Date:      Thu, 23 Jan 2003 15:33:43 -0600
From:      Martin McCormick <martin@dc.cis.okstate.edu>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Limiting icmp unreach response from 231 to 200 packets per second 
Message-ID:  <200301232133.h0NLXhvD085858@dc.cis.okstate.edu>

	What we had was a compromised system that appears to be
running some sort of denial-of-service script that crashes
bind 9.2.1 and possibly other versions.  The problem is reportedly
fixed in bind 9.2.2.

	Our site has been using the latest versions of bind for
close to a decade and that is the first time we have gotten hit.

	If you have a system with lots of storage on it, keep
good logs.  99.999% of what gets logged is hardly worth looking
at, but that last message before bind crashed was worth all that
space since we would have still been scratching our heads and
wondering what happened and when might it happen again.

	I have all the CRIT messages on the name server sent to
our FreeBSD work station and that told us when things went wrong.

	The usual format of the messages changed, giving us
messages that identified the sending host by its IP number
rather than by its host name.

	I run bind in a root jail, so I have a little shell script
to restart it correctly, and I just kept bringing it back up until
one of our other network folks turned off the port of the
compromised system.  The advantage of that is that you can
quickly send the correct commands even when your display is being
trashed with all the distress calls that result from having
no DNS.

	The drill is to log on, type the command to restart bind,
notice the brief lull in the carnage, wait for it to start again,
and hit !!.

	The other advantage to having the startup script is you
can easily tell a coworker to just run that script and bind runs
under the correct UID and GID.

	Some years ago, when things weren't as robust as they
have gotten, I used to run a cron job every minute to restart
bind and dhcpd if they should die.  I guess I should revive those
scripts and update them to fit the present configuration.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Center for Computing and Information Services Network Operations Group
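
The every-minute "restart it if it died" cron job and the restart-under-the-right-UID script described in the message above, written out as an added example. This is not code from the original post, nor from the bind or dhcpd projects. The pidfile paths, the named and dhcpd command lines, and the crontab entry are placeholders (assumptions) to be adjusted to the installation; the watchdog logic itself is generic and can be exercised with any command that writes a pidfile.

```shell
#!/bin/sh
# Added example (not from the original post or from bind/dhcpd): a
# cron-driven watchdog that restarts a daemon when its pidfile no longer
# points at a live process. All paths and the named/dhcpd command lines
# below are placeholders (assumptions); adjust them to your installation.

# is_alive PIDFILE
# Returns 0 if PIDFILE holds the pid of a live process, 1 otherwise.
# Caveat: kill -0 also fails (EPERM) for a process owned by another user,
# so run the watchdog as root (as cron does) or as the daemon's own user.
is_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_running NAME PIDFILE CMD [ARGS...]
# If the daemon recorded in PIDFILE is alive, print "ok" and do nothing.
# Otherwise log the event, run CMD (which must daemonize and write PIDFILE)
# and print "restarted" on success or "failed" if CMD exits non-zero.
ensure_running() {
    name=$1
    pidfile=$2
    shift 2
    if is_alive "$pidfile"; then
        echo ok
        return 0
    fi
    # logger may be missing on a minimal system; never let that abort cron.
    logger -t watchdog "$name not running, restarting" 2>/dev/null || true
    if "$@"; then
        echo restarted
        return 0
    fi
    echo failed
    return 1
}

# Real use, from a root crontab entry such as (placeholder path):
#   * * * * * /usr/local/sbin/daemon-watchdog --cron
# named -u switches to the unprivileged user once the sockets are bound
# (BIND 9 takes the group from that user's primary group); -t chroots into
# the jail, so the pidfile path must be given as seen from OUTSIDE the jail.
# The "--cron" guard keeps the real daemons from being touched when the
# file is merely sourced or run without arguments.
case "${1:-}" in
--cron)
    ensure_running named /var/named/var/run/named/pid \
        named -u bind -t /var/named -c /etc/namedb/named.conf
    ensure_running dhcpd /var/run/dhcpd.pid \
        dhcpd -pf /var/run/dhcpd.pid
    ;;
esac
```

Because the check is "is the pid in the pidfile alive" rather than "did the last restart succeed", a stale pidfile left behind by a crashed named is handled the same way as a missing one: the next cron run simply starts the daemon again under the user given with -u, which is the behaviour the message wants from its restart script.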
