now available, but is not fully regression tested and
should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Product Support Services for more information.
Additional reference words: 4.00 3.51 spoof crash crashes
============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.