
UDP connection flood makes system interrupts use all CPU


Arran
10-02-2013, 20:49
I can't imagine anybody knowing the solution to this and I've been looking all over the internet and haven't found one person with the same problem. In short:

Angry/jealous/whatever kid sends tens of thousands of spoofed UDP packets to the server, all using different IP addresses, causing this: http://support.microsoft.com/kb/2685007

That hotfix either doesn't work properly, or there's something else in Windows causing the problem. Used xperf to find out that the cause of the system interrupts using all the CPU is NDIS.sys, as seen here: https://dl.dropbox.com/u/7177600/DPC%20summary.jpg Also notable is that during the attack Task Manager freezes and receives no updates, and Performance Monitor flatlines: https://dl.dropbox.com/u/7177600/during.jpg

What I find looking through the internet at problems with NDIS.sys is that other people have this same problem, but they're all home users doing normal stuff. I can't find anything about somebody getting this on a Windows server, and you'd think that if this exploit is so easy, kids would be taking down every Windows server, because it requires a very small amount of bandwidth, as the bandwidth usage doesn't even spike when all the packets come in.

I've tried all the stuff posted on the Internet, updating the NIC driver and so on and so on and anything that could possibly help. So does anybody have any ideas? (Other than switching to Linux)
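
The post notes that bandwidth does not spike during the attack, so a byte-rate alarm would miss it. As an added example (not part of the original post), this sketch counts distinct UDP source addresses per second in firewall log lines; the field order assumes the Windows Firewall log layout, and the sample lines, addresses and thresholds are constructed.

```python
from collections import defaultdict

def make_sample():
    """Constructed log lines, assumed layout:
    date time action protocol src-ip dst-ip src-port dst-port size"""
    lines = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port size"]
    # Quiet second: three clients sending normal-sized datagrams.
    for i in range(3):
        lines.append(f"2013-02-10 20:40:00 ALLOW UDP 198.51.100.{i + 1} 192.0.2.10 5000 27015 900")
    lines.append("2013-02-10 20:40:00 ALLOW TCP 198.51.100.9 192.0.2.10 5001 3389 60")
    # Flood second: 400 tiny datagrams, every one from a different source address.
    for i in range(400):
        src = f"198.18.{i // 250}.{i % 250 + 1}"
        lines.append(f"2013-02-10 20:40:01 DROP UDP {src} 192.0.2.10 {1024 + i} 27015 40")
    return lines

def find_source_floods(lines, min_sources=200, max_avg_size=128):
    """Return (second, entries, distinct_sources, avg_size) for each second in
    which many different sources sent small UDP datagrams.
    Both thresholds are illustrative assumptions, not tuned values."""
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blank lines and header comments
        f = line.split()
        if len(f) < 9 or f[3].upper() != "UDP":
            continue                      # malformed line or not UDP
        size = int(f[8]) if f[8].isdigit() else 0   # "-" means size not logged
        b = buckets[f"{f[0]} {f[1]}"]     # bucket key: one-second timestamp
        b["pkts"] += 1
        b["bytes"] += size
        b["srcs"].add(f[4])
    alerts = []
    for second in sorted(buckets):
        b = buckets[second]
        avg = b["bytes"] / b["pkts"]
        # Key on source cardinality, not volume: the byte total stays small.
        if len(b["srcs"]) >= min_sources and avg <= max_avg_size:
            alerts.append((second, b["pkts"], len(b["srcs"]), avg))
    return alerts

if __name__ == "__main__":
    for second, pkts, srcs, avg in find_source_floods(make_sample()):
        print(f"{second}: {pkts} UDP entries from {srcs} sources, avg {avg:.0f} bytes")
```

In the constructed flood second the total is only 16,000 bytes, which is why the check keys on the number of distinct sources rather than on throughput.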