A 20-year-old flaw in the SMB v1, v2 and v3 protocol that Microsoft will not patch
What can one say? Microsoft has gone all the way and states that it will not patch the flaw presented at the DEF CON conference, because it directly concerns port 445, for which incoming connections should be blocked anyway. According to Microsoft, that is enough to solve the problem. Hector Martin "marcan" is of a different opinion: the researcher has published a short PoC and claims that even with all versions of the SMB protocol disabled, Windows 10 remains susceptible to a distributed denial-of-service (DDoS) attack.
The flaw has even been given its own name: SMBLoris. It is a DDoS-type attack that works against systems from Windows 2000 through Windows 10, even when all versions of SMB are disabled. Linux is vulnerable too, through Samba and the NetBIOS protocol on port 139. On Linux it is enough to limit the number of clients that may connect to the server at one time, e.g. to 1000. You can do this by editing the configuration file /etc/samba/smb.conf (the number of clients the server can serve at one time is limited by RAM):
max smbd processes = 1000
What is the attack?
By default, the NetBIOS Session Service allocates 128 KB of memory for each TCP connection, and this memory is released only when the connection is closed or after 30 seconds if no command has been sent. If a client uses all 65,535 ports of a single IPv4 address when connecting to the server, it is possible to reserve up to 8 GB of RAM. With IPv4 and IPv6 together, it is possible to reserve up to 16 GB of memory using all available ports (131,070). With 10 IPv4 addresses at once, 655,535 ports can be used to reserve up to 80 GB of RAM.
|Scenario|Sockets|Attack Cost|Memory Impact|
|---|---|---|---|
|Dual IPv4 & IPv6|131,070|512 KB|16 GB|
|10 IPs|655,535|2.5 MB|80 GB|
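As an added example (not from the original article or from the researcher's PoC), a small Python checker that counts established sessions per peer on ports 139 and 445 in `ss -tn` output and multiplies them by the 128 KB per-connection allocation described above; the sample output, the session threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Per-connection allocation by the NetBIOS Session Service, as described above.
NBSS_ALLOC_BYTES = 128 * 1024
SMB_PORTS = {139, 445}

# Constructed sample of `ss -tn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB   0      0      10.0.0.5:445        203.0.113.7:51002
ESTAB   0      0      10.0.0.5:445        203.0.113.7:51003
ESTAB   0      0      10.0.0.5:445        203.0.113.7:51004
ESTAB   0      0      10.0.0.5:139        203.0.113.7:51005
ESTAB   0      0      10.0.0.5:445        198.51.100.9:40001
ESTAB   0      0      10.0.0.5:22         198.51.100.9:40002
ESTAB   0      0      [2001:db8::5]:445   [2001:db8::bad]:6000
"""

# Matches both 'host:port' and '[ipv6]:port'.
ADDR_RE = re.compile(r"^\[?(.+?)\]?:(\d+)$")


def split_addr(addr):
    """Split an ss address field into (host, port)."""
    m = ADDR_RE.match(addr)
    return m.group(1), int(m.group(2))


def smb_sessions_per_peer(ss_output):
    """Count established TCP sessions to the SMB/NetBIOS ports per peer host."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_addr(fields[3])
        peer_host, _ = split_addr(fields[4])
        if local_port in SMB_PORTS:
            counts[peer_host] += 1
    return counts


def flag_smbloris_suspects(ss_output, threshold=3):
    """Return {peer: (sessions, bytes_reserved)} for peers holding at least
    `threshold` SMB sessions; bytes_reserved is the worst-case NBSS memory."""
    return {peer: (n, n * NBSS_ALLOC_BYTES)
            for peer, n in smb_sessions_per_peer(ss_output).items()
            if n >= threshold}
```

On a live host, feed it the output of `ss -tn` and tune the threshold to the number of parallel SMB sessions a legitimate client is expected to hold.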
A distributed denial-of-service (DDoS) attack renders the vulnerable machine completely unusable. Microsoft will not release a patch; instead it recommends that administrators block incoming connections to port 445. None of the exploits prepared so far gives the attacker remote code execution.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.