Educause Security Discussion mailing list archives
Re: WPAD DNS floods
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 16 Jan 2008 20:57:44 -0500
Gary Flynn wrote:
> Hi, Anyone seen floods to wpad.university.edu and tracked the problem down? We've seen it intermittently in the past, but not to a significant degree, but we just experienced substantial performance impact on our DNS servers from one student machine. We've got the machine in hand and are investigating, but I thought I'd ask. Coincidentally, it's a Vista machine, which reminds me of the isatap.university.edu floods reported in the past.
Maybe worth pursuing to see if your wpad problem is related to the isatap problem. At least one of the isatap problem reporting sites was also seeing unusually high wpad requests from the problem machines. When flailing at isatap, problem machines can generate thousands of requests per second. Sounds like you were seeing that level of queries?

A case is open with MSFT regarding the isatap problem. Four or five sites provided DNS logs, MSDT dumps, etc., but the problem hasn't been solved. Part of the difficulty in solving the problem is that we've not had a site that could replicate the problem in a controlled manner. Replication difficulty has been both technical and operational (the reports have always involved student machines).

At least where reported, the problem has involved Vista Home Premium, and it seems that two machines are involved in some sort of dance. Kill one of the two dancing machines and the other calms down. At this point MSFT thinks the basic Vista is fine and is suspicious that p2p sharing or gaming is kicking off the bad behavior. They'd like to have a full network capture of all client activity at the start of the behavior.

If you (or others on this list?) are able to replicate the bad isatap or wpad behavior in a controlled environment, we'd be very interested to add to the MSFT case.

Regards,
Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
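As an added example (not part of this thread or of any REN-ISAC tooling), a small Python detector for the symptom both messages describe: it counts per-client, per-second queries for wpad./isatap. names in a BIND-style resolver query log and reports machines whose peak rate exceeds a threshold, so a flooding client can be picked out of the log before it hurts the servers. The log line format, the sample lines and the 100 qps threshold are constructed assumptions for the example; adjust the regex to your resolver's logging format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Query names the thread associates with runaway client behaviour (Vista ISATAP/WPAD discovery).
WATCHED_PREFIXES = ("wpad.", "isatap.")

# BIND-style query log record (assumed format for this example; adapt to your resolver).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp truncated to the second, client IP, lowercased qname), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), m.group("qname").lower()

def find_flooders(lines, qps_threshold=100):
    """Return {client: peak_qps} for clients whose one-second count of
    wpad./isatap. queries exceeds qps_threshold (threshold is an assumption)."""
    per_sec = defaultdict(Counter)  # client -> Counter(second -> query count)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-query records (e.g. startup or error lines)
        ts, client, qname = rec
        if qname.startswith(WATCHED_PREFIXES):
            per_sec[client][ts] += 1
    offenders = {}
    for client, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak > qps_threshold:
            offenders[client] = peak
    return offenders

# Constructed sample: one client hammering wpad.university.edu, one behaving normally.
SAMPLE_LOG = (
    [f"16-Jan-2008 20:57:44.{i:03d} client 10.20.30.40#5{i:04d}: query: wpad.university.edu IN A +"
     for i in range(250)]
    + ["16-Jan-2008 20:57:44.500 client 10.20.30.41#51234: query: wpad.university.edu IN A +",
       "16-Jan-2008 20:57:44.600 client 10.20.30.41#51235: query: www.university.edu IN A +",
       "16-Jan-2008 20:57:45.100 client 10.20.30.40#51300: query: isatap.university.edu IN A +"]
)

if __name__ == "__main__":
    print(find_flooders(SAMPLE_LOG))  # {'10.20.30.40': 250}
```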