Protection against attacks on the base functions of the Windows NT OS
Monday, 03 October 2005

As noted earlier, attacks on data availability are becoming increasingly widespread on the Internet. They succeed because of vulnerabilities in the base protocols used to exchange data on the Internet. In addition, there are typical weaknesses in TCP/IP implementations, which contemporary operating systems have inherited. Let us examine the attacks on the availability of the base functions of Windows NT that became widespread in 1997-1998 and forced Microsoft to develop special software patches. Such attacks disrupt the functioning of the entire system, regardless of the application software in use! The numbers and titles of the related Microsoft Knowledge Base (KB) articles are given in brackets.

Attack OOB

It is directed at port 139 (NetBIOS). If the service is reachable on the attacked computer, the attacker sends it a message using the Out-of-band transfer mode, i.e., out of order, with high priority. On receiving a packet with the Urgent flag set, the system places a marker on the input data stream and waits for the next fragment of the message. The consequences of the attack depend on the software version, the network protocol configuration and so forth; they are either a system crash with the error STOP 0x0000000A in module Tcpip.sys or a failure of network data exchange.

This attack affects Windows NT 3.51 and 4.0, and also Windows 95. [ Q143478: Stop 0A In tcpip.sys When Receiving Out Of Band (OOB) Data ]

Protection: the oob-fix patch, depending on the Windows NT version and the installed service pack.

Attack GetAdmin

The GetAdmin utility was distributed on the Internet; it gave ordinary users system administrator rights by adding the users' identifiers to the Administrators group. GetAdmin exploited a vulnerability in one of the low-level functions, which does not check its parameters; this makes it possible to pass values in the call that disable the checking of debug privileges. That in turn makes it possible to attach to any process running in the system and to start a subprocess in the security context of that process. GetAdmin attached to the WinLogon process, which runs in the system security context, and, using standard functions, added the required user to the Administrators group. As a result, a legitimate user was granted system administrator rights without authorization, which opened the way to unauthorized access in the administrator's name.

The attack is applicable to Windows NT 4.0 Workstation and Server. The vulnerability is absent in Windows NT 3.51. [ Q146965: GetAdmin Utility Grants Users Administrative Rights ]

Protection: the GetAdmin-fix patch, depending on the Windows NT version and the installed service pack. The patch makes it impossible to disable the checking of debug privileges, which prevents attaching to an arbitrary process and starting tasks on its behalf. Note that any user who has been granted the "Debug Programs" right will always be able to use GetAdmin successfully to obtain administrator rights (since the "Debug Programs" right allows a user to attach to any process). Consequently, the "Debug Programs" right must be granted only to trusted users (when the system is installed, this right is given only to members of the Administrators group).

Attack Ssping/Jolt

The attack, named after the programs that implement it, consists of sending several fragmented ICMP (ICMP_ECHO) packets of large size in parts. The Windows NT OS hangs while attempting to reassemble the packet, which can lead to loss of data integrity. The attack acts analogously on early POSIX and SYSV implementations.

It is applicable to Windows NT 4.0 Workstation and Server, Windows NT 3.51 Workstation and Server, and Windows 95. [ Q154174: Invalid ICMP Datagram Fragments Hang Windows NT, Win 95 ]

Protection: the icmp-fix patch, depending on the Windows NT version and the installed service pack.

Attack on services Simple TCP/IP

The attacker sends a stream of UDP datagrams to the broadcast address of the subnet that contains a Windows NT computer with the Simple TCP/IP services installed. The source address of these packets is forged, and the destination port is port 19 (the chargen service). The Windows NT computer answers each such request, causing an avalanche of UDP datagrams. This considerably increases subnet traffic and deprives legitimate services of the ability to exchange data.

The attack is applicable to Windows NT 4.0 Workstation and Server. [ Q15446: Denial of Service Attack Against WinNT Simple TCP/IP Services ]

Protection: the simptcp-fix patch, depending on the Windows NT version and the installed service pack. The patch changes TCP/IP, Windows Sockets and Simple TCP/IP so as to hinder such attacks.

Attack LAND

It is named after the implementation that circulated on the Internet. It consists of sending TCP packets with the SYN flag in which the source address and port equal the destination address and port. This causes packets with the ACK flag set to loop: the attacked computer sends itself a large number of packets. This consumes a substantial share of computing resources and, in a number of cases, crashes Windows NT.

The attack is applicable to Windows NT 4.0 Workstation and Server, and also Windows 95. [ Q165005: Windows NT Slows Down Due To Land Attack ]

Protection: the land-fix patch, depending on the Windows NT version and the installed service pack.

Attack TEARDROP

It is named after the implementation that circulated on the Internet. It consists of sending specially crafted pairs of fragmented IP packets which, after reassembly, form an invalid UDP datagram. The overlapping offsets cause the second packet to overwrite data in the middle of the UDP datagram header contained in the first packet. The result is an incomplete datagram placed in the kernel memory of Windows NT. Receiving and processing a large number of such packet pairs crashes Windows NT with the message STOP 0x0000000A.

It applies to Windows NT 4.0 Workstation and Server. [ Q179129: STOP 0x0000000A Due to Modified Teardrop Attack ]

Protection: the teardrop2-fix patch, depending on the Windows NT version and the installed service pack.
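
The header conditions described for LAND and Teardrop above can be checked on captured IPv4 packets. The following is an added example, not part of the original article: `parse_ipv4`, `is_land`, `overlapping_fragments` and the constructed `sample`/`tcp_syn` helpers are illustrative names, and each packet is assumed to start at the IPv4 header.

```python
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def parse_ipv4(pkt):
    """Extract the fields both checks need; pkt starts at the IP header."""
    vihl, _, tlen, ident, frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    start = (frag & 0x1FFF) * 8          # fragment offset is in 8-byte units
    return {"key": (src, dst, proto, ident), "src": src, "dst": dst,
            "proto": proto, "more": bool(frag & 0x2000),
            "start": start, "end": start + tlen - ihl, "data": pkt[ihl:tlen]}

def is_land(pkt):
    """LAND: TCP SYN whose source address and port equal the destination's."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6 or ip["start"] != 0 or len(ip["data"]) < 14:
        return False
    sport, dport = struct.unpack("!HH", ip["data"][:4])
    syn = bool(ip["data"][13] & 0x02)    # TCP flags byte, SYN bit
    return syn and ip["src"] == ip["dst"] and sport == dport

def overlapping_fragments(pkts):
    """Teardrop: return datagram keys whose fragments cover overlapping bytes."""
    seen, flagged = defaultdict(list), set()
    for pkt in pkts:
        ip = parse_ipv4(pkt)
        if not ip["more"] and ip["start"] == 0:
            continue                      # unfragmented datagram
        if any(ip["start"] < e and s < ip["end"] for s, e in seen[ip["key"]]):
            flagged.add(ip["key"])
        seen[ip["key"]].append((ip["start"], ip["end"]))
    return flagged

def sample(src, dst, proto, ident, off8, more, data):
    """Constructed test packet for the checks above (checksum left at 0)."""
    frag = (0x2000 if more else 0) | off8
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(data), ident, frag, 64,
                       proto, 0, bytes(src), bytes(dst)) + data

def tcp_syn(sport, dport):
    """Constructed 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
```

A filter or sensor that drops or alerts on either condition at the network edge covers hosts that cannot be patched.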

Attack Denial of Service

A connection request is sent over the SMB protocol to a Windows NT server, specifying an incorrect size for the data that follows. When the server processes this request, the system crashes with the message STOP 0x0000000A (STOP 0kh000000shch0) or hangs.

It applies to Windows NT 4.0 Server. [ Q180963: Denial of Service Attack Causes Windows NT Systems to Restart ]

Protection: the srv-fix patch, depending on the Windows NT version and the installed service pack.

Attack SECHOLE

It is named after the program that circulated on the Internet. It is analogous to the GetAdmin attack, with the difference that it uses the OpenProcess API function to obtain debug privileges. As a result, a legitimate user is granted administrator rights without authorization.

It applies to Windows NT 4.0 Workstation and Server and Windows NT 3.51 Workstation and Server. [ Q190Z88: SecHole Lets Non-administrative Users Gain Debug Level Access ]

Protection: the priv-fix patch, depending on the Windows NT version and the installed service pack.

Attack ICMP Request

It consists of sending an ICMP Subnet Mask Address Request packet to a network interface configured with several IP addresses that belong to one subnet. Windows NT crashes with the message STOP 0x0000000A (OxAOOZZOOO, 0x00000002, 0x00000000, 0xf381329B), where the fourth parameter refers to the memory region of module Tcpip.sys.

It applies to Windows NT 4.0 Workstation and Server. [ Q192774: Stop 0x0000000A In tcpip.sys Processing An ICMP Packet ].

The described vulnerability was first fixed in Windows NT Service Pack 4.

© 2004-2007 Daita.org