Educause Security Discussion mailing list archives
Re: WPAD DNS floods
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 16 Jan 2008 13:52:34 -0700
The WPAD vulnerabilities are related to where a system looks for a WPAD record, particularly if and how far it traverses a DNS hierarchy looking for one. The notable example involved the owner of the domain wpad.co.uk, who received tons of WPAD requests from clients that were in company.co.uk, had looked for wpad.company.co.uk and, failing to find something, had checked at wpad.co.uk. This is because the original implementation neglected to take two-part TLDs into account. It knew not to look for wpad.TLD, but assumed the TLD was uk and not co.uk. There have been multiple WPAD fixes and it isn't entirely clear to me what behavior was changed in each fix.

Brad Judy
-----Original Message-----
From: Dan Peterson [mailto:drpeterson () es net]
Sent: Wednesday, January 16, 2008 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] WPAD DNS floods

Not sure if this will help or not:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1284764,00.html

"Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program."

"Microsoft Security Advisory 945713 suggests users mitigate the threat by creating a WPAD.DAT proxy auto configuration file on a host named WPAD to direct Web browsers to the organization's proxy; disabling the automatic detection settings in Internet Explorer; disabling DNS devolution; and configuring a domain suffix search list."

This is the link referred to above:
http://www.microsoft.com/technet/security/advisory/945713.mspx

Hope this helps,
-- Dan

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 16, 2008 10:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] WPAD DNS floods

Jeff Kell wrote:
> Gary Flynn wrote:
> > Anyone seen floods to wpad.university.edu and tracked the problem down? We've seen it intermittently in the past but not to a significant degree, but we just experienced substantial performance impact on our DNS servers from one student machine. We've got the machine in hand and are investigating but I thought I'd ask.
>
> Yes, that's Windows Proxy Automatic Detection. If you have a captive portal type of application, it will likewise be flooded with requests to GET wpad.dat.
>
> Vista must die :-)

But why would a client repeatedly try hundreds of times per second for half an hour or more to resolve wpad.jmu.edu if it didn't get an answer the first time?

Unfortunately, we haven't been able to reproduce the problem yet since we've obtained the culprit computer.

We do not run any web proxies except in the library and do not, to my knowledge, have any WPAD implementations, though I'm thinking strongly about dummying some up along with some ISATAP ones.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
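The devolution behaviour Brad describes above, modelled as an added example (this is not code from any poster or from Microsoft; the real client logic is not shown on this page). The naive walk strips one label at a time and stops only when a single label is left, so it treats "uk" as the TLD and queries wpad.co.uk; the bounded walk also stops at a registry-controlled suffix. The public-suffix set is a constructed subset and cs.university.edu is an assumed example suffix; company.co.uk is the case from the post.

```python
"""Model of WPAD host-name devolution: original vs. suffix-aware behaviour.

Added example, not code from the thread. PUBLIC_SUFFIXES is a constructed
subset of registry-controlled suffixes (assumption); a real implementation
would use the Public Suffix List or the organisation's own DNS boundary.
"""

PUBLIC_SUFFIXES = {"uk", "co.uk", "ac.uk", "edu", "com", "net"}  # constructed


def _labels(suffix: str) -> list[str]:
    """Split a primary DNS suffix into its labels, normalised."""
    return [l for l in suffix.lower().strip(".").split(".") if l]


def naive_devolution(suffix: str) -> list[str]:
    """Original behaviour as described in the post: query wpad.<suffix>, then
    strip the leftmost label and repeat, stopping only when one label (assumed
    to be the TLD) remains. A two-part TLD such as co.uk is not recognised, so
    for company.co.uk the last candidate is wpad.co.uk, outside the organisation."""
    labels = _labels(suffix)
    candidates = []
    while len(labels) > 1:
        candidates.append("wpad." + ".".join(labels))
        labels.pop(0)
    return candidates


def bounded_devolution(suffix: str, public_suffixes: set[str]) -> list[str]:
    """Suffix-aware behaviour: stop before the remaining suffix is a public
    (registry-controlled) suffix, and still never query wpad.<single label>."""
    labels = _labels(suffix)
    candidates = []
    while len(labels) > 1 and ".".join(labels) not in public_suffixes:
        candidates.append("wpad." + ".".join(labels))
        labels.pop(0)
    return candidates


def leaked_queries(suffix: str, public_suffixes: set[str]) -> list[str]:
    """Candidates the naive walk would send to a name nobody in the
    organisation controls, i.e. wpad.<public suffix>."""
    return [
        name for name in naive_devolution(suffix)
        if name[len("wpad."):] in public_suffixes
    ]


if __name__ == "__main__":
    # company.co.uk is the case from the post; cs.university.edu is assumed.
    for s in ("company.co.uk", "cs.university.edu"):
        print(s)
        print("  naive:  ", naive_devolution(s))
        print("  bounded:", bounded_devolution(s, PUBLIC_SUFFIXES))
        print("  leaked: ", leaked_queries(s, PUBLIC_SUFFIXES))
```

The practical check this suggests: for every primary DNS suffix and search-list entry your clients are given, list the names the naive walk produces and confirm each one is either a zone you control (ideally with a real WPAD record, as the advisory quoted above recommends) or is cut off by devolution settings before it leaves your namespace.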
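For the flood Gary describes (one machine resolving wpad.jmu.edu hundreds of times per second), a resolver-side detector over query logs picks out the offending client. This is an added example, not something from the thread: it assumes a BIND 9 style query-log line (timestamp, client IP#port, qname, class, type), which may differ from your resolver's format, and the log lines are constructed in the block itself; the IP addresses, port and thresholds are invented.

```python
"""Flag clients sending wpad.* queries at flood rates, from resolver query logs.

Added example, not code from the thread. The log format is an assumption
(BIND 9 query log); adjust LOG_RE for your resolver. Sample lines below are
constructed, with invented client addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 query-log shape:
# 16-Jan-2008 10:20:01.123 client 10.1.2.3#51234: query: wpad.jmu.edu IN A + (10.0.0.1)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line: str):
    """Return (timestamp, client_ip, qname) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"].lower().rstrip(".")


def is_wpad_name(qname: str) -> bool:
    """True for the bare name 'wpad' and any wpad.<suffix> devolution candidate."""
    return qname == "wpad" or qname.startswith("wpad.")


def wpad_flooders(lines, min_queries: int = 50, min_qps: float = 20.0) -> dict:
    """Group wpad.* queries by client and flag clients whose query rate over
    their own first-to-last span (floored at one second) exceeds min_qps."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if is_wpad_name(qname):
            per_client[ip].append(ts)

    flagged = {}
    for ip, stamps in per_client.items():
        if len(stamps) < min_queries:
            continue
        span = (max(stamps) - min(stamps)).total_seconds()
        qps = len(stamps) / max(span, 1.0)
        if qps >= min_qps:
            flagged[ip] = {"queries": len(stamps), "qps": round(qps, 1)}
    return flagged


def _fmt(ts: datetime) -> str:
    return ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]  # millisecond precision


def sample_log() -> list[str]:
    """Constructed log: one host (10.1.2.3) sends 300 wpad queries in under a
    second; 10.1.2.4 sends 60 spread over ten minutes; 10.1.2.5 sends a few
    ordinary queries. Addresses and port are invented."""
    base = datetime(2008, 1, 16, 10, 20, 1)
    lines = []
    for i in range(300):
        lines.append(f"{_fmt(base + timedelta(milliseconds=3 * i))} client 10.1.2.3#51234: "
                     f"query: wpad.jmu.edu IN A + (10.0.0.1)")
    for i in range(60):
        lines.append(f"{_fmt(base + timedelta(seconds=10 * i))} client 10.1.2.4#40000: "
                     f"query: wpad.jmu.edu IN A + (10.0.0.1)")
    lines.append(f"{_fmt(base)} client 10.1.2.5#40001: query: www.jmu.edu IN A + (10.0.0.1)")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, stats in wpad_flooders(sample_log()).items():
        print(f"{ip}: {stats['queries']} wpad queries at ~{stats['qps']} qps")
```

Rate over the client's own span, rather than over the whole file, keeps a long-running but slow retry loop (60 queries in ten minutes) below the threshold while a burst of 300 queries in one second is flagged; tune min_qps against what your own clients do during a normal WPAD lookup.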