Educause Security Discussion mailing list archives
Re: WPAD DNS floods
From: Dan Peterson <drpeterson () ES NET>
Date: Wed, 16 Jan 2008 10:39:33 -0800
Not sure if this will help or not:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1284764,00.html

"Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program."

"Microsoft Security Advisory 945713 suggests users mitigate the threat by creating a WPAD.DAT proxy auto configuration file on a host named WPAD to direct Web browsers to the organization's proxy; disabling the automatic detection settings in Internet Explorer; disabling DNS devolution; and configuring a domain suffix search list."

This is the link referred to above:

http://www.microsoft.com/technet/security/advisory/945713.mspx

Hope this helps,

-- Dan
-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 16, 2008 10:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] WPAD DNS floods

Jeff Kell wrote:
> Gary Flynn wrote:
>> Anyone seen floods to wpad.university.edu and tracked the problem down?
>> We've seen it intermittently in the past but not to a significant degree
>> but we just experienced substantial performance impact on our DNS servers
>> from one student machine. We've got the machine in hand and are
>> investigating but I thought I'd ask.
>
> Yes, that's Windows Proxy Automatic Detection. If you have a captive
> portal type of application, it will likewise be flooded with requests to
> GET wpad.dat. Vista must die :-)

But why would a client repeatedly try hundreds of times per second for half an hour or more to resolve wpad.jmu.edu if it didn't get an answer the first time?

Unfortunately, we haven't been able to reproduce the problem yet since we've obtained the culprit computer.

We do not run any web proxies except in the library and do not, to my knowledge, have any WPAD implementations though I'm thinking strongly about dummying some up along with some ISATAP ones.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
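The thread asks how to track a WPAD lookup storm back to one host. The script below is an added example and is not code posted by anyone on the list. It assumes resolver query logs in the BIND 9 "querylog" line shape (the regex LINE_RE is the assumption; adjust it for another resolver), counts lookups for names whose leftmost label is "wpad" per client address, and flags clients whose sustained lookup rate looks like the hundreds-per-second retry behaviour described above. The log lines, client addresses and the wpad.example.edu name are constructed for the example, not captured from anyone's servers.

```python
"""Find the host behind a WPAD lookup flood from resolver query logs.

Added example for this thread; it is not code posted by any list
participant. It parses query-log lines in the BIND 9 "querylog" shape
(an assumption: adjust LINE_RE for other resolvers), counts lookups for
names starting with "wpad." per client, and flags clients whose lookup
rate looks like the retry storm described above. The sample log lines
are constructed here, not captured from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "16-Jan-2008 10:20:00.000 client 10.1.1.5#53120: query: www.example.edu IN A +"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_wpad_name(qname):
    """True for the bare name 'wpad' and for any name whose leftmost label is wpad."""
    return qname == "wpad" or qname.startswith("wpad.")


def wpad_query_stats(lines):
    """Per-client counters for WPAD lookups: count, first/last seen, and the names asked for."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, qname, _qtype = rec
        if not is_wpad_name(qname):
            continue
        s = stats.setdefault(ip, {"count": 0, "first": ts, "last": ts, "names": defaultdict(int)})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["names"][qname] += 1
    return stats


def flag_flooders(stats, min_queries=20, min_rate=5.0):
    """Clients with at least min_queries WPAD lookups averaging min_rate or more per second.

    A client below min_queries is never flagged, so a handful of normal
    autodiscovery lookups do not trip it; a burst of min_queries inside one
    log-timestamp tick (zero-length window) is treated as that many per second.
    """
    flagged = []
    for ip, s in stats.items():
        if s["count"] < min_queries:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        rate = s["count"] / span if span > 0 else float(s["count"])
        if rate >= min_rate:
            flagged.append({"ip": ip, "count": s["count"], "rate": round(rate, 1), "names": dict(s["names"])})
    return sorted(flagged, key=lambda f: f["count"], reverse=True)


def build_sample_log():
    """Constructed sample: one client with a single WPAD lookup, a non-log line that
    must be skipped, and one host retrying wpad.example.edu every 10 ms for two seconds."""
    def fmt(t):
        return t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]

    base = datetime(2008, 1, 16, 10, 20, 0)
    lines = [
        f"{fmt(base)} client 10.1.1.5#53120: query: wpad.example.edu IN A +",
        f"{fmt(base + timedelta(seconds=1))} client 10.1.1.5#53121: query: www.example.edu IN A +",
        "this line is not a query-log record and is skipped",
    ]
    for i in range(200):
        t = base + timedelta(milliseconds=10 * i)
        lines.append(f"{fmt(t)} client 10.1.7.42#{40000 + i}: query: wpad.example.edu IN A +")
    return lines


if __name__ == "__main__":
    for f in flag_flooders(wpad_query_stats(build_sample_log())):
        print(f"{f['ip']}: {f['count']} WPAD lookups at ~{f['rate']}/s, names={f['names']}")
```

Run against a real querylog, the names column is the useful part: it shows whether the client is stuck on a single name (as in the wpad.jmu.edu case above) or is walking through several suffixes, which is what the domain-suffix-search-list and devolution settings in the advisory control.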
Current thread:
- WPAD DNS floods Gary Flynn (Jan 16)
- <Possible follow-ups>
- Re: WPAD DNS floods Jeff Kell (Jan 16)
- Re: WPAD DNS floods Gary Flynn (Jan 16)
- Re: WPAD DNS floods Valdis Kletnieks (Jan 16)
- Re: WPAD DNS floods Valdis Kletnieks (Jan 16)
- Re: WPAD DNS floods Dan Peterson (Jan 16)
- Re: WPAD DNS floods Gary Flynn (Jan 16)
- Re: WPAD DNS floods Brad Judy (Jan 16)
- Re: WPAD DNS floods Brad Judy (Jan 16)
- Re: WPAD DNS floods Brad Judy (Jan 16)
- Re: WPAD DNS floods Gary Flynn (Jan 16)
- Re: WPAD DNS floods Doug Pearson (Jan 16)