I personally worried about the simplicity of the attack. Granted at this stage, its just a DoS, but then take corporate patch cycles into account.. In reality, most aren't going to get patched, at best, for another week or so. Security is still second-fiddle at many companies.

Confirmed with Windows 8.1 Pro w/ IIS ..

Same conditions, must run request twice for the .png (with the IIS rule set)

Not like it matters, but I am toying with the first Range number.. (ie: 40-1884...615)

Edit: crash @ 40-1884, oh-shit-reboot at 100-1884

Confirmed: I couldn't force a BS using the originally supplied range numbers, but changing it as per above to 100 did the trick (windows 2008 non R2 & 2012 R2)