[Samba] WINS unicast name restration storm

[Filer, Darrin J.]

We recently migrated to an active directory controlled domain with the old linux pdc becoming just a member of the new domain. It previously had served as the WINS server.

The WINS server settings update was missed on a few printers and these printers continued sending unicast name registration requests to the linux server. With over 300 requests per second being sent from these printers, it came close to a denial of service attack. Also, every one of these requests was logged in /var/log/messages as follows:
"Aug 11 23:40:01 alpha2 nmbd[8840]:   process_name_registration_request: unicast name registration request received for name HRB<00> from IP 10.7.3.24 on subnet UNICAST_SUBNET. Error - should be sent to WINS server"

In just one night, this totaled up to over 80 gigs of logging. When it came time to rotate the logs, things really went wrong. The server went from being almost unusably sluggish to completely unresponsive for minutes on end.

Hopefully this post helps others experiencing the same systems. Because some of the printers ended their WINS request storm after just a few minutes, the problem wasn't immediately noticeable until scrolling back through the logs. What we thought was winbindd hanging while requesting data from AD, was likely actually caused by the request storm.

It looks like winbindd has been re-architected to prevent blocking like this, but I haven't installed the latest version in order to test that theory.

Would turning off WINS request logging alleviate the problem? Is such a thing even possible?



DARRIN FILER
IT Manager

Cook Vascular Incorporated
1186 Montgomery Lane
Vandergrift, PA 15690
724-845-8621 x2222
724-845-2848 (fax)
www.cookmedical.com<http://www.cookmedical.com/>