CVE-2000-1227

MEDIUM 5.0 / 10.0
Published: December 31, 2000 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Windows NT 4.0 and Windows 2000 hosts allow remote attackers to cause a denial of service (unavailable connections) by sending multiple SMB SMBnegprots requests but not reading the response that is sent back.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Windows NT 4.0 and Windows 2000 servers are vulnerable to a denial-of-service (DoS) attack. A remote attacker can exhaust server resources by sending many SMB negotiate (SMBnegprot) requests and never reading the responses, leading to service unavailability and potential business disruption.

02 // Vulnerability Mechanism

Step 1: Connection Initiation: The attacker sends multiple SMBnegprot requests to the target server's SMB service (port 139 or 445). These requests initiate a connection attempt but do not complete the SMB negotiation process.

Step 2: Resource Allocation: The server allocates resources (e.g., connection slots, memory) for each received SMBnegprot request, expecting the client to read the response and continue the session setup.

Step 3: Response Neglect: The attacker intentionally does not read the server's response to the SMBnegprot request. This leaves the connection in a half-open state.

Step 4: Resource Exhaustion: The attacker repeats steps 1-3, sending a large number of SMBnegprot requests without reading the responses. Each incomplete connection consumes server resources.

Step 5: Denial of Service: As the server's resources are exhausted, it becomes unable to accept new connections, effectively causing a denial of service. Legitimate users are unable to access shared resources.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in how the SMB service handles connection requests. Specifically, the server fails to properly manage resources when a client initiates a connection (SMBnegprot request) but does not complete the handshake by reading the server's response. This leads to a resource leak, where the server holds resources for each incomplete connection. Repeatedly sending these incomplete requests consumes the available connection slots, eventually exhausting the server's capacity and causing a DoS. The root cause is a lack of proper connection tracking and resource cleanup (such as timing out abandoned sessions) for SMB sessions that never progress past negotiation.

CVE-2000-1227 - MEDIUM Severity (5) | Free CVE Database | 4nuxd