Date:         Fri, 4 Jun 1999 14:01:01 -0700
  Reply-To:     Carl Byington <carl@FIVE-TEN-SG.COM>
  Sender:       Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
  From:         Carl Byington <carl@FIVE-TEN-SG.COM>
  Subject:      denial of service attack against NT PDC from Win95 workstation

  -----BEGIN PGP SIGNED MESSAGE-----

  I searched the archives, but did not find this one discussed.

  We have an NT PDC and a bunch of Win95 workstations. The NT domain name is
  AAA and the PDC netbios machine name is BBB. Normally, the Win95
  workstations are configured to logon to the NT domain, and with the
  identification tab set to workgroup=AAA. This works nicely.

  However, we misconfigured a Win95 box with workgroup=BBB. No symptoms were
  evident until the server was rebooted after a power failure (properly
  handled by an APC UPS). We then got the 'BBB is not a valid computer name'
  which caused the workstation service to fail to start, and that in turn
  prevented a bunch of other stuff from starting. The event log entry pointed
  to the IP address of the PDC as being responsible for trying to add the
  conflicting name BBB.

  We could manually start the affected services, starting with the
  workstation service. At that point, things seemed to be more or less
  normal, but user manager for domains had problems opening the user list.

  These symptoms seemed to be similar to those listed in MS article Q166184,
  but we don't have RAS installed on that machine, and we don't have any
  static WINS entries. However, we did not scroll thru the full list of
  workstations in the WINS database, or we would have seen the Win95
  workstation that had registered the name BBB.

  At this point, we deleted the entire WINS database and rebooted the server.
  Things worked normally until that workstation again registered its name as
  BBB, but this time the event log pointed to the workstation IP so we could
  finally track it down.

  The server is running NT4, SP3.


  -----BEGIN PGP SIGNATURE-----
  Version: 4.5

  iQCVAgUBN1g+hdZjPoeWO7BhAQFtoAQAqEkBc/RfrRuIyddbQRZ+gJxHYnflk0NU
  pAv+vx9vbI/qAVzdPH2anLMyb4Sci042Tix9bsRCHIB3V6f8qqBgaOSpJjzZEn8z
  OmY+sxlgnuC6yO4c2VWXJTh4OGq6HS0wjhPdQKfKHvYe5BvePeJ6+S8gl5BuG5lO
  pV33Ftg1JRU=
  =Dt/i
  -----END PGP SIGNATURE-----

  PGP key available from the key servers.
  Key fingerprint 95 F4 D3 94 66 BA 92 4E  06 1E 95 F8 74 A8 2F A0

  http://www.five-ten-sg.com