Educause Security Discussion mailing list archives

Re: WPAD DNS floods


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 16 Jan 2008 15:54:51 -0500

Brad Judy wrote:
The MAT sent a request to this list a few weeks ago asking for feedback
from schools on the WPAD topic because we were asked by MS to
investigate the impact in higher ed.  We only received three replies and
passed the information along to MS.

I seem to recall a recent request for information about ISATAP
traffic issues but I don't remember seeing one for WPAD but I
may simply have skimmed over the request without it registering.

This is the first I've heard of a single machine producing that many
WPAD requests, which makes me suspect that it somehow got caught in a
loop.  MS might be interested in more details in this instance.  If they
are, would you like us to put them in contact with you?

In general, campuses may see a lot of WPAD.school.edu requests from
their networks and if you don't have some mechanism of host name
approval that would prevent someone from registering that name, you
should consider adding some sort of block to using that hostname.

We're doing that.

We couldn't reproduce the symptoms once we got the laptop. While
we were troubleshooting by phone, we found the requests were being
generated by one of the svchost processes. When we brought the
laptop into the office, we saw the Internet Connection Sharing
svchost subprocess issuing WPAD DNS requests, though not excessively.
We also saw the ICS process issuing duplicate DNS requests for
names typed into applications.

The student said she had been "messing with a lot of settings"
over the holiday break at home trying to get a wireless router
to work, which may have resulted in ICS being enabled. I believe
it is disabled by default.

We can't find anything that would explain ICS issuing all those
DNS requests. We're going to disable ICS, give it back to the
student, and see what happens. We noticed another student computer
issuing a large number of WPAD DNS requests and we're trying to
contact them to see if they have ICS enabled and if they're using
Vista.



Brad Judy

REN-ISAC MAT

IT Security Office
University of Colorado at Boulder


-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 16, 2008 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WPAD DNS floods


Hi,

Anyone seen floods to wpad.university.edu and tracked the
problem down? We've seen it intermittently in the past but
not to a significant degree but we just experienced
substantial performance impact on our DNS servers from one
student machine. We've got the machine in hand and are
investigating but I thought I'd ask.

Coincidentally, it's a Vista machine, which reminds me of the
isatap.university.edu floods reported in the past.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
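Detection logic of the kind a campus DNS team could run over resolver query logs to spot a single host looping on WPAD lookups, as an added example that is not part of the thread above. It assumes BIND-style query-log lines in chronological order; the hosts, names and addresses in the sample are constructed, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches BIND 9 query-log lines; timestamp, client address and query name are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN "
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

def is_wpad_query(qname):
    """True for wpad.<domain> names, the name a WPAD auto-discovery lookup asks for."""
    return qname.lower().startswith("wpad.")

def find_wpad_floods(lines, threshold=50, window_seconds=60):
    """Return {client: peak_count} for clients that issue more than `threshold`
    WPAD queries inside any sliding window of `window_seconds` (lines must be time-ordered)."""
    recent, peaks = defaultdict(deque), {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_wpad_query(m["qname"]):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["client"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop queries that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[m["client"]] = max(peaks.get(m["client"], 0), len(q))
    return peaks

def build_sample_log():
    """Constructed sample: 192.0.2.42 loops on WPAD lookups, 198.51.100.7 behaves normally."""
    base = datetime(2008, 1, 16, 10, 59, 0)
    stamp = lambda d: (base + d).strftime(TS_FMT)[:-3]   # trim microseconds to milliseconds
    lines = [f"{stamp(timedelta(milliseconds=250 * i))} client 192.0.2.42#51222: "
             f"query: wpad.university.edu IN A + (192.0.2.1)" for i in range(120)]
    for i in range(3):
        lines.append(f"{stamp(timedelta(seconds=10 * i))} client 198.51.100.7#40112: "
                     f"query: WPAD.university.edu IN A + (192.0.2.1)")
        lines.append(f"{stamp(timedelta(seconds=10 * i))} client 198.51.100.7#40113: "
                     f"query: www.university.edu IN A + (192.0.2.1)")
    return sorted(lines)   # fixed-width timestamps sort chronologically as strings

if __name__ == "__main__":
    for client, peak in find_wpad_floods(build_sample_log()).items():
        print(f"{client}: {peak} WPAD queries within one window")
```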
