Re: WPAD DNS floods

[Gary Flynn <flynngn () JMU EDU>]

Dan Peterson wrote:
> Not sure if this will help or not:
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci12847
> 64,00.html

I saw that. Reading only the MS KB article, it seems that a U.S.
university.edu domain would not be vulnerable. However, another MS
article I saw indicates that if a computer is set up with the netbios
name "wpad" ( or isatap for that matter ) it may register itself in
a dynamic dns architecture. That does not seem to be the case
causing the problem here but we're still checking.

"Unfortunately, you cannot secure this automatic discovery process.
 Any computer that is registered in a DNS zone with the name wpad
 can provide a WPAD configuration to clients on the network, even
 if the file contains settings that cause the clients to use a fake
 proxy server, for example, to divert the client's Web browser to
 counterfeit Web sites. The dynamic update feature of DNS makes it
 possible for a malicious user to accomplish this without requiring
 the intervention of a DNS system administrator simply by giving a
 computer the name wpad and then connecting it to the network. As
 long as there is no other computer in the zone with the same name,
 the computer of the malicious user can register its name with the
 DNS server that is authoritative for its zone and thereby direct
 all WPAD queries to itself."

MS document:
( Google cached HTML Word doc from download.microsoft.com )
http://209.85.165.104/search?q=cache:MfWrw4hmVe8J:download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%2520Query_Block%2520List.doc+wpad+queries+dns+server&hl=en&ct=clnk&cd=1&gl=us



> " Tim Rains of the Microsoft Security Response Center communications team
> said in an email late Monday that the software giant is investigating new
> public reports of a vulnerability in how Windows resolves hostnames that do
> not include a fully-qualified domain name (FQDN). He said the specific
> technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program."
>
> " Microsoft Security Advisory 945713 suggests users mitigate the threat by
> creating a WPAD.DAT proxy auto configuration file on a host-named WPAD to
> direct Web browsers to the organization's proxy; disabling the automatic
> detection settings in Internet Explorer; disabling DNS devolution; and
> configuring a domain suffix search list."
>
> This is the link referred to above:
> http://www.microsoft.com/technet/security/advisory/945713.mspx
>
>
> Hope this helps,
> --
> Dan
>
>
> > -----Original Message-----
> > From: Gary Flynn [mailto:flynngn () JMU EDU]
> > Sent: Wednesday, January 16, 2008 10:26 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] WPAD DNS floods
> >
> > Jeff Kell wrote:
> > > Gary Flynn wrote:
> > > > Anyone seen floods to wpad.university.edu and tracked
> > > > the problem down? We've seen it intermittently in the
> > > > past but not to a significant degree but we just experienced
> > > > substantial performance impact on our DNS servers from one
> > > > student machine. We've got the machine in hand and are
> > > > investigating but I thought I'd ask.
> > > Yes, that's Windows Proxy Automatic Detection.  If you have a captive
> > > portal type of application, it will likewise be flooded with requests
> > to
> > > GET wpad.dat.
> > >
> > > Vista must die :-)
> >
> > But why would a client repeatedly try hundreds of times per second
> > for half an hour or more to resolve wpad.jmu.edu if it didn't get
> > an answer the first time?
> >
> > Unfortunately, we haven't been able to reproduce the problem yet
> > since we've obtained the culprit computer.
> >
> > We do not run any web proxies except in the library and do not,
> > to my knowledge, have any WPAD implementations though I'm
> > thinking strongly about dummying some up along with some
> > ISATAP ones.
> >
> >
> >
> >
> >
> > --
> > Gary Flynn
> > Security Engineer
> > James Madison University
> > www.jmu.edu/computing/security


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature