Educause Security Discussion mailing list archives
Re: WPAD DNS floods
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 16 Jan 2008 15:54:51 -0500
Brad Judy wrote:
The MAT sent a request to this list a few weeks ago asking for feedback from schools on the WPAD topic because we were asked by MS to investigate the impact in higher ed. We only received three replies and passed the information along to MS.
I seem to recall a recent request for information about ISATAP traffic issues but I don't remember seeing one for WPAD but I may simply have skimmed over the request without it registering.
This is the first I've heard of a single machine producing that many WPAD requests, which makes me suspect that it somehow got caught in a loop. MS might be interested in more details in this instance. If they are, would you like us to put them in contact with you? In general, campuses may see a lot of WPAD.school.edu requests from their networks and if you don't have some mechanism of host name approval that would prevent someone from registering that name, you should consider adding some sort of block to using that hostname.
We're doing that. We couldn't reproduce the symptoms once we got the laptop. While we were troubleshooting by phone, we found the requests were being generated by one of the svchost processes. When we brought the laptop into the office, we saw the Internet Connection Sharing svchost subprocess issuing WPAD DNS requests, though not excessively. We also saw the ICS process issuing duplicate DNS requests for names typed into applications. The student said she had been "messing with a lot of settings" over the holiday break at home trying to get a wireless router to work, which may have resulted in ICS being enabled. I believe it is disabled by default. We can't find anything that would explain ICS issuing all those DNS requests. We're going to disable ICS, give it back to the student, and see what happens. We noticed another student computer issuing a large number of WPAD DNS requests and we're trying to contact them to see if they have ICS enabled and if they're using Vista.

Brad Judy
REN-ISAC MAT
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 16, 2008 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WPAD DNS floods

Hi,

Anyone seen floods to wpad.university.edu and tracked the problem down? We've seen it intermittently in the past but not to a significant degree, but we just experienced substantial performance impact on our DNS servers from one student machine. We've got the machine in hand and are investigating, but I thought I'd ask. Coincidentally, it's a Vista machine, which reminds me of the isatap.university.edu floods reported in the past.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
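One way to spot, from the resolver side, the situation this thread describes (a single host hammering wpad.<domain>, plus a process issuing the same query twice in quick succession), as an added example that is not part of this thread and not written by any of its authors: a small Python script that parses BIND-style query-log lines, flags sources that exceed a threshold of wpad.<domain> queries inside a sliding time window, and separately counts back-to-back duplicate queries per source and name. The log format, the domain university.edu, the window and the threshold are assumptions for the demo, and the sample log lines are constructed, not captured from any real server; adjust the regex to your own server's query-log format.

```python
"""
Added example (not from the original thread): find hosts flooding
wpad.<domain> DNS queries, and hosts repeating identical queries, in a
BIND-style query log.

Assumptions (constructed for this demo, not taken from the message):
  - Lines follow BIND's `queries` channel format, e.g.
      16-Jan-2008 11:02:03.117 client 10.1.2.3#50000: query: wpad.university.edu IN A +
  - The domain, window size, threshold and all sample lines are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source IP, qname, qtype) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def wpad_floods(lines, domain, window=timedelta(seconds=60), threshold=100):
    """Return {src: peak_count} for sources that issued at least `threshold`
    queries for wpad.<domain> within any sliding `window`."""
    target = f"wpad.{domain}".lower()
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[2] == target:
            per_src[rec[1]].append(rec[0])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # two-pointer sliding window
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def duplicate_queries(lines, within=timedelta(seconds=1)):
    """Return {(src, qname, qtype): n} counting queries that repeat an identical
    query from the same source within `within` of the previous one."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r[0])
    last, dups = {}, Counter()
    for ts, src, qname, qtype in records:
        key = (src, qname, qtype)
        prev = last.get(key)
        if prev is not None and ts - prev <= within:
            dups[key] += 1
        last[key] = ts
    return dict(dups)


def _build_sample_log():
    """Constructed sample log for the demo (not captured from a real server)."""
    base = datetime(2008, 1, 16, 11, 2, 3)

    def line(ts, src, port, qname, qtype="A"):
        stamp = ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]   # trim to milliseconds
        return f"{stamp} client {src}#{port}: query: {qname} IN {qtype} +"

    lines = []
    # One host hammering wpad: 150 queries in 30 seconds.
    for i in range(150):
        lines.append(line(base + timedelta(milliseconds=200 * i), "10.1.2.3",
                          50000 + i, "wpad.university.edu"))
    # A normal host: a few wpad queries spread out, plus one quick repeat of another name.
    for i in range(5):
        lines.append(line(base + timedelta(seconds=20 * i), "10.1.2.4",
                          40000 + i, "wpad.university.edu"))
    lines.append(line(base + timedelta(seconds=5), "10.1.2.4", 40100, "www.university.edu"))
    lines.append(line(base + timedelta(seconds=5, milliseconds=300), "10.1.2.4",
                      40101, "www.university.edu"))
    lines.append("some unrelated log line")   # exercises the non-query path
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, n in wpad_floods(SAMPLE_LOG, "university.edu").items():
        print(f"wpad flood: {src} peaked at {n} queries in a 60 s window")
    for (src, qname, qtype), n in duplicate_queries(SAMPLE_LOG).items():
        print(f"duplicates: {src} repeated {qname}/{qtype} {n} time(s) within 1 s")
```

Run against a real query log, the flood check gives you the offending client address (and a before/after baseline if you take Brad's advice and reserve the wpad name so nobody else can register it), while the duplicate check singles out hosts whose resolver stub, here the ICS service, is asking the same question twice.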