ICMP Redirect Attack Causes Windows NT Server and Workstation to Hang

ID: Q225344

The information in this article applies to:

Microsoft Windows NT Workstation versions 4.0, 4.0 SP4
Microsoft Windows NT Server versions 4.0, 4.0 SP4
Microsoft Windows NT Server, Enterprise Edition version 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS

Your computer running Windows NT may stop responding (hang) or the computer's performance may degrade drastically when connected to an internetwork segment or to the Internet. Other symptoms may include:

The Perfmon tool's Processor Utilization object may indicate 100 percent utilization.

Issuing a ROUTE PRINT command at a command prompt shows that the route table has changed.

If the computer is disconnected from the network segment or the Internet and then restarted, the problem does not occur again until the computer is reconnected to the network segment or Internet.

CAUSE

This problem is caused by the receipt of multiple Internet Control Message Protocol (ICMP) Redirect packets that are used to change routing table entries. Too many ICMP Redirect packets in a short period of time may cause Windows NT to dedicate an inordinate amount of CPU time to update the routing table and cause the computer to stop responding. In many cases, this scenario indicates a denial of service attack through the use of a program to send multiple ICMP Redirect packets against a specific TCP/IP address.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT. For additional information, please see the following article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack

After you have installed Windows NT 4.0 Service Pack 5, you can enable a Windows NT registry entry that allows your computer to disregard ICMP Redirects. To disable ICMP Redirects:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

Start Registry Editor (Regedt32.exe).

Go to the following key:
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services \Tcpip\Parameters
NOTE: The above registry key is one path; it has been wrapped for readability.

On the Edit menu, click Add Value, type EnableICMPRedirects, click REG_DWORD in the Data Type box, and then click OK.

Type 0, and then click OK. NOTE: Setting this registry entry to a value of 1 enables ICMP Redirects.

Quit Registry Editor, and then restart the computer.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article. This problem was first corrected in Windows NT version 4.0 Service Pack 5.

MORE INFORMATION

For additional information about ICMP Redirect packets, please see the following article in the Microsoft Knowledge Base:

Q195686 Explanation of ICMP Redirect Behavior

Additional query words:


Keywords          : kbnetwork ntsecurity ntsp kbbug4.00 kbfix4.00 nt4sp5fix 
Version           : winnt:4.0,4.0 SP4
Platform          : winnt 
Issue type        : kbbug

Last Reviewed: June 21, 1999