20-year gap in the SMB v1, v2 and v3 protocol, which Microsoft does not pay

What can I say. Microsoft went the whole way and claims that it will not cover the gap presented during the Defcon conference, because it directly affects port 445, for which an incoming connection should be blocked. According to Microsoft, that's enough to solve the problem. Hector Martin "marcan" has a different opinion and the researcher has published a short PoC and claims that despite disabling all versions of the SMB protocol, Windows 10 is still susceptible to the attack of extended access denied service (DDoS).

Luka even gained its own name - SMBLoris . This is a DDoS type attack that can be run from Windows 2000 to Windows 10, even when all versions of SMB are disabled. Also Linux is vulnerable with its Samba and NetBIOS protocol on port 139. In the case of Linux, it is enough to limit the number of users connecting to the server at one time, e.g. up to 1000. You can do this by editing the configuration file in /etc/samba/smb.conf (quantity the users that can serve the server at one time is limited by RAM):

max smbd processes = 1000 

What is the attack?

By default, the NetBIOS Session Service allocates 128 KB of memory for each TCP connection, which is only released after the connection or after 30 seconds if no command has been performed. If we use 65,535 ports for IPv4 when connecting the client to the server, it is possible to reserve up to 8GB of RAM. If we use IPv4 and IPv6, it is possible to reserve up to 16GB of memory using all available ports (131 070). If we use 10 IPv4 addresses at one time, we can reserve 655,535 ports and up to 80GB RAM.

Scenario Socket Attack Cost Memory Impact
Baseline 1 4B 128KB
Single IPv4 65,535 256KB 8GB
Single IPv6 65,535 256KB 8GB
Dual IPv4 & IPv6 131 070 512KB 16GB
10 IPs 655 535 2.5MB 80GB

Attack of distributed denial of access to the service (DDoS) makes the machine vulnerable completely unusable. Microsoft will not release patches. Instead it recommends administrators to block incoming connections to port 445. We're not prepared any of the exploit would give the attacker the ability to remote code execution.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.