Re: WPAD DNS floods

[Brad Judy <Brad.Judy () COLORADO EDU>]

The WPAD vulnerabilities are related to where a system looks for a WPAD
record, particularly if and how far it traverses a DNS hierarchy looking
for one.  

The notable example involved the owner of the domain wpad.co.uk who
received tons of WPAD requests from clients that were in company.co.uk,
had looked for wpad.company.co.uk and failing to find something, had
checked at wpad.co.uk.  This is because the original implementation
neglected to take two-part TLD's into account.  I knew not to look for
wpad.TLD, but assumed the TLD was uk and not co.uk.  

There have been multiple WPAD fixes and it isn't entirely clear to me
what behavior was changed in each fix.

Brad Judy 

> -----Original Message-----
> From: Dan Peterson [mailto:drpeterson () es net] 
> Sent: Wednesday, January 16, 2008 11:40 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] WPAD DNS floods
>
> Not sure if this will help or not:
> http://searchsecurity.techtarget.com/originalContent/0,289142,
> sid14_gci12847
> 64,00.html
>
> " Tim Rains of the Microsoft Security Response Center 
> communications team said in an email late Monday that the 
> software giant is investigating new public reports of a 
> vulnerability in how Windows resolves hostnames that do not 
> include a fully-qualified domain name (FQDN). He said the 
> specific technology affected is Windows' Web Proxy 
> Auto-Discovery (WPAD) program."
>
> " Microsoft Security Advisory 945713 suggests users mitigate 
> the threat by creating a WPAD.DAT proxy auto configuration 
> file on a host-named WPAD to direct Web browsers to the 
> organization's proxy; disabling the automatic detection 
> settings in Internet Explorer; disabling DNS devolution; and 
> configuring a domain suffix search list."
>
> This is the link referred to above:
> http://www.microsoft.com/technet/security/advisory/945713.mspx
>
>
> Hope this helps,
> --
> Dan
>
>
> > -----Original Message-----
> > From: Gary Flynn [mailto:flynngn () JMU EDU]
> > Sent: Wednesday, January 16, 2008 10:26 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] WPAD DNS floods
> >
> > Jeff Kell wrote:
> > > Gary Flynn wrote:
> > > > Anyone seen floods to wpad.university.edu and tracked 
> the problem 
> > > > down? We've seen it intermittently in the past but not to a 
> > > > significant degree but we just experienced substantial 
> performance 
> > > > impact on our DNS servers from one student machine. 
> We've got the 
> > > > machine in hand and are investigating but I thought I'd ask.
> > >
> > > Yes, that's Windows Proxy Automatic Detection.  If you have a 
> > > captive portal type of application, it will likewise be 
> flooded with 
> > > requests
> > to
> > > GET wpad.dat.
> > >
> > > Vista must die :-)
> >
> >
> > But why would a client repeatedly try hundreds of times per 
> second for 
> > half an hour or more to resolve wpad.jmu.edu if it didn't get an 
> > answer the first time?
> >
> > Unfortunately, we haven't been able to reproduce the 
> problem yet since 
> > we've obtained the culprit computer.
> >
> > We do not run any web proxies except in the library and do 
> not, to my 
> > knowledge, have any WPAD implementations though I'm 
> thinking strongly 
> > about dummying some up along with some ISATAP ones.
> >
> >
> >
> >
> >
> > --
> > Gary Flynn
> > Security Engineer
> > James Madison University
> > www.jmu.edu/computing/security