Aug 08 2017 09:32 AM
Aug 15 2017 02:00 PM
Hi. SMBLoris has no known attack vehicles, just a demo proof of concept. MSRC rated it as Moderate/DoS because it is blocked at the network edge by normal port 445 firewall rules. Inside of a network, its usage would only announce and pinpoint the attacker - a single node sending a large number of unauthenticated SMB connections. Those connections can then also be temporarily blocked by individual nodes' own software firewalls blocking 445 until the attackers inside the LAN are removed. Since the attack's novelty is that only a single node is involved, a network capture running against the target that you temporarily exposed would quickly identify the client. It would only be somewhat effective in an entirely unmanaged network with no permanent IT staff.
It is likely we will patch this in a later semi-annual release of Windows/Windows Server, in order to prevent unmanaged consumer users with no firewalls configured from being affected. Moderate-rated vulnerabilities often get fixed in this manner for the sake of completeness. To have that change backported is much less likely though. The patch itself carries some application compatibility risk (as do all rate limiters), perhaps leading to affecting customers unnecessarily, so it must be designed and tested carefully.
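The reply above notes that a single node holding a large number of SMB connections is easy to pinpoint. As an added example (not part of the original reply and not Microsoft tooling), the Python below counts established inbound TCP/445 connections per remote host from `netstat -ano` output saved on the target; the sample addresses are constructed and the `THRESHOLD` cutoff is an assumption to tune per server.

```python
from collections import Counter

SMB_PORT = 445
THRESHOLD = 100  # assumed cutoff; tune to what is normal for your file servers

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6%zone]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def smb_clients(netstat_text, port=SMB_PORT):
    """Count established inbound TCP connections to `port` per remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # header, UDP, LISTENING, TIME_WAIT and similar
        try:
            _, local_port = split_endpoint(fields[1])
            remote_host, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # malformed endpoint column
        if local_port == port:
            counts[remote_host] += 1
    return counts

def noisy_clients(netstat_text, threshold=THRESHOLD):
    """Return [(remote_host, count)] at or above threshold, busiest first."""
    return [(h, n) for h, n in smb_clients(netstat_text).most_common() if n >= threshold]

def sample():
    """Constructed `netstat -ano` output: one client holding 300 SMB connections."""
    lines = ["  Proto  Local Address          Foreign Address        State           PID"]
    lines += [f"  TCP    10.0.0.5:445    10.0.0.23:{50000 + i}    ESTABLISHED    4"
              for i in range(300)]
    lines += ["  TCP    10.0.0.5:445    10.0.0.40:51515    ESTABLISHED    4",
              "  TCP    [fe80::5%12]:445    [fe80::9%12]:49800    ESTABLISHED    4",
              "  TCP    10.0.0.5:3389    10.0.0.23:60001    ESTABLISHED    1100",
              "  TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4"]
    return "\n".join(lines)

if __name__ == "__main__":
    for host, n in noisy_clients(sample()):
        print(f"{host}: {n} established connections to TCP/{SMB_PORT}")
```

A host flagged here is the candidate for the temporary port 445 block on the node's software firewall that the reply describes.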