Educause Security Discussion mailing list archives

Re: WPAD DNS floods


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 16 Jan 2008 13:43:29 -0700

The MAT sent a request to this list a few weeks ago asking for feedback
from schools on the WPAD topic because we were asked by MS to
investigate the impact in higher ed.  We only received three replies and
passed the information along to MS.  

This is the first I've heard of a single machine producing that many
WPAD requests, which makes me suspect that it somehow got caught in a
loop.  MS might be interested in more details in this instance.  If they
are, would you like us to put them in contact with you?

In general, campuses may see a lot of WPAD.school.edu requests from
their networks and if you don't have some mechanism of host name
approval that would prevent someone from registering that name, you
should consider adding some sort of block to using that hostname.  

Brad Judy

REN-ISAC MAT

IT Security Office
University of Colorado at Boulder
 

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Wednesday, January 16, 2008 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WPAD DNS floods


Hi,

Anyone seen floods to wpad.university.edu and tracked the 
problem down? We've seen it intermittently in the past but 
not to a significant degree but we just experienced 
substantial performance impact on our DNS servers from one 
student machine. We've got the machine in hand and are 
investigating but I thought I'd ask.

Coincidentally, it's a Vista machine, which reminds me of the 
isatap.university.edu floods reported in the past.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
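
An added example, not part of either message above: one way to find which clients are producing floods of `wpad` (or `isatap`) lookups by counting queries per client per minute in resolver query logs. The log layout is an assumption modelled on BIND 9 query logging, and the addresses, sample lines and threshold are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed log layout (modelled on BIND 9 query logging); adapt the regex to your resolver.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)
WATCHED_LABELS = {"wpad", "isatap"}  # auto-discovery host names mentioned in the thread


def flood_sources(lines, threshold):
    """Return {(client_ip, minute, label): count} for buckets at or above threshold."""
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query record
        label = m["name"].rstrip(".").split(".")[0].lower()
        if label not in WATCHED_LABELS:
            continue
        minute = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").strftime("%Y-%m-%d %H:%M")
        buckets[(m["ip"], minute, label)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}


def build_sample():
    """Constructed sample log: one noisy client, one normal client, one junk line."""
    noisy = "16-Jan-2008 11:02:{:02d}.000 client 10.20.30.40#{}: query: wpad.university.edu IN A +"
    lines = [noisy.format(i % 60, 40000 + i) for i in range(300)]
    lines += [
        "16-Jan-2008 11:02:05.000 client 10.20.30.41#50001: query: wpad.university.edu IN A +",
        "16-Jan-2008 11:02:06.000 client 10.20.30.41#50002: query: www.university.edu IN A +",
        "16-Jan-2008 11:02:07.000 client 10.20.30.40#50003: query: WPAD.University.EDU. IN A +",
        "named[123]: unrelated log line",
    ]
    return lines


if __name__ == "__main__":
    for (ip, minute, label), n in sorted(flood_sources(build_sample(), 100).items()):
        print(f"{minute} {ip} {label}: {n} queries")
```

Occasional `wpad` lookups are normal proxy auto-discovery traffic, so the threshold should sit well above what ordinary clients on the network generate.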

