Jolt

CVE 2000-0305

Description of Jolt

This DoS attack affects Windows 95 and NT machines.

The Jolt attack sends very large, fragmented ICMP packets to a target machine running Windows 95 or NT. The ICMP packets are fragmented in such a way that the target machine is unable to reassemble them for use. When the ICMP packets are received by the target machine, it freezes up and will not accept input from the keyboard or mouse. This Denial of Service attack has not been shown to cause significant damage to affected systems, and a simple reboot is sufficient to recover from an attack. It should be noted, though, that any unsaved data in open applications will likely be lost.

Symptoms of Attack

Upon being attacked, a Windows 95 or NT machine will lock up, and accept no input from the keyboard or mouse. In a small number of cases, machines have been known to reboot. To recover from the Jolt attack, reboot the affected system. If you happen to be running a port scanner, check for higher than usual activity on port 139 on the affect machine (the port that is used by Jolt). If such activity exists, this could be an indication that a Jolt attack is being run.

How can I fix this vulnerability?

The fix for this vulnerability is to install a patch. Patches currently exist for Windows NT 4.0, Windows NT 3.51 and Windows 95. These patches, and instructions for installing them, may be found at Microsoft's ICMP Datagram Fragments page.

Where can I read more about this?

You can read more about the Jolt attack, and other ICMP based attacks, at Microsoft's ICMP Datagram Fragments page. Also, visit Alphalink's Denial of Service Attacks page to read more about Jolt and other attacks. To keep abreast of existing and emerging Denial of Service attacks, and other security threats, visit the Microsoft Security Advisor, the Windows Central Bug Site, and/or CERT. If information on a specific attack is not located on these sites, keep checking back as they are updated frequently.