X-Sender: carl@mail.five-ten-sg.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <4.1.19990604133755.019936c0@mail.five-ten-sg.com>
Date: Fri, 4 Jun 1999 14:01:01 -0700
Reply-To: Carl Byington
Sender: Windows NT BugTraq Mailing List
From: Carl Byington
Subject: denial of service attack against NT PDC from Win95 workstation
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I searched the archives, but did not find this one discussed.

We have an NT PDC and a bunch of Win95 workstations. The NT domain name is AAA and the PDC NetBIOS machine name is BBB. Normally, the Win95 workstations are configured to log on to the NT domain, with the identification tab set to workgroup=AAA. This works nicely.

However, we misconfigured a Win95 box with workgroup=BBB. No symptoms were evident until the server was rebooted after a power failure (properly handled by an APC UPS). We then got the 'BBB is not a valid computer name' error, which caused the workstation service to fail to start, and that in turn prevented a bunch of other stuff from starting. The event log entry pointed to the IP address of the PDC as being responsible for trying to add the conflicting name BBB.

We could manually start the affected services, starting with the workstation service. At that point, things seemed to be more or less normal, but User Manager for Domains had problems opening the user list. These symptoms seemed to be similar to those listed in MS article Q166184, but we don't have RAS installed on that machine, and we don't have any static WINS entries. However, we did not scroll through the full list of workstations in the WINS database, or we would have seen the Win95 workstation that had registered the name BBB. At this point, we deleted the entire WINS database and rebooted the server.
Things worked normally until that workstation again registered its name as BBB, but this time the event log pointed to the workstation IP, so we could finally track it down.

The server is running NT4, SP3.

PGP key available from the key servers. Key fingerprint 95 F4 D3 94 66 BA 92 4E 06 1E 95 F8 74 A8 2F A0
http://www.five-ten-sg.com
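The collision Carl describes (a workgroup name registered by a workstation that equals the PDC's unique computer name) can be caught by scanning the registered NetBIOS names before a reboot exposes it. The following is an added example, not code from the post: it takes a constructed list of name registrations in the shape a WINS export or `nbtstat -n` would show (name, 16th-byte suffix, unique/group flag, owner IP; the addresses are made up) and reports any name+suffix that is registered both as a UNIQUE computer name and as a GROUP workgroup/domain name, or by more than one UNIQUE owner.

```python
from collections import defaultdict

# Constructed sample registrations: (name, suffix, type, owner IP).
# Suffixes: 0x00 = workstation name / workgroup group name,
# 0x20 = file server, 0x1B = domain master browser (PDC),
# 0x1C = domain controllers group. IPs are placeholders.
SAMPLE_REGISTRATIONS = [
    ("BBB",  0x00, "UNIQUE", "192.0.2.1"),   # PDC computer name
    ("BBB",  0x20, "UNIQUE", "192.0.2.1"),
    ("AAA",  0x00, "GROUP",  "192.0.2.1"),   # NT domain name
    ("AAA",  0x1B, "UNIQUE", "192.0.2.1"),
    ("AAA",  0x1C, "GROUP",  "192.0.2.1"),
    ("WS01", 0x00, "UNIQUE", "192.0.2.50"),
    ("AAA",  0x00, "GROUP",  "192.0.2.50"),  # correctly set workgroup=AAA
    ("WS02", 0x00, "UNIQUE", "192.0.2.51"),
    ("BBB",  0x00, "GROUP",  "192.0.2.51"),  # misconfigured workgroup=BBB
]


def find_name_conflicts(registrations):
    """Return {(NAME, suffix): {"UNIQUE": [ips], "GROUP": [ips]}} for each
    name+suffix that is claimed both as a UNIQUE (computer) name and as a
    GROUP (workgroup/domain) name, or by more than one UNIQUE owner.
    Several hosts sharing a GROUP name is normal and is not reported."""
    owners = defaultdict(lambda: {"UNIQUE": [], "GROUP": []})
    for name, suffix, kind, ip in registrations:
        owners[(name.upper(), suffix)][kind.upper()].append(ip)
    conflicts = {}
    for key, kinds in owners.items():
        if kinds["UNIQUE"] and (kinds["GROUP"] or len(kinds["UNIQUE"]) > 1):
            conflicts[key] = kinds
    return conflicts


def describe_conflicts(conflicts):
    """Render conflicts as one line each, naming every owner so the
    offending workstation IP is visible without waiting for an event log."""
    lines = []
    for (name, suffix), kinds in sorted(conflicts.items()):
        lines.append("%s<%02X>: unique=%s group=%s" % (
            name, suffix, ",".join(kinds["UNIQUE"]), ",".join(kinds["GROUP"])))
    return lines


if __name__ == "__main__":
    for line in describe_conflicts(find_name_conflicts(SAMPLE_REGISTRATIONS)):
        print(line)
```

Running it on the sample reports only `BBB<00>`, owned uniquely by the PDC and as a group name by 192.0.2.51, which is the box that needs its workgroup changed back to AAA.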