A number of times we have seen windows vista hosts on our Residential
Network (ie machines in student rooms) "Attack" our DNS service.

Most of these events seem to involve a pair of machines sending large
numbers of data packets on dest port 53 4,000 per second to both
the primary and secondary DNS servers. Note the port is limited to
10mbps... I have wondered what would have happened if it was 100/1000!!



Investigations and packet captures have revealed:



- The machines are always vista machines

- The DNS requests are attached to a single process. This
appears to be "sharedAccess"

- There appear to be two separate states. Hosts which have
been involved seem to send abnormal numbers of DNS requests under
"normal" operation (state 1), roughly 10pps. Then, somehow an
interatction with another machine (I guess) causes the bombardment .

- The Vista machines seem to be "clean" of virus infection

- Whilst looking at said machines, I have been unable to
replicate an "attack event"

Has anyone seen similar and is it reparable in a service pack for
vista ?