STOP 0x0000000A or 0x00000019 Due to Modified Teardrop AttackLast reviewed: February 13, 1998Article ID: Q179129 |
The information in this article applies to:
SYMPTOMSWindows NT may stop responding (hang) with a STOP 0x0000000A or 0x00000019 message after receiving a number of deliberately corrupted UDP packets.
CAUSEThis behavior occurs due to a variation of the "teardrop" attack. Windows NT 4.0 with Service Pack 3 and the ICMP-fix is not susceptible to the original form of the teardrop attack. For more information on the ICMP- fix, please see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q154174 TITLE : Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95The modified teardrop attack works by sending pairs of deliberately constructed IP fragments which are reassembled into an invalid UDP datagram. Overlapping offsets cause the second packet to overwrite data in the middle of the UDP header contained in the first packet in such a way that the datagrams are left incomplete. As Windows NT receives these invalid datagrams, it allocates kernel memory. If enough of these invalid datagrams are received Windows NT may hang with a STOP 0x0000000A or 0x00000019. ntoskrnl!KeBugCheckEx+0x1be
RESOLUTION
Windows NT 4.0To resolve this problem, obtain the following fix or wait for the next Windows NT service pack. This fix should have the following time stamp:
01/09/98 08:16a 143,664 Tcpip.sys (Intel) 01/09/98 08:13a 263,536 Tcpip.sys (Alpha)This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/ hotfixes-postSP3/teardrop2-fix/NOTE: The above link is one path; it has been wrapped for readability. NOTE: This hotfix supersedes the fix referred to in the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q143478 TITLE : Stop 0A in TCPIP.SYS When Receiving Out Of Band (OOB) Data ARTICLE-ID: Q154174 TITLE : Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95 ARTICLE-ID: Q165005 TITLE : Windows NT Slows Down Due to Land Attack ARTICLE-ID: Q177245 TITLE : Multiprocessor Computer May Hang Because of Tcpip.sys Windows NT 3.51To resolve this problem, obtain the following fix. This fix should have the following time stamp:
01/14/98 12:04p 123,824 Tcpip.sys (Intel) 01/14/98 12:00p 216,848 Tcpip.sys (Alpha)This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/ hotfixes-postSP5/teardrop2-fix/NOTE: The above link is one path; it has been wrapped for readability. NOTE: This fix supercedes the ICMP-fix, the OOB-fix, and the Land-fix hotfixes.
STATUS
Windows NT 4.0Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.
Windows NT 3.51Microsoft has confirmed this to be a problem in Windows NT version 3.51. A supported fix is now available, but is not fully regression tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Product Support Services for more information.
|
Additional reference words: 4.00 3.51 spoof crash crashes bonk.c boink.c
© 1998 Microsoft Corporation. All rights reserved. Terms of Use. |