Macintosh users should rejoice - unlike the bug-riddled Windoze, MacOS is impervious to most nukes. Be sure you're using OpenTransport (not MacTCP) under MacOS 8.x and you should be safe.
Linux users are also in great shape if you've upgraded to 2.0.32 and 2.1.63 or later to defend against teardrop and bonk.
Aliases/variants: Server Message Block (SMB) logon attack
Affects: Windows NT4
Symptoms: System hang or restart. Widespread attacks especially against .edu and .gov sites since March 1.
Patches and Info: See the Microsoft help page last updated Feb 13.
Aliases/variants: boink, newtear, teardrop2
Affects: Windows 95 / NT4
Symptoms: Blue screen freeze and crash. If you have been patched since 12/97 against the other nukes below and as of 1/8/98 suddenly started to get the blue screen, you're probably being "bonked".
Patches: Microsoft just released a new patch for Win 95 winsock 2 that covers this attack (after nearly 2 months!). Patches already exist for Win NT4 and Win 95 Winsock 1 at the #mIRC nuke information page.
For more info: See Microsoft's bulletin last updated in late February.
Affects: Windows 95 / NT / 3.11, many others
Symptoms: Freeze and crash. You're probably being "landed" if you were nuke-safe until mid-November or if you're already patched against the other nukes.
Patches: Windows 95/NT, see the Windows defense section.
For more info: See the excellent article from Wired News.
Aliases/variants: tear, TCP/IP fragment bug, overlapfrag bug
Affects: Windows 3.1/95/NT, Linux (before 2.0.32 and 2.1.63)
Symptoms: Immediate crash or reboot. If you know you're safe against "winnuke" and "ssping" below and you still crash, you are probably suffering from either "land" or "teardrop". If you just get disconnected it's probably "click".
Patches:
- Windows 95/NT: see News above.
- Linux: upgrade to 2.0.32 / 2.1.63 or later.
For more info: Visit the teardrop page at Windows Central.
Aliases/variants: [the original] nuke, ICMP nuke, ICMP_UNREACHABLE or ICMP dest_unreach bug, WinNewk/WinNewk-X
Affects: just about everybody. Can be used against any TCP connection if no filtering is used.
Symptoms: Disconnection from IRC server, but your TCP/IP stack (Winsock) and modem connection are both fine, no crash or reboot. Windows users will usually quit with the message "Connection reset by peer." Other common quit messages are Connection refused, Operation timed out, and Host unreachable, depending on which end of the connection (server or local port) is attacked.
Patches: None exist for standalone computers unless you want to run a personal firewall (see News section). Some systems filter out ICMPs at the router, however, and this will protect you. Unix/Linux systems can install patches or alter the kernel source to make it more paranoid about ICMPs. Experienced Unix/Linux users can use tcpdump to monitor connections.
Other possibly helpful tricks for IRC users:
- Use unusual server ports (not 6667). Read the server /motd to see what ports they support, or type /stats l server.name.here.
- Change server ports often, perhaps each time you connect to IRC.
- Experiment with various servers. Some are heavily filtered and may be more difficult for nukers to disconnect you from.
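As an added example (not code from this page or from any kernel patch), here is one way a stack can be "more paranoid about ICMPs": accept a destination-unreachable message only if the packet it quotes belongs to a live TCP connection and carries a sequence number that is actually in flight, the check later recommended in RFC 5927. The function names, addresses and connection table are constructed for illustration.

```python
import socket
import struct

def sample_icmp_unreach(src, sport, dst, dport, seq, code=1):
    """Constructed test input: ICMP type 3 quoting an IP header + 8 TCP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + tcp8

def check_icmp_error(icmp, connections):
    """Return (verdict, reason) for one ICMP message starting at its header.

    connections maps (local_ip, local_port, remote_ip, remote_port) to
    (snd_una, snd_nxt): the sequence range we have sent but not had ACKed.
    """
    if len(icmp) < 8:
        return ("drop", "truncated ICMP header")
    if icmp[0] != 3:
        return ("ignore", "not destination-unreachable")
    quoted = icmp[8:]                      # the packet we supposedly sent
    if len(quoted) < 28:
        return ("drop", "truncated quote")
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return ("drop", "bad quoted IP header")
    if quoted[9] != 6:
        return ("ignore", "quoted packet is not TCP")
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    window = connections.get((src, sport, dst, dport))
    if window is None:
        return ("drop", "no matching connection")
    snd_una, snd_nxt = window
    # Modular arithmetic handles 32-bit sequence wraparound; an empty
    # window (nothing in flight) rejects every quoted sequence number.
    if (seq - snd_una) & 0xFFFFFFFF >= (snd_nxt - snd_una) & 0xFFFFFFFF:
        return ("drop", "sequence number not in flight")
    return ("accept", "matches in-flight segment")

if __name__ == "__main__":
    conns = {("10.0.0.5", 1042, "192.0.2.10", 6667): (1000, 1500)}  # constructed
    for seq in (1200, 999999):
        msg = sample_icmp_unreach("10.0.0.5", 1042, "192.0.2.10", 6667, seq)
        print(seq, check_icmp_error(msg, conns))
```

A sender who cannot see the connection has to guess both the local port and a sequence number inside the window, which is why the unusual-port advice above also helps.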
Aliases/variants: jolt, sPING, ICMP bug, IceNewk, "Ping of Death".
Affects: Windows 95 / NT, and many others!
Symptoms: Computer locks up, usually requiring a reboot (reset switch such as ctrl+alt+del doesn't work). After restart, computer runs as usual.
Patches:
- Windows 95/NT: see News above.
- Other platforms: see The Ping o' Death Page
For more info: See the ssping pages at Windows Central and Windows95.com.
Aliases/variants: Windows OOB bug.
Affects: Windows 95 / 3.11 / NT
Symptoms: "Blue Screen" (virtual device driver) error. Computer usually recovers, but Internet connection doesn't, requiring reboot (usual shutdown procedure should work). May also cause computer to lock up.
Patches:
- Win95/NT: see Windows defense above
- Win 3.1x (courtesy of Tjerk Vonck):
  - Find SYSTEM.INI on the boot drive of your computer
  - Directly under the caption [MSTCP] in SYSTEM.INI insert this line:
    BSDUrgent=0
For more info: See the winnuke pages at Windows Central and Windows95.com.
Aliases/variants: ping flood.
Affects: all modem connections
Symptoms: Modem lights go berserk indicating overflow of information, Internet applications get very slow, after 15-60 secs you get disconnected. Everything is fine after reconnect (unless you get flooded again), no crash or reboot.
Patches: There are no patches available or possible, since this attack directly exploits the low capacities of your modem. Ask your provider to set up a firewall at the provider to protect against this. Note that personal firewalls (such as those described in the News above) cannot help against this attack.
Affects: whole provider or IRC server
Symptoms: Imagine ICMP flooding for an entire provider or server. Everybody connected gets bogged down and kicked off, attack can last for hours or days.
Patches: There is nothing you can do to defend yourself, but if you do have any information on who is doing the attack, contact the admins at your ISP or IRC server (whichever is being attacked). Again, no personal firewalls can protect you.
For more info: See the Windows Central article which is based on a guide by Craig Huegen.