Wpad.dat requests from router flooding my IIS Logs

ccarlinx · February 26, 2013, 12:31am

My server recently ran out of space. It turned out I had 100+MB logs per day on my very very lightly used webserver that I run. When I opened the log file there were hundreds of thousands of requests for wpad.dat from the routers IP address.

Here is a sample request (192.168.1.1 is the router, 192 is the webserver).

2013-02-25 23:41:03 W3SVC585206455 192.168.1.192 GET /wpad.dat - 80 - 192.168.1.1 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2

My first question is this really coming from the router or is it passing the request thru from somewhere else? If it is coming from the router how the heck do I turn it off.

Forgot to mention this is a My Net 900 router with firmware version 1.06.181.06.18.

Ichigo · March 4, 2013, 10:13pm

This issue seems to be related with a web server software called, internet information services 7, developed by Microsoft. Try to deactivate the logs for this web server to fix the problem.

ccarlinx · March 5, 2013, 2:05am

So you are claiming that the logging of the ridiculous number of requests originating from the router is a problem with IIS and you solution is for me to turn off logging in IIS. That is not an acceptable answer, not by a long shot.

WDJay · March 5, 2013, 8:16pm

I’m not an IIS expert, but according to Microsoft, the first IP address is the client IP, with the second being the server. Seeing that wpad.dat is a web proxy autoconfiguration file, I’d guess that the apache server is repeatedly searching for a proxy configuration on the router, causing the log entry. Possibly there’s a Windows and/or IIS option to disble proxy autoconfiguration?

References are:

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/c93b2856-76c4-4348-9d46-8a60612c3b23.mspx?mfr=true

and

https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

ccarlinx · March 5, 2013, 11:35pm

Not always the case the ordering of the log. As I stated the request are coming from the router (hence my posting in this forum). Here is the field break down including the header line.

date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status

3/5/2013 0:02:09 W3SVC585206455 192.168.1.192 GET /wpad.dat - 80 - 192.168.1.1 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2

The 192 address is the server (the one logging the request).

The 1 address is the client making the request which is the router.

So does anyone out there know why the router is making constant requests to my web servers for a wpad.dat file?

WDJay · March 6, 2013, 6:21pm

Then what appears to be happening is that one of your LAN side clients is making an HTTP request for the WAN side interface of the router. That request is being redirected to the web server, and showing up with a source IP of 192.168.1.1, despite the actual requesting system. This is expected when doing an internal NAT redirection.

As previously mentioned, it appears that the wpad.date is related to auto-proxy detection - if you disable that function on your Windows systems, you should see those requests stop.

You can test this by going to http:// and see that the requests in the server logs indeed appear to be coming from 192.168.1.1, even though the router is not generating the request.