So, my apache server was slow, and I looked in the log files. Turned out they had grown to 12GB of accesses from tons and tons of different hosts trying to access /wpad.dat on one of my Vhosts.
Now, the virtual host in question is the "catch-all" vhost that is invoked when a browser doesn't supply a known hostname.
I am currently getting thousands of requests per minute to "/wpad.dat" and as far as Google can tell me, this is something that has something to do with proxy servers? But I don't use proxy servers, so why am I being literally bombarded by these requests.
I am getting more requests per minute for this non-existant file than I am getting normal requests. So my assumption is that I am under some form of attack. Funny thing is that it generally only occurs at night (here in Sweden) and not during the day.
A sample size of the latest 500 requests (i.e. half a minute) shows that it consists of 200 different hosts, and a small sample of those shows that they are all valid hosts (not TOR proxies) so is this some DNS servers being incorrectly configured? I do run a DNS server on the machine.
Please help! :)
EDIT The host they are accessing is "cluster.atlascms.se" so what they do is access http://cluster.atlascms.se/wpad.dat thousands of times per minute.
Now, cluster.atlascms.se is my DNS failover host. So all my clients point their subdomains to cluster.atlascms.se, which in turn points them to the current IP (master server of failover server).
As it seems - this means I am getting tons and tons of requests to cluster.arlascms.se - could that mean that my DNS is misconfigured?
Machines will look for a WPAD.dat file hierarchically based on their own FQDN, if they are configured for proxy autodiscovery. So, if a windows PC is a member of a domain c.d.e.com, it will look for WPAD.dat in:
Chances are that somewhere, someone has a domain which is a subdomain of one of the ones you are hosting HTTP on, and hasn't properly configured or disabled proxy auto-discovery. In consequence, they are likely searching hierarchically.
It's possible that a virus may have caused them to do this; likely, if the machines making the query are extremely numerous and in diverse subnets, this is what is up.
If possible, avoid defining a DNS record for the wpad subdomain of anything you don't intend to use for proxy auto-discovery.
If this is not an option, you could consider using layer 7 filtering to find queries for wpad.dat and reject the packets with an ICMP message. This might actually be the most effective way to stop the traffic, unless the IPs are all from the same network and their technical contact in whois is responsive.
Things that will point a host at a particular location for wpad.dat include domain settings, the domain name option in DHCP replies, and an explicit setting in the web browser to load proxy information from some URL.
It appears that your DNS zone
eklundh.comhas a wildcard record defined pointing tocluster.atlascms.se.This includeswpad.eklundh.com. I suggest you add a DNS record explicitly definingwpad.eklundh.com. to127.0.0.1or something.The first thing I would do is to try to find out where these requests are going to, i.e. their destination. Apache doesn't log the hostname by default, so you can either use
tcpdumpto get a brief capture and inspect it for theHost:request header, or change your Apache log format to log it. I prefer to log it in the otherwise useless second field, for example:Once you know who these mistaken requests are being addressed to, what to do next may become clear. For instance, it might turn out to be some big company
example.sein which case you can go find their network admins and yell at them.Just FYI,
ModSecuritywill catch this and block it. There is a ruleset provided by Comodo. Here is a log entry. I stripped out account relevant data so it has in it just so as to use it as an example.Had this problem and fixed it by creating a wpad.dat file putting "this page left blank" page in it.
CPU went to nearly zero. Problem seems solved.