Educause Security Discussion mailing list archives
Re: WPAD DNS floods
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 16 Jan 2008 13:39:15 -0500
On Wed, 16 Jan 2008 13:25:48 EST, Gary Flynn said:
But why would a client repeatedly try hundreds of times per second for half an hour or more to resolve wpad.jmu.edu if it didn't get an answer the first time?
Because it's a good little client, and believes really hard in the existence of wpad, and thinks if it imagines it hard enough, it Really Will Happen. ;) In other words, it's buggy software. I remember some 'set your PC clock' program about 10 years ago that listed one of our NTP servers as a clock source. When we tried to turn it off, we'd send an ICMP Port Unreachable - which would cause an *immediate* retry on their end, resulting in a stream of 50 to 300 packets a second, depending on the RTT from here to the offender. We finally opted to just blackhole the packets - that only caused 4-5 retransmits per second per offender.
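The practical problem in this exchange is spotting the retry storm in the first place: a single client re-asking the same question hundreds of times a second looks like ordinary traffic until the per-client, per-name rate is counted. The script below is an added example written for this archive page, not code from the thread or from either poster. It assumes BIND-style query log lines (the format, the client addresses and the example.edu names are all constructed here), buckets queries by client, query name and one-second window, and reports every pair whose peak rate reaches a threshold, so a flooding wpad lookup stands out while normal resolver use does not.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches a BIND-style query log record such as (constructed sample):
# 16-Jan-2008 13:25:48.003 client 10.0.0.7#51234: query: wpad.example.edu IN A + (192.0.2.53)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, client, qname, qtype) for a query record, or None for any other line."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    qname = m.group("qname").lower().rstrip(".")  # normalise case and trailing dot
    return ts, m.group("client"), qname, m.group("qtype")


def detect_query_floods(lines, threshold=50):
    """Return {(client, qname): peak_queries_per_second} for every client/name pair
    whose count in any single one-second bucket reaches `threshold`."""
    per_second = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue  # zone loads, errors and other non-query records are ignored
        ts, client, qname, _ = rec
        per_second[(client, qname, ts.replace(microsecond=0))] += 1

    peaks = {}
    for (client, qname, _), n in per_second.items():
        key = (client, qname)
        if n > peaks.get(key, 0):
            peaks[key] = n
    return {k: v for k, v in peaks.items() if v >= threshold}


def build_sample_log():
    """Constructed log: one client retries a wpad lookup 300 times within one second,
    another client queries normally, plus one non-query line the parser must skip."""
    def fmt(ts):
        return ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]

    base = datetime(2008, 1, 16, 13, 25, 48)
    lines = []
    for i in range(300):  # 3 ms apart, all inside second :48
        lines.append(f"{fmt(base + timedelta(milliseconds=3 * i))} client 10.0.0.7#51234: "
                     f"query: wpad.example.edu IN A + (192.0.2.53)")
    for i in range(5):  # one query per second is unremarkable
        lines.append(f"{fmt(base + timedelta(seconds=i))} client 10.0.0.9#40000: "
                     f"query: www.example.edu IN A + (192.0.2.53)")
    lines.append(f"{fmt(base)} client 10.0.0.7#51235: query: www.example.edu IN A + (192.0.2.53)")
    lines.append(f"{fmt(base + timedelta(seconds=2))} zone example.edu/IN: loaded serial 2008011601")
    return lines


if __name__ == "__main__":
    for (client, qname), peak in sorted(detect_query_floods(build_sample_log()).items()):
        print(f"{client} asked for {qname} {peak} times in one second")
```

The threshold is deliberately per-name rather than per-client: a busy host legitimately resolves many different names, but no sane resolver needs the same name more than a handful of times a second, so keying on (client, qname) keeps the false-positive rate low while still catching the case Gary describes. Feeding real resolver logs through it only requires adjusting `QUERY_RE` to the local log format.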