Issues with LenovoEMC Storage Connector - Spiceheads take warning!


Let me just start with this - with over 25 years of network engineering, technical support and problem solving under my hat, and having gone around the IT block a number of times in major corporations, I have to say that I finally ran into the worst piece of coding that I have ever witnessed in my entire professional career. What I witnessed was totally shocking and I just want to post this here for other Spiceheads to take note of. I also hope someone from Lenovo sees the post as well.

I had a friend call me recently, desperate for help; she manages a small IT staff of 3 people for a property insurance underwriting company that does a boatload of work. My friend stated that they had a long-time consultant on staff who handled most, if not all, of their IT work, but sadly he passed away, leaving them in a bind. The remaining staff on hand were never properly trained on how to handle the situation that they were in now.

My friend stated that for the past few weeks they were having serious network issues, to the point where they would have no connection to the internet; outside customers couldn't reach their network, nor could most of them work within their own network. At first they thought that maybe their ISP was having an issue or perhaps they were under a DDoS attack. Working with their ISP, they were informed that their ISP was seeing large spikes of traffic originating from their network, followed by large bursts of traffic heading back to them.

My first line of approach: question them, get an idea of any changes done - anything changed on your network, anything added/removed, any major changes to software or processes. All answered no; everything has been the same, but suddenly their network is failing them.

Second line: get over there and do an assessment myself, check the hardware, get a packet tracer on as well and capture everything. Fortunately for me (but unfortunately for them) it was a daily occurrence, so I didn't have to wait around for it to raise its ugly head.

Bottom line - traced it back to a new Lenovo YOGA laptop that they received a few weeks prior. And yes, just around the time that the network would go to trash.

What it was traced back to is a vendor-loaded (yes, we can all say it: bloatware) application called LenovoEMC Storage Connector - specifically a process it was running called (get this) Discover.exe, and yes, it looks like it does what it's named to do, but there is a bug, or a huge flaw in it, as I doubt it was designed to be doing what it was doing.

The process on this laptop was generating an inordinate amount of NetBIOS name searches that weren't just local broadcast but direct targeted packets. And it was doing it fast and furiously; this process is insatiable and belligerent at its job of discovery, and it will grind a network to a crawl.

TL;DR: Uninstall it if you don't need it - I would assume its job is to discover LenovoEMC storage units (formerly Iomega, I believe) on what is supposed to be your own network.

If you are still here then let's take a look at some screen captures along with my comments. I kept the screen captures small because there are quite a few of them and I wanted to get my point across to you all.

Please keep the following in mind when you are looking at the screen captures. 

Note the frame numbers, note the time, and pay particular attention to what is going on with the targeted destination IP addresses. These addresses are not local to my client; these are external public IP addresses (masked out a bit, but you will get the idea).

First screen shot - basically, if you do a network trace (wireshark.org) at the time that your network is grinding to a halt, you will see this. Seriously, NB name queries? I thought WINS et al. died off a long time ago. And what is with that query of <00><00><00><00><00>........????

Keep paying attention to the time stamp and look at the destination; see what it's doing? See how fast it's dumping these packets on the network?


Look where we are now relative to time and what the destination is - this is the beginning of a self-generated DDoS attack, not my client's doing but graciously provided by a vendor's piece of bloatware that most people have no idea what it's for, why it's running or if it's needed.

Look what happens when it reaches the end of a subnet - you guessed it.

And remember what I stated about being targeted directly? Well, I guess that one might get replies, especially if NetBIOS packets are allowed out of one's own network (I have more work to do here for my friend), but worse if the receiving side lets them in. One thing to note here: the process seemed to stop its NetBIOS name search queries once it got a reply, in order for it to spam an ARP request.

I'll have to reply to my own thread here as it looks like I can only insert so many pictures.
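As an added example (not part of the original post), here is a small detector for the pattern the trace above shows: one host firing NetBIOS name queries at a high rate at addresses outside the client's own subnet, walking through external hosts one after another. The summary lines, the 192.168.1.0/24 LAN and the 203.0.113.0/24 external addresses are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed tshark-style summary lines: frame, time(s), src, dst, proto, info.
# 192.168.1.0/24 is the (hypothetical) client LAN; 203.0.113.0/24 stands in for
# the external targets the post's trace showed being walked one address at a time.
SAMPLE_TRACE = """\
1 0.000 192.168.1.50 203.0.113.10 NBNS Name query NB <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
2 0.004 192.168.1.50 203.0.113.11 NBNS Name query NB <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
3 0.008 192.168.1.50 203.0.113.12 NBNS Name query NB <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
4 0.012 192.168.1.50 203.0.113.13 NBNS Name query NB <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
5 0.016 192.168.1.50 203.0.113.14 NBNS Name query NB <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
6 0.150 192.168.1.20 192.168.1.255 NBNS Name query NB FILESERVER<20>
7 0.200 192.168.1.20 192.168.1.1 DNS Standard query A www.example.com
8 0.300 192.168.1.50 203.0.113.15 NBNS Name query NB <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
"""

def parse_trace(text):
    """Turn summary lines into dicts; 'info' keeps the rest of the line intact."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # skip blank or truncated lines
        frame, t, src, dst, proto, info = parts
        records.append({"frame": int(frame), "time": float(t), "src": src,
                        "dst": dst, "proto": proto, "info": info})
    return records

def find_nbns_flooders(records, local_nets, min_targets=5, min_rate=10.0):
    """Return {src: stats} for hosts sending NBNS name queries to at least
    min_targets hosts outside local_nets at min_rate queries/second or more."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] != "NBNS" or not r["info"].startswith("Name query"):
            continue
        if any(ipaddress.ip_address(r["dst"]) in n for n in nets):
            continue  # normal local/broadcast name resolution, not our concern
        by_src[r["src"]].append(r)
    flagged = {}
    for src, qs in by_src.items():
        span = qs[-1]["time"] - qs[0]["time"]
        rate = len(qs) / span if span > 0 else float("inf")
        targets = {q["dst"] for q in qs}
        if len(targets) >= min_targets and rate >= min_rate:
            flagged[src] = {"queries": len(qs), "unique_targets": len(targets),
                            "rate_per_s": round(rate, 1),  # queries per second
                            "null_name_queries": sum("<00><00><00>" in q["info"] for q in qs)}
    return flagged
```

On a real capture, export the summary with `tshark -r capture.pcap -T fields` (or Wireshark's packet list) into the same column order and pass the client's own prefixes as `local_nets`; the flagged source is the host to go and look at.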

