Windows Explorer DOS Attacks On IBM i 7.3

If you have noticed that Windows Explorer seems to be running especially slow when mapped to your IBM i server, you are not alone. Over the past month, there have been several reports of what appear to be limited denial of service (DOS) attacks against servers running IBM i 7.3. This issue stems from a change in protocols for mapped drives that IBM made with the new operating system, but it appears that Microsoft is on the hook for the fix.

IBM issued a Technote about a month ago to describe the problem and to offer various workarounds. The problem exists in the connection between the Windows Explorer utility in Windows 7 and Windows 10, and the NetServer program in IBM i version 7.3 that lets clients access the IFS file shares via a network drive.

In its Technote, IBM says: “Microsoft Windows Explorer performs an endless, rapid, refresh of a drive mapped to a NetServer share. This prevents the user from paging through the file list and performing tasks such as rename object, etc.”

The result of the rapid refreshes is wasting of IBM i resources, which is the definition of a DOS attack. However, it doesn’t appear that the problem is impacting any other aspects of IBM i performance.

“So far the DOS attack only causes issues with the Windows file explorer sessions,” Rob Berendt, an IBM i administrator for a company in Indiana who has been tracking the problem, wrote on the MIDRANGE-L discussion board. “We’ve not noticed other performance implications.”

You can tell if your copy of Windows Explorer is impacted “if the arrows on folders are flashing on/off when in Windows Explorer with the mouse cursor in the navigation pane,” IBM says in its Technote.

The problem is related to a change in the Server Message Block (SMB) protocol that IBM made with the new OS. In previous releases, IBM used SMB1 to connect network drives to Windows clients and provide access to printers, serial ports, etc. With IBM i 7.3, IBM switched to the newer SMB2 protocol for security reasons.

IBM says there’s nothing wrong with its implementation of SMB2 in its NetServer software. “NetServer is protocol compliant and changes need to be made on the client to avoid wasting resources,” IBM says in its Technote. “Microsoft Windows Explorer is ignoring a STATUS_NOT_SUPPORTED response that is returned to it from the IBM i server on a Change Notify request.”

It doesn’t appear that this problem is a priority for Microsoft. In an email to IT Jungle, Berendt says the author of IBM’s Technote talked directly to the developers of the SMB2 code at Microsoft. “They admitted they’re not up to spec,” Berendt says. “They have no plans at this time to change.”

IBM is encouraging other IBM i 7.3 users to come forward if they’re experiencing the problem. IBM is also encouraging IBM i 7.3 users to request that Microsoft fix the problem.

IT Jungle contacted Microsoft about the apparent problems with the SMB2 implementation and the “change notify” requests. While there was no official response, it appears the two sides may be working together to find a solution.

In the meantime, IBM offers several workarounds, including:

• Using IBM System i Navigator instead of Windows Explorer
• Using a SAMBA client to connect to NetServer shares
• Modifying the Windows registry to disable “change notify”
• Using FTP instead of Explorer
• Using an NFS mount
• And disabling SMB2 on IBM i

For more information, see IBM’s Technote at http://www-01.ibm.com/support/docview.wss?uid=nas8N1021348.