This attack is simple and can be launched with a basic C/C++ or Perl program. This is one of the main reasons why it is so important to review the audit files on a daily basis and to fully understand what is being run on any of your systems. However, it would be very easy for an attacker to change the name of the program prior to running it. The easiest way to detect this is to see that the CPU Hog file has been run. The previous system shutdown at 6:59 PM on 9/1/99 was unexpected. When the appropriate auditing is turned on, the following event occurs in the secu rity log and can be viewed with Event Viewer in NT. The events that need to be audited are security policy changes and process tracking. To detect whether an attacker has used the CPU Hog exploit, security auditing must be turned on. The final symptom is when the computer locks up and all processes stop responding, but it is probably too late at this point. Also, as soon as NT starts boosting the priority of all other applications and processes to 15, it is usually a symptom that another application is running at a priority of 16. Microsoft could get around the problem fairly easily in one of two ways: increase the maximum priority given to other, CPU-starved applications above level 15, or increase the priority of the Task Manager above level 16, so it can be used to end CPU-hogging applications.īecause most user applications do not set their priority level to 16, whenever an application does this, it should send up a flag.
#Inetinfo exe cpu usage windows#
Almost all forms of UNIX automatically decrease the priority of the highest-priority process when applications become starved for CPU time, which is the opposite of what Windows NT does. Many forms of UNIX enable administrators to set limits on CPU usage by user, limiting any one user to 50 percent of available CPU cycles, for example. So old in fact that most operating systems have developed a defense against these types of attacks. Hogging the CPU is one of the oldest known forms of Denial of Service attacks. The only way to regain control of the machine after CPU Hog has been run is to reboot the machine. This happens because CPU Hog is running at a level of 16 while all other applications are running at a priority of 15. Thus, all other applications, even system utilities such as Task Manager, never get a chance to execute while CPU Hog is running. However, Windows NT only boosts applications as high as level 15. Windows NT attempts to deal with CPU-hogging applications by boosting the priority of other applications. The exploit works by having the CPU Hog program set it’s priority to the highest level available, which is level 16 when run by a normal user. Applications running under accounts without administrative privileges can set their priority to any of the first 16 of those levels.
An application running under a user account with administrative privileges can set its priority to any of 32 levels, with the highest level giving it more time slices. Applications can set their own priority level, which could impact how often Windows NT allows those applications to run. Priority to the highest level, 16, the system can still gain control because it can set its priority level as high as 32.ĬPU Hog works by exploiting the vulnerability in the way Windows NT schedules the execution of processes.
0 kommentar(er)
