A number of times we have seen windows vista hosts on our Network "Attack" our DNS service.
Most of these events seem to involve a pair of machines sending large numbers of data packets on dest port 53 > 4,000 per second to both the primary and secondary DNS servers. Note the port is limited to10mbps... I have wondered what would have happened if it was 100/1000!!
Investigations and packet captures have revealed:
- The machines are always vista machines
- The DNS requests are attached to a single process. This appears to be "sharedAccess"
- There appear to be two separate states. Hosts which have been involved seem to send abnormal numbers of DNS requests under "normal" operation (state 1), roughly 10pps. Then, somehow an interatction with another machine (I guess) causes the bombardment .
- The Vista machines seem to be "clean" of virus infection
- Whilst looking at said machines, I have been unable to replicate an "attack event"
Has anyone seen similar and is it reparable in a service pack for vista ?