There is a new 0-day vulnerability called SMBloris presented yesterday ny Sean Dillon @zerosum0x0 DEFCON 25 which allows remote attacker to run a DoS attack against SMB called SMBLoris. Remote attacker can lunch DoS attack by requesting multiple SMB requests to the remote machine. SMBLoris vulnerability can be rendered with a single machine and a low bandwidth connection as well. Hence the name is similar as SlowLoris (Similar DoS Vulnerability on Web Servers). Recommended Action: While this has been reported earlier to Microsoft, Microsoft set the risk rating as Medium. and wont issue any Patch for this vulnerability on SMB v1. Hence the best practice is as follows:
1- Assess dependency on SMBv1
2- Block Ingress SMBv1 request on Internet Facing Servers
3- For those dependent Servers and Applications, Monitor the ingress Multiple SMB request connections on port 445 and raise the Flag for it, (Detail: Log all incoming SMB request on firewall, and then define a role on SIEM to detect and raise a flag for multiple SMB request coming from a single source.)
4- and plan to upgrade to the higher SMB version (SMBv2,SMBv3)
5- For independent machines and application, Block SMBv1.
Reference:
1-http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html
2-https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/
The adventures of an Information Security Consultant 