Educause Security Discussion mailing list archives

Re: WPAD DNS floods


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 16 Jan 2008 20:57:44 -0500

Gary Flynn wrote:

Hi,

Anyone seen floods to wpad.university.edu and tracked
the problem down? We've seen it intermittently in the
past but not to a significant degree but we just experienced
substantial performance impact on our DNS servers from one
student machine. We've got the machine in hand and are
investigating but I thought I'd ask.

Coincidentally, it's a Vista machine, which reminds me of
the isatap.university.edu floods reported in the past.


Maybe worth pursuing to see if your wpad problem is related to the
isatap problem. At least one of the isatap problem reporting sites was
also seeing unusually high wpad requests from the problem machines. When
flailing at isatap, problem machines can generate thousands of requests
per second. Sounds like you were seeing that level of queries?

A case is open with MSFT regarding the isatap problem. Four or five
sites provided DNS logs, MSDT dumps, etc., but the problem hasn't been
solved. Part of the difficulty in solving the problem is that we've not
had a site that could replicate the problem in a controlled manner.
Replication difficulty has been both technical and operational (the
reports have always involved student machines).

At least where reported, the problem has involved Vista Home Premium,
and it seems that two machines are involved in some sort of dance. Kill
one of the two dancing machines and the other calms down.

At this point MSFT thinks the basic Vista is fine and is suspicious that
p2p sharing or gaming is kicking off the bad behavior. They'd like to
have a full network capture of all client activity at the start of the
behavior.

If you (or others on this list?) are able to replicate the bad isatap or
wpad behavior in a controlled environment, we'd be very interested to
add to the MSFT case.


Regards,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
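A defender-side check for the behaviour described in this thread, added here as an example and not code from either poster: it parses BIND-style query-log lines (the sample lines below are constructed) and reports any client whose per-second query count for a wpad or isatap name reaches a threshold. The log format, the watched labels and the threshold are assumptions; the floods discussed above ran to thousands of queries per second, so the sample uses a far lower cut-off just to show the logic.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 style query-log line, e.g.
# "16-Jan-2008 20:57:44.123 client 10.1.2.3#51234: query: wpad.university.edu IN A +"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# First labels of the autodiscovery names the thread saw flooded.
WATCHED_LABELS = ("wpad", "isatap")

def parse_line(line):
    """Return (second, client_ip, qname) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("qname").lower().rstrip(".")

def find_floods(lines, threshold):
    """Map (client_ip, qname) -> peak queries in any one second, keeping only
    watched names whose peak from a single client reaches `threshold`."""
    per_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue          # skip malformed or non-query lines
        ts, ip, qname = parsed
        if qname.split(".")[0] in WATCHED_LABELS:
            per_second[(ip, qname, ts)] += 1
    peak = defaultdict(int)
    for (ip, qname, _ts), n in per_second.items():
        peak[(ip, qname)] = max(peak[(ip, qname)], n)
    return {k: v for k, v in peak.items() if v >= threshold}

def sample_log():
    """Constructed log: normal background lookups plus one client hammering wpad."""
    base = "16-Jan-2008 20:57:{s:02d}.{ms:03d} client {ip}#{port}: query: {name} IN A +"
    lines = [
        base.format(s=40, ms=1, ip="10.0.5.9", port=40001, name="www.university.edu"),
        base.format(s=40, ms=2, ip="10.0.5.9", port=40002, name="wpad.university.edu"),
        base.format(s=41, ms=3, ip="10.0.7.2", port=40003, name="isatap.university.edu"),
        "this line is not a query log entry",
    ]
    for i in range(30):   # 30 wpad queries from one host inside a single second
        lines.append(base.format(s=44, ms=i, ip="10.1.2.3", port=50000 + i,
                                 name="wpad.university.edu"))
    return lines

if __name__ == "__main__":
    for (ip, name), rate in find_floods(sample_log(), threshold=20).items():
        print(f"{ip} asked for {name} {rate} times in one second")
```

Point it at a real query log and raise the threshold to match normal client behaviour on your network; a single source at hundreds or thousands per second is the machine to pull for the capture MSFT asked for.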
