Vista machine attack on DNS system

A number of times we have seen Windows Vista hosts on our network "attack" our DNS service.

Most of these events seem to involve a pair of machines sending large numbers of data packets to destination port 53 (> 4,000 per second) to both the primary and secondary DNS servers. Note the port is limited to 10 Mbps... I have wondered what would have happened if it was 100/1000!!

Investigations and packet captures have revealed:

- The machines are always Vista machines

- The DNS requests are attached to a single process. This appears to be "sharedAccess"

- There appear to be two separate states. Hosts which have been involved seem to send abnormal numbers of DNS requests under "normal" operation (state 1), roughly 10 pps. Then, somehow an interaction with another machine (I guess) causes the bombardment.

- The Vista machines seem to be "clean" of virus infection

- Whilst looking at said machines, I have been unable to replicate an "attack event"

Has anyone seen similar, and is it repairable in a service pack for Vista?
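As an added example (not code from the original post or from any poster), here is a small detector that applies the two thresholds described in the post to per-packet records: hosts whose peak rate exceeds the 4,000 pps bombardment are flagged "flood", and hosts sitting at the sustained ~10 pps "state 1" are flagged "elevated". The resolver addresses, record format and sample traffic are assumptions constructed for the example.

```python
"""Rate-based detection of DNS query floods from per-packet records.

Added example for the thread above; not code from the original post.
Assumed input: one record per packet, "epoch_seconds src_ip dst_ip dst_port"
(e.g. exported from a capture). Thresholds follow the post: a sustained
~10 pps "state 1" and a >4,000 pps bombardment.
"""
from collections import defaultdict

DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}  # constructed: primary and secondary resolvers
FLOOD_PPS = 4000     # per-second rate the post reports during an attack event
ELEVATED_PPS = 10    # sustained "state 1" rate the post calls abnormal

def per_second_rates(records):
    """Count packets to port 53 on the DNS servers, keyed by (src, whole second)."""
    counts = defaultdict(int)
    for rec in records:
        ts, src, dst, port = rec.split()
        if dst in DNS_SERVERS and port == "53":
            counts[(src, int(float(ts)))] += 1
    return counts

def classify_hosts(records):
    """Return {src: 'flood' | 'elevated' | 'normal'} from each host's peak pps."""
    peak = defaultdict(int)
    for (src, _sec), n in per_second_rates(records).items():
        peak[src] = max(peak[src], n)
    verdict = {}
    for src, pps in peak.items():
        if pps > FLOOD_PPS:
            verdict[src] = "flood"
        elif pps >= ELEVATED_PPS:
            verdict[src] = "elevated"
        else:
            verdict[src] = "normal"
    return verdict

# Constructed sample traffic: one host in "state 1", one flooding, one normal.
SAMPLE = (
    [f"1000.{i:04d} 10.0.5.20 10.0.0.53 53" for i in range(12)]      # 12 pps
    + [f"1001.{i:04d} 10.0.5.21 10.0.1.53 53" for i in range(4500)]  # 4500 pps
    + ["1000.1 10.0.5.22 10.0.0.53 53", "1000.9 10.0.5.22 10.0.0.53 53"]
    + ["1000.5 10.0.5.22 10.0.0.53 80"]  # not DNS: ignored
)

if __name__ == "__main__":
    for host, state in sorted(classify_hosts(SAMPLE).items()):
        print(host, state)  # prints: 10.0.5.20 elevated / 10.0.5.21 flood / 10.0.5.22 normal
```

Feeding real capture exports through `classify_hosts` lets you alert on the pair of hosts the post describes without waiting for the resolvers to saturate.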


You might want to post to the security NG(s).

-- Mr. Arnold

Read this: (link)

This is strange. Maybe the attacker doesn't want to flood any machine or himself (large amount of DNS replies), just perform DNS spoofing "unnoticed"; Vista needs strong hardware. Maybe he is aiming at Vista machines.

What am I guessing? The attacker spoofs DNS requests (choosing Vista machines to receive the replies) and at the same time spoofs replies to your DNS servers, thus poisoning your DNS records, and the Vista DNS cache as well.

Maybe it is a bug like this one: (link)

Are those DNS requests random or for a specific DNS name?

Well, the best option would be to contact MS support.

-- alf