From owner-freebsd-security Thu Jan 23 13:33:51 2003
Message-Id: <200301232133.h0NLXhvD085858@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Thu, 23 Jan 2003 15:33:43 -0600
From: Martin McCormick

What we had was a compromised system that appears to be running some sort of denial of service script that crashes bind 9.2.1 and possibly other versions. The problem is reportedly fixed in bind 9.2.2. Our site has been using the latest versions of bind for close to a decade, and that is the first time we have gotten hit.

If you have a system with lots of storage on it, keep good logs. 99.999% of what gets logged is hardly worth looking at, but that last message before bind crashed was worth all that space, since we would have still been scratching our heads and wondering what happened and when it might happen again. I have all the CRIT messages on the name server sent to our FreeBSD workstation, and that told us when things went wrong. The usual format of the messages changed, giving us messages that identified the sending host by its IP number rather than its host name.
I run bind in a root jail, so I have a little shell script to restart it correctly, so I just kept bringing it back up until one of our other network folks turned off the port of the compromised system. The advantage of that is that you can quickly send the correct commands even when your display is being trashed with all the distress calls which are a result of having no DNS. The drill is to log on, type the command to restart bind, notice the brief lull in the carnage, wait for it to start again, and hit !!.

The other advantage to having the startup script is that you can easily tell a coworker to just run that script, and bind runs under the correct UID and GID.

Some years ago, when things weren't as robust as they have gotten, I used to run a cron job every minute to restart bind and dhcpd if they should die. I guess I should revive those scripts and update them to fit the present configuration.

Martin McCormick WB5AGZ Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group
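The message describes two things worth having ready before an outage: a startup script that brings a chrooted BIND back under the right unprivileged identity, and a once-a-minute cron watchdog that restarts it if it has died. The following script is an added example, not Martin's own script and not part of the FreeBSD or BIND projects; the chroot path, pidfile location and user name are placeholders to adjust for your own layout. The `named` options used (`-u` to drop to a user, `-t` to chroot, `-c` for the config file) are real BIND 9 options; with `-u`, the process's GID and supplementary groups come from that user's passwd entry, so the script does not set the group separately.

```shell
#!/bin/sh
# named-watchdog.sh: restart a chrooted BIND when it is not running.
# Intended to be run from cron every minute, e.g.
#   * * * * * /usr/local/sbin/named-watchdog.sh run
# All paths and names below are placeholders (assumptions, not site values).

CHROOT="${CHROOT:-/var/named}"                         # chroot directory for named
PIDFILE="${PIDFILE:-$CHROOT/var/run/named.pid}"        # pidfile as seen from outside the chroot
NAMED_USER="${NAMED_USER:-bind}"                       # unprivileged user named drops to
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"              # named binary
NAMED_CONF="${NAMED_CONF:-/etc/namedb/named.conf}"     # config path relative to the chroot

# pid_alive PIDFILE
# Returns 0 if PIDFILE names a process that is still alive, 1 otherwise.
# A stale pidfile left behind by a crash is treated as "not alive".
pid_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# start_named
# Starts BIND chrooted and running as the unprivileged user, so a coworker
# running this script gets the same UID/GID every time.
start_named() {
    "$NAMED_BIN" -u "$NAMED_USER" -t "$CHROOT" -c "$NAMED_CONF"
}

# ensure_running PIDFILE START_CMD [ARGS...]
# Prints "ok" if the daemon is alive. Otherwise logs the event via syslog,
# runs START_CMD and prints "restarted". Returns 1 only if START_CMD fails.
ensure_running() {
    pidfile="$1"
    shift
    if pid_alive "$pidfile"; then
        echo ok
        return 0
    fi
    # The restart itself is the detection signal worth keeping in the logs.
    logger -t named-watchdog "named not running, restarting" 2>/dev/null || true
    "$@" || return 1
    echo restarted
    return 0
}

# Only act when explicitly asked, so sourcing the file for testing is harmless.
case "${1:-}" in
    run) ensure_running "$PIDFILE" start_named ;;
esac
```

Run with the `run` argument from cron; the `logger` line means each automatic restart shows up in syslog, which is exactly the kind of "last message before it died" record the post recommends keeping.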