In a WinNuke attack, an attacker sends an Out-of-Band (OOB) packet to the NetBIOS port of a target host running Windows. The resulting NetBIOS fragment overlap then crashes the target host. Another form of WinNuke attack sends IGMP fragment packets.
WinNuke attacks are also called out-of-band (OOB) transmission attacks. They target a destination port, generally port 139, with the TCP URG bit set to 1, that is, urgent mode. WinNuke attacks exploit a vulnerability in the Windows operating system: the attacker sends packets containing TCP OOB data to the target port. These attack packets differ from normal packets that carry OOB data in that the position indicated by the URG pointer field does not match the actual position of the data, that is, the positions overlap. The Windows operating system may therefore crash when processing the data.
WinNuke attack defense works as follows: the FW first checks whether the destination port of the packet is 139, the URG bit is 1, and the URG pointer is not empty. Packets that meet all three conditions are discarded and an attack log is recorded.
WinNuke attacks may also use Internet Group Management Protocol (IGMP) fragment packets. Generally, IGMP packets are not fragmented, and many systems cannot process IGMP fragment packets correctly. Therefore, received IGMP fragment packets may indicate a WinNuke attack. The FW can defend against IGMP fragment packets.
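The two checks described above (TCP to port 139 with URG set and a non-empty URG pointer; IGMP packets that are fragmented) expressed as a small packet classifier. This is an added example, not the FW's own implementation; the packet-builder helpers and the sample packets are constructed here for illustration, and "not empty" is read as a non-zero URG pointer.

```python
import struct

IGMP, TCP = 2, 6
TCP_URG = 0x0020          # URG flag bit in the TCP data-offset/flags word
IP_MF = 0x2000            # "more fragments" bit in the IPv4 flags/offset word


def classify(pkt: bytes) -> str:
    """Apply the WinNuke defense rules to one raw IPv4 packet."""
    if len(pkt) < 20:
        return "malformed"
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_frags = bool(flags_frag & IP_MF)
    frag_off = flags_frag & 0x1FFF
    payload = pkt[ihl:]
    # Rule 2: IGMP is normally never fragmented; any IGMP fragment is dropped.
    if proto == IGMP and (more_frags or frag_off):
        return "drop:igmp-fragment"
    # Rule 1: first fragment of a TCP segment to port 139, URG set, URG pointer non-zero.
    if proto == TCP and frag_off == 0 and len(payload) >= 20:
        _, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", payload[:20])
        if dport == 139 and (off_flags & TCP_URG) and urg_ptr != 0:
            return "drop:winnuke"
    return "pass"


# --- constructed sample packets (not captured traffic) -----------------------
def build_ipv4(proto: int, payload: bytes, mf: bool = False, frag_off: int = 0) -> bytes:
    flags_frag = (IP_MF if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(dport: int, urg: bool = False, urg_ptr: int = 0) -> bytes:
    off_flags = 0x5000 | 0x10 | (TCP_URG if urg else 0)   # data offset 5, ACK, optional URG
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 1, off_flags, 8192, 0, urg_ptr)


IGMP_QUERY = b"\x11\x00\x00\x00" + bytes(4)               # membership query, zeroed checksum
SAMPLE_PACKETS = {
    "winnuke": build_ipv4(TCP, build_tcp(139, urg=True, urg_ptr=3)),
    "normal_netbios": build_ipv4(TCP, build_tcp(139)),
    "urg_other_port": build_ipv4(TCP, build_tcp(80, urg=True, urg_ptr=1)),
    "igmp_fragment": build_ipv4(IGMP, IGMP_QUERY, mf=True),
    "igmp_whole": build_ipv4(IGMP, IGMP_QUERY),
}


def run_samples() -> dict:
    """Classify every sample packet; a real FW would log the 'drop:*' verdicts."""
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Only the first fragment of a TCP segment carries the header, so the port-139 rule is evaluated when the fragment offset is zero; later fragments would need reassembly before the same check applies.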