nt.pdc.dos.txt

1999-08-17T00:00:00
ID PACKETSTORM:11819
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            ` Date: Fri, 4 Jun 1999 14:01:01 -0700  
Reply-To: Carl Byington <carl@FIVE-TEN-SG.COM>  
Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>  
From: Carl Byington <carl@FIVE-TEN-SG.COM>  
Subject: denial of service attack against NT PDC from Win95 workstation  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
I searched the archives, but did not find this one discussed.  
  
We have an NT PDC and a bunch of Win95 workstations. The NT domain name is  
AAA and the PDC netbios machine name is BBB. Normally, the Win95  
workstations are configured to logon to the NT domain, and with the  
identification tab set to workgroup=AAA. This works nicely.  
  
However, we misconfigured a Win95 box with workgroup=BBB. No symptoms were  
evident until the server was rebooted after a power failure (properly  
handled by an APC UPS). We then got the 'BBB is not a valid computer name'  
which caused the workstation service to fail to start, and that in turn  
prevented a bunch of other stuff from starting. The event log entry pointed  
to the IP address of the PDC as being responsible for trying to add the  
conflicting name BBB.  
  
We could manually start the affected services, starting with the  
workstation service. At that point, things seemed to be more or less  
normal, but user manager for domains had problems opening the user list.  
  
These symptoms seemed to be similar to those listed in MS article Q166184,  
but we don't have RAS installed on that machine, and we don't have any  
static WINS entries. However, we did not scroll thru the full list of  
workstations in the WINS database, or we would have seen the Win95  
workstation that had registered the name BBB.  
  
At this point, we deleted the entire WINS database and rebooted the server.  
Things worked normally until that workstation again registered its name as  
BBB, but this time the event log pointed to the workstation IP so we could  
finally track it down.  
  
The server is running NT4, SP3.  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: 4.5  
  
iQCVAgUBN1g+hdZjPoeWO7BhAQFtoAQAqEkBc/RfrRuIyddbQRZ+gJxHYnflk0NU  
pAv+vx9vbI/qAVzdPH2anLMyb4Sci042Tix9bsRCHIB3V6f8qqBgaOSpJjzZEn8z  
OmY+sxlgnuC6yO4c2VWXJTh4OGq6HS0wjhPdQKfKHvYe5BvePeJ6+S8gl5BuG5lO  
pV33Ftg1JRU=  
=Dt/i  
-----END PGP SIGNATURE-----  
  
PGP key available from the key servers.  
Key fingerprint 95 F4 D3 94 66 BA 92 4E 06 1E 95 F8 74 A8 2F A0  
  
http://www.five-ten-sg.com  
  
`