Educause Security Discussion mailing list archives

Re: WPAD DNS floods


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 16 Jan 2008 13:39:15 -0500

On Wed, 16 Jan 2008 13:25:48 EST, Gary Flynn said:

> But why would a client repeatedly try hundreds of times per second
> for half an hour or more to resolve wpad.jmu.edu if it didn't get
> an answer the first time?

Because it's a good little client, and believes really hard in the existence
of wpad, and thinks if it imagines it hard enough, it Really Will Happen. ;)

In other words, it's buggy software.  I remember some 'set your PC clock'
program about 10 years ago that listed one of our NTP servers as a clock source.
When we tried to turn it off, we'd send an ICMP Port Unreachable - which would
cause an *immediate* retry on their end, resulting in a stream of 50 to 300
packets a second, depending on the RTT from here to the offender.  We finally
opted to just blackhole the packets - that only caused 4-5 retransmits per
second per offender.
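The kind of offender described in this thread, a client re-asking for wpad.<domain> hundreds of times a second, is easy to pick out of a resolver's query log. The script below is an added example and not code from the original thread or from either poster. It assumes a roughly BIND 9 style query-log line (the exact field layout is an assumption, adjust LOG_RE for your resolver), buckets wpad lookups per client per second, and reports clients that sustain a rate above a threshold; the log lines it runs on are constructed in-line.

```python
"""Flag clients hammering the resolver for wpad.<domain> (added example).

Parses BIND-style query-log lines, counts wpad lookups per client per
second, and returns clients that exceed the threshold for several
consecutive log seconds. The sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Roughly BIND 9 query-log syntax; the precise format is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, normalised_qname) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    # Strip a trailing dot and fold case so WPAD.jmu.edu. == wpad.jmu.edu
    return ts, m.group("ip"), m.group("qname").rstrip(".").lower()


def wpad_offenders(lines, suffix="jmu.edu", per_second=50, min_seconds=2):
    """Return {ip: (peak_qps, busy_seconds)} for clients whose wpad lookup
    rate reached per_second in at least min_seconds distinct log seconds."""
    target = "wpad." + suffix
    buckets = defaultdict(lambda: defaultdict(int))  # ip -> epoch sec -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if qname != target:
            continue  # other names are noise for this check
        buckets[ip][int(ts.timestamp())] += 1

    result = {}
    for ip, per_sec in buckets.items():
        hot_seconds = [c for c in per_sec.values() if c >= per_second]
        if len(hot_seconds) >= min_seconds:
            result[ip] = (max(per_sec.values()), len(hot_seconds))
    return result


def _constructed_log():
    """Constructed sample: one flooding client, one normal client, one
    client that is noisy for a different name, and one junk line."""
    fmt = "16-Jan-2008 13:25:%02d.%03d client %s#%d: query: %s IN A +"
    lines = []
    for sec in range(48, 51):            # three seconds of wpad flood
        for n in range(120):
            lines.append(fmt % (sec, n, "192.0.2.10", 40000 + n, "wpad.jmu.edu"))
    lines.append(fmt % (48, 0, "192.0.2.20", 51234, "wpad.jmu.edu"))   # normal
    lines.append(fmt % (49, 0, "192.0.2.20", 51235, "WPAD.jmu.edu."))  # normal
    for n in range(200):                 # busy, but not asking for wpad
        lines.append(fmt % (48, n, "192.0.2.30", 42000 + n, "www.jmu.edu"))
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, (peak, secs) in sorted(wpad_offenders(SAMPLE_LOG).items()):
        print(f"{ip}: peak {peak} wpad queries/s, over threshold for {secs} s")
```

Run against SAMPLE_LOG it reports only 192.0.2.10; the client that is chatty for www.jmu.edu and the client that asks for wpad once or twice are left alone. Requiring the threshold to hold for several distinct seconds, rather than a single burst, is what separates the stuck client described above from a lab of machines all booting at once.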

