DOCUMENT:Q179129
TITLE   :STOP 0x0000000A Due to Modified Teardrop Attack
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbbug3.51 kbfix4.00 kbfix3.51 kbfile NTSrvWkst nttcp



--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation versions 3.5 and 3.51
 - Microsoft Windows NT Server versions 3.5 and 3.51
 - Microsoft Windows NT Workstation version 4.0
 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server Enterprise Edition version 4.0
--------------------------------------------------------------------------



SYMPTOMS
========

Windows NT may stop responding (hang) with a STOP 0x0000000A message after
receiving a number of deliberately corrupted UDP packets.



CAUSE
=====

This behavior occurs due to a variation of the "teardrop" attack. Windows
NT 4.0 with Service Pack 3 and the ICMP-fix or Windows NT 3.51 with Service
Pack 5 and the ICMP-fix are not susceptible to the original form of the
teardrop attack. For more information on the ICMP-fix, please see the
following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154174
   TITLE     : Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95

The modified teardrop attack works by sending pairs of deliberately
constructed IP fragments which are reassembled into an invalid UDP
datagram. Overlapping offsets cause the second packet to overwrite data in
the middle of the UDP header contained in the first packet in such a way
that the datagrams are left incomplete.

As Windows NT receives these invalid datagrams, it allocates kernel memory.
If enough of these invalid datagrams are received, Windows NT may hang with
a STOP 0x0000000A.
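The overlap condition described above, expressed as a reassembly check a receiver must apply before accepting a fragment set. This is an added example, not code from the article or from the Windows NT TCP/IP driver; it assumes fragment offsets have already been converted from 8-byte units to bytes and works only on constructed in-memory fragment descriptors, never on the network.

```python
"""Validate a set of IP fragments before reassembling them into a UDP datagram.

Assumptions (not from the KB article): offsets are byte offsets within the
reassembled datagram, and the UDP header occupies the first 8 bytes.
"""
from dataclasses import dataclass

UDP_HEADER_LEN = 8  # source port, destination port, length, checksum


@dataclass
class Fragment:
    offset: int     # byte offset of this payload inside the datagram
    more: bool      # IP "more fragments" (MF) flag
    payload: bytes


def validate_fragments(frags):
    """Return (ok, reason).

    ok is True only when the fragments tile the datagram exactly: the first
    fragment starts at 0 and carries the whole UDP header, no later fragment
    rewrites bytes already received (the teardrop condition), there are no
    gaps, and the last fragment has MF clear.
    """
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        return False, "first fragment does not start at offset 0"
    if len(ordered[0].payload) < UDP_HEADER_LEN:
        return False, "first fragment shorter than the UDP header"
    covered_end = 0  # bytes [0, covered_end) have been received so far
    for f in ordered:
        if f.offset < covered_end:
            # Overlap: this fragment would overwrite data already received.
            where = "transport header" if f.offset < UDP_HEADER_LEN else "payload"
            return False, f"overlap at offset {f.offset} in {where}"
        if f.offset > covered_end:
            return False, f"gap before offset {f.offset}"
        covered_end = f.offset + len(f.payload)
    if ordered[-1].more:
        return False, "last fragment still has MF set (datagram incomplete)"
    return True, "ok"
```

A receiver that rejects the set on the first overlap instead of buffering it avoids the kernel-memory growth the article describes.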



RESOLUTION
==========

To resolve this problem, obtain the following fix or wait for the next
Windows NT service pack.

Windows NT 4.0:

This fix should have the following time stamp:

   01/09/98  08:16a               143,664 Tcpip.sys   (Intel)
   01/09/98  08:13a               263,536 Tcpip.sys   (Alpha)

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/teardrop2-fix/

Windows NT 3.51:

This fix should have the following time stamp:

   01/14/98  12:04p               123,824 tcpip.sys   (Intel)
   01/14/98  12:00p               216,848 tcpip.sys   (Alpha)

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/
   hotfixes-postSP5/teardrop2-fix/

NOTE: This fix supersedes the ICMP-fix, the OOB-fix, and the Land-fix
hotfixes.



STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.



============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.