Educause Security Discussion mailing list archives

Re: WPAD DNS floods


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 16 Jan 2008 13:25:48 -0500

Jeff Kell wrote:
Gary Flynn wrote:

Anyone seen floods to wpad.university.edu and tracked
the problem down? We've seen it intermittently in the
past but not to a significant degree but we just experienced
substantial performance impact on our DNS servers from one
student machine. We've got the machine in hand and are
investigating but I thought I'd ask.

Yes, that's Windows Proxy Automatic Detection.  If you have a captive
portal type of application, it will likewise be flooded with requests to
GET wpad.dat.

Vista must die :-)


But why would a client repeatedly try hundreds of times per second
for half an hour or more to resolve wpad.jmu.edu if it didn't get
an answer the first time?

Unfortunately, we haven't been able to reproduce the problem yet
since we've obtained the culprit computer.

We do not run any web proxies except in the library and do not,
to my knowledge, have any WPAD implementations though I'm
thinking strongly about dummying some up along with some
ISATAP ones.





--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
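
The flood described in this thread (one client repeating wpad lookups hundreds of times per second) can be spotted from DNS query logs. The following is an added example, not part of the original message; the log format, addresses, thresholds and function names are constructed assumptions, not the output of any particular DNS server.

```python
from collections import defaultdict

def make_sample_log():
    """Constructed sample: '<epoch_seconds> <client_ip> <qname> <qtype>' per line."""
    lines = []
    # Misbehaving client: 300 wpad lookups per second for 5 seconds.
    for sec in range(5):
        lines += [f"{1000 + sec} 192.0.2.10 wpad.university.edu A"] * 300
    # Normal client: a single wpad probe followed by ordinary lookups.
    lines.append("1000 192.0.2.20 wpad.university.edu A")
    lines += ["1001 192.0.2.20 www.university.edu A"] * 400
    # Client with a one-second burst only (below the sustained-duration bar).
    lines += ["1002 192.0.2.30 WPAD.university.edu. A"] * 150
    lines.append("garbled line that should be skipped")
    return lines

def is_wpad_name(qname):
    # WPAD discovery queries use "wpad" as the left-most label of the name.
    return qname.lower().rstrip(".").split(".")[0] == "wpad"

def find_wpad_flooders(lines, threshold_qps=100, min_seconds=3):
    """Return {client: (seconds_at_or_over_threshold, peak_qps)} for clients
    whose wpad query rate meets threshold_qps in at least min_seconds seconds."""
    per_second = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed entries rather than abort the scan
        ts, client, qname, _qtype = parts
        if is_wpad_name(qname):
            per_second[client][int(ts)] += 1
    flooders = {}
    for client, buckets in per_second.items():
        hot = [n for n in buckets.values() if n >= threshold_qps]
        if len(hot) >= min_seconds:
            flooders[client] = (len(hot), max(buckets.values()))
    return flooders

if __name__ == "__main__":
    for client, (secs, peak) in find_wpad_flooders(make_sample_log()).items():
        print(f"{client}: {secs}s at or above threshold, peak {peak} qps")
```
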
