DOCUMENT:Q193233
TITLE   :RPCSS.EXE Consumes 100% CPU due to RPC-spoofing Attack
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug kbbug4.00 kbfix4.00 kbfix

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation version 4.0
 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server version 4.0, Terminal Server Edition
--------------------------------------------------------------------------

SYMPTOMS
========

System and network performance could degrade and the Rpcss.exe process
could consume 100 percent of CPU time. Analyzing the network with a
protocol analyzer shows multiple RPC REJECT packets (addressed to UDP port
135) between two or more systems because of an RPC spoofing attack.

CAUSE
=====

This problem is caused by a malicious attack on the remote procedure call
(RPC) components in Windows NT.

A UDP packet with a destination port of 135 can be spoofed so that it
appears as if one datagram RPC server sent bad data to another datagram RPC
server. The second server returns a REJECT packet. The first server replies
with another REJECT packet creating a loop that is not broken until a
packet is dropped. If this spoofed UDP packet is sent to multiple
computers, an infinite loop may be created, consuming processor resources
and network bandwidth.

RESOLUTION
==========

A supported fix that corrects this problem is now available from Microsoft,
but has not been fully regression tested and should be applied only to
systems determined to be at risk of attack. Please evaluate your system's
physical accessibility, network and Internet connectivity, and other
factors to determine the degree of risk to your system. If your system is
sufficiently at risk, Microsoft recommends you apply this fix. Otherwise,
wait for the next Windows NT service pack, which will contain this fix.

To resolve this problem immediately, download the fix as described below.
For a complete list of Microsoft Product Support Services phone numbers and
information on support costs, please go to the following address on the
World Wide Web:

   http://support.microsoft.com/support/supportnet/default.asp

Windows NT 4.0
--------------

The English version of this fix should have the following file attributes
or later:

   Date      Time      Size     File Name   Platform
   -------------------------------------------------------------
   09/04/98  08:45p    330,000  Rpcrt4.dll  (x86)
   09/04/98  08:45p    581,904  Rpcrt4.dll  (Alpha)

This hotfix has been posted to the following Internet location as
Snk-fixi.exe and Snk-fixa.exe:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/Snk-fix/

NOTE: The above link is one path; it has been wrapped for readability.

Windows NT 4.0, Terminal Server Edition
---------------------------------------

The English version of this fix should have the following file attributes
or later:

   Date      Time      Size     File Name   Platform
   -------------------------------------------------------------
   09/29/98  12:52p    313,104  Rpcrt4.dll  (x86)
   09/29/98  01:02p    548,624  Rpcrt4.dll  (Alpha)

This hotfix has been posted to the following Internet location as
Snk-fixi.exe and Snk-fixa.exe:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/
   hotfixes-postSP3/Snk-fix/

NOTE: If you contact Microsoft to obtain this fix, a fee may be charged.
This fee is refundable if it is determined that you only require the fix
you requested. However, this fee is non-refundable if you request
additional technical support.

For more information about eligibility for no-charge technical support, see
the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154871
   TITLE     : Determining If Your Product Is Eligible for No-Charge
               Technical Support

STATUS
======

Microsoft has confirmed this problem could result in some degree of
security vulnerability in Windows NT version 4.0 and Windows NT 4.0,
Terminal Server Edition.

MORE INFORMATION
================

For more information, please see the following Microsoft Security Bulletin:

   http://www.microsoft.com/security/bulletins/ms98-014

Additional query words: denial of service attack snork tse wts

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
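
The REJECT exchange described under SYMPTOMS and CAUSE can be picked out of a packet capture by counting reject PDUs that travel from UDP port 135 to UDP port 135 in both directions between the same two hosts. The following is an added example, not code from Microsoft or from this article; the record layout, the threshold and the sample data are assumptions, and the header byte values (version 4, PDU type 6 for reject) are those of the connectionless DCE/RPC header.

```python
from collections import Counter

EPMAP_PORT = 135      # UDP port named in the article
DG_RPC_VERSION = 4    # first header byte of a connectionless (datagram) DCE/RPC PDU
PTYPE_REJECT = 6      # second header byte: PDU type "reject"

def is_dg_reject(payload: bytes) -> bool:
    """True if a UDP payload begins like a datagram-RPC reject PDU."""
    return (len(payload) >= 2 and payload[0] == DG_RPC_VERSION
            and payload[1] == PTYPE_REJECT)

def find_reject_loops(packets, min_each_way=3):
    """Find host pairs bouncing rejects between port 135 on both ends.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    min_each_way: assumed threshold, tune it to the length of the capture.
    Returns a sorted list of ((host_a, host_b), (a_to_b, b_to_a)).
    """
    directed = Counter()
    for src, sport, dst, dport, payload in packets:
        # Ordinary clients reach port 135 from an ephemeral source port; the
        # loop in the article has port 135 as both source and destination.
        if sport == dport == EPMAP_PORT and is_dg_reject(payload):
            directed[(src, dst)] += 1
    loops = []
    for (a, b), forward in directed.items():
        backward = directed[(b, a)]   # Counter returns 0 for a missing key
        if a < b and min(forward, backward) >= min_each_way:
            loops.append(((a, b), (forward, backward)))
    return sorted(loops)

def _pdu(ptype: int) -> bytes:
    # Constructed payload: version byte, PDU type byte, zero padding.
    return bytes([DG_RPC_VERSION, ptype]) + bytes(78)

# Constructed sample records, not taken from a real capture.
SAMPLE = (
    [("10.0.0.5", 135, "10.0.0.9", 135, _pdu(PTYPE_REJECT)),
     ("10.0.0.9", 135, "10.0.0.5", 135, _pdu(PTYPE_REJECT))] * 4
    + [("10.0.0.7", 1029, "10.0.0.5", 135, _pdu(0)),             # client request
       ("10.0.0.5", 135, "10.0.0.7", 1029, _pdu(PTYPE_REJECT))]  # lone reject
)

if __name__ == "__main__":
    for pair, counts in find_reject_loops(SAMPLE):
        print(pair, "rejects each way:", counts)
```

A single reject returned to a client's ephemeral port is not flagged; only the two-way pattern between port 135 on both hosts matches what the article describes.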