[Samba] xp client spoolers cause packet storm

[John Drescher]

On 1/9/07, Lou Goddard <goddarlh at hbcs.org> wrote:
> Greetings,
>
> I have recently come into contact with several Windows XP SP2 machines
> that are generating between 10,000 and 20,000 pps each.  They are
> sending multiple requests for RpcSeekPrinter ( dcerpc opnum 53 ).  Also
> worth noting is the structure of the packet, it is padded with zeros and
> consumes much bandwidth during the flood.  Since the clients are
> spending most of their time flooding the samba spooler, they report
> extremely slow file sharing and laggy application performance.
>
> This seems to be related to the Microsoft KB 329234 or possibly 811896.
>
> I have read similar posts about this topic.  They usually have to do
> with slow printing.  In our environment, we were alerted due to the
> abnormally high network congestion and client cpu utilization caused by
> this.  The hotfix provided by Microsoft in 329234 is not appropriate for
> our version of Windows.  Our spooler DLLS are much newer than the patch.
>
I have not looked up the KB articles but have you checked the
following registry keys on the xp boxes HKEY_CURRENT_USER\Printers. In
this key if there are subkeys that contain the names or ipaddresses of
printers XP will try to contact every printer listed in these keys
even if they do not exist and you are not trying to print to any of
them as a result thousands of packets are spammed to the network. We
had this problem and the solution was to delete the offending keys on
all XP sp2 boxes.

John