Educause Security Discussion mailing list archives
Re: WPAD DNS floods
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 16 Jan 2008 13:59:21 -0500
Dan Peterson wrote:

> Not sure if this will help or not:
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1284764,00.html

I saw that. Reading only the MS KB article, it seems that a U.S. university.edu domain would not be vulnerable. However, another MS article I saw indicates that if a computer is set up with the netbios name "wpad" (or isatap for that matter) it may register itself in a dynamic dns architecture. That does not seem to be the case causing the problem here but we're still checking.

"Unfortunately, you cannot secure this automatic discovery process. Any computer that is registered in a DNS zone with the name wpad can provide a WPAD configuration to clients on the network, even if the file contains settings that cause the clients to use a fake proxy server, for example, to divert the client's Web browser to counterfeit Web sites. The dynamic update feature of DNS makes it possible for a malicious user to accomplish this without requiring the intervention of a DNS system administrator simply by giving a computer the name wpad and then connecting it to the network. As long as there is no other computer in the zone with the same name, the computer of the malicious user can register its name with the DNS server that is authoritative for its zone and thereby direct all WPAD queries to itself."

MS document (Google cached HTML Word doc from download.microsoft.com):
http://209.85.165.104/search?q=cache:MfWrw4hmVe8J:download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%2520Query_Block%2520List.doc+wpad+queries+dns+server&hl=en&ct=clnk&cd=1&gl=us

> "Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program."
>
> "Microsoft Security Advisory 945713 suggests users mitigate the threat by creating a WPAD.DAT proxy auto configuration file on a host named WPAD to direct Web browsers to the organization's proxy; disabling the automatic detection settings in Internet Explorer; disabling DNS devolution; and configuring a domain suffix search list."
>
> This is the link referred to above:
> http://www.microsoft.com/technet/security/advisory/945713.mspx
>
> Hope this helps,
> -- Dan
>
> -----Original Message-----
> From: Gary Flynn [mailto:flynngn () JMU EDU]
> Sent: Wednesday, January 16, 2008 10:26 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] WPAD DNS floods
>
> Jeff Kell wrote:
>> Gary Flynn wrote:
>>> Anyone seen floods to wpad.university.edu and tracked the problem down? We've seen it intermittently in the past but not to a significant degree but we just experienced substantial performance impact on our DNS servers from one student machine. We've got the machine in hand and are investigating but I thought I'd ask.
>>
>> Yes, that's Windows Proxy Automatic Detection. If you have a captive portal type of application, it will likewise be flooded with requests to GET wpad.dat. Vista must die :-)
>
> But why would a client repeatedly try hundreds of times per second for half an hour or more to resolve wpad.jmu.edu if it didn't get an answer the first time? Unfortunately, we haven't been able to reproduce the problem yet since we've obtained the culprit computer.
>
> We do not run any web proxies except in the library and do not, to my knowledge, have any WPAD implementations though I'm thinking strongly about dummying some up along with some ISATAP ones.
>
> -- Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security

-- Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
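The thread describes two things a DNS operator would want to spot from the server side: a single client hammering the resolver with wpad lookups (the flood Gary reports), and clients whose suffix devolution carries the "wpad" name out of zones the organisation controls (the exposure the advisory quoted by Dan is about). The following is an added example, not code from the list or from Microsoft: a small Python detector run over a constructed BIND-style query log. The log lines, the client addresses (192.0.2.0/24 documentation range), the zone name example.edu and the 50-queries-per-second threshold are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of a BIND 9 query log. None of this is real
# traffic: addresses come from the 192.0.2.0/24 documentation range and the
# zone example.edu stands in for an organisation's own domain.
def build_sample_log():
    lines = []
    # Client A: 200 lookups of the same wpad name inside one second (a flood).
    for i in range(200):
        lines.append(f"16-Jan-2008 10:05:01.{i:03d} client 192.0.2.10#{51000 + i}: "
                     "query: wpad.example.edu IN A +")
    # Client B: an ordinary devolution walk that stays inside the organisation.
    lines.append("16-Jan-2008 10:05:02.100 client 192.0.2.20#52000: query: wpad.cs.example.edu IN A +")
    lines.append("16-Jan-2008 10:05:02.200 client 192.0.2.20#52001: query: wpad.example.edu IN A +")
    # Client C: devolves one label too far and asks for wpad in a zone we do not run.
    lines.append("16-Jan-2008 10:05:03.100 client 192.0.2.30#53000: query: wpad.cs.example.edu IN A +")
    lines.append("16-Jan-2008 10:05:03.200 client 192.0.2.30#53001: query: wpad.example.edu IN A +")
    lines.append("16-Jan-2008 10:05:03.300 client 192.0.2.30#53002: query: wpad.edu IN A +")
    # Unrelated traffic that the detector must ignore.
    lines.append("16-Jan-2008 10:05:03.400 client 192.0.2.40#54000: query: www.example.edu IN A +")
    return "\n".join(lines)

# Matches the timestamp, client address, queried name and type of a query-log line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Turn query-log text into a list of records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append({
            "ts": ts,
            "ip": m["ip"],
            "qname": m["qname"].lower().rstrip("."),
            "qtype": m["qtype"],
        })
    return records

def is_wpad_name(qname):
    # The auto-discovery name is always the leftmost label "wpad".
    return qname == "wpad" or qname.startswith("wpad.")

def wpad_flood_clients(records, per_second_threshold=50):
    """Clients whose peak rate of wpad lookups in any one second reaches the threshold."""
    per_second = defaultdict(int)
    for r in records:
        if is_wpad_name(r["qname"]):
            per_second[(r["ip"], r["ts"].replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (ip, _second), count in per_second.items():
        peak[ip] = max(peak[ip], count)
    return {ip: n for ip, n in peak.items() if n >= per_second_threshold}

def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)

def wpad_names_outside_zones(records, org_zones):
    """Clients that asked for a wpad name in a zone the organisation does not control."""
    findings = defaultdict(set)
    for r in records:
        q = r["qname"]
        if is_wpad_name(q) and not any(in_zone(q, z) for z in org_zones):
            findings[r["ip"]].add(q)
    return dict(findings)

if __name__ == "__main__":
    recs = parse_query_log(build_sample_log())
    print("flooding clients:", wpad_flood_clients(recs))
    print("devolved outside our zones:", wpad_names_outside_zones(recs, ["example.edu"]))
```

The two checks are deliberately separate: the flood detector is a per-client rate signal that points at a broken or misconfigured host to pull off the network, while the out-of-zone check is a policy signal that tells the operator which clients would accept a wpad answer from a zone they do not administer, which is the case the advisory's suffix-search-list and devolution settings are meant to close.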
Current thread:
- WPAD DNS floods Gary Flynn (Jan 16)
- <Possible follow-ups>
- Re: WPAD DNS floods Jeff Kell (Jan 16)
- Re: WPAD DNS floods Gary Flynn (Jan 16)
- Re: WPAD DNS floods Valdis Kletnieks (Jan 16)
- Re: WPAD DNS floods Valdis Kletnieks (Jan 16)
- Re: WPAD DNS floods Dan Peterson (Jan 16)
- Re: WPAD DNS floods Gary Flynn (Jan 16)
- Re: WPAD DNS floods Brad Judy (Jan 16)
- Re: WPAD DNS floods Brad Judy (Jan 16)
- Re: WPAD DNS floods Brad Judy (Jan 16)
- Re: WPAD DNS floods Gary Flynn (Jan 16)
- Re: WPAD DNS floods Doug Pearson (Jan 16)