NetFort Advertising

How to Prevent Attacks Associated with the SMBLoris Vulnerability

1 August 2017 NetFort Blog By: Darragh Delaney
SlowLoris Server Crash

What is SMBLoris?

SMBLoris is a memory-handling bug which was revealed last week at DEF CON. Infosec researcher, Jenna Magius provided more details about the bug on her Twitter feed. The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. Initial reports suggested that SMBLoris was only associated with SMBv1 but this is not the case.

The SMBLoris attack is able to allocate all available memory that a server has, to the point where it won’t even blue screen, and eventually the operating system crashes. It can also prevent logging on to the server because there’s no memory available. If you reboot the server, log files will be of no use if you need to figure out what clients targeted your server.

What you need to do to prevent SMBLoris attacks?

Microsoft have not released a patch for this vulnerability and their advice is to block access from the internet to SMB servers. SMB typically runs over TCP ports 445 and 139.

It is possible to launch an internal attack, so you should also watch out for any network scanning on your network over TCP ports 445 or 139. It could be a sign of a compromised client seeking out active SMB servers.

Using LANGuardian to check for suspicious SMB activity

Our LANGuardian product passively captures network traffic via SPAN, mirrors ports or TAPs. It then analyzes this traffic and captures metadata such as IP addresses, application protocols and versions, user names, file and folder names, web domains and URIs. When it comes to spotting SMBLoris activity, there are two things to watch out for:

Identify Inbound traffic on TCP port 445 or 139

Use the LANGuardian Top Clients report to focus on network traffic where the client IP address is outside your network, and the destination port is TCP 445 or 139. If you get results in the report, then you should block the clients shown if you are not familiar with them or block all inbound access on these SMB ports.

The screenshot below shows an example where a client with an IP address registered in Russia has established connections to servers inside the perimeter firewalls.

Clients connecting inbound on TCP ports 445 or 139

Check for any network scanning on TCP ports 445 or 139

The greatest risk with SMBLoris is with external clients targeting SMB servers hosted locally on your network. However, there is still a risk that a compromised client on your network could bring down your SMB servers. Watch out for any scanning activity associated with TCP ports 445 or 139. It can be a sign of a client generating an inventory of what SMB servers exist on a network.

Use the LANGuardian Network Scanners by Port report to focus in on any scanning activity locally on your network. The screenshot below shows an example of the output of this report. In this case, we do not see any suspicious SMB scanning activity.

SMB Network Scans

The video below shows how you can check your network traffic for any suspicious SMBLoris activity.

If you would like to audit your network, then go ahead and download a 30 day free trial of LANGuardian today.  You have the option to deploy it as a physical or virtual machine, and there are no changes required on your files servers.