Date:      Fri, 24 Oct 2003 23:27:07 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Brett Glass <brett@lariat.org>
Cc:        security@freebsd.org
Subject:   Re: /var partition overflow (due to spyware?) in FreeBSD default install
Message-ID:  <Pine.BSF.3.96.1031024231002.15097A-100000@gaia.nimnet.asn.au>
In-Reply-To: <6.0.0.22.2.20031023221633.03a53358@localhost>

On Thu, 23 Oct 2003, Brett Glass wrote:

 > At 08:46 PM 10/23/2003, David G. Andersen wrote:
 > 
 > >the problem is very obviously an excess of messages from bind.
 > >This bug report should go to the ISC folks.
 > 
 > Indeed. Or perhaps we can integrate a patch into FreeBSD and
 > then forward it up to ISC.

Perhaps bind is sending an excess of error messages because there are an
excess of errors?  Surely it's easier to fix the problem by disabling or
disallowing whatever or whoever is hitting bind with invalid requests?

 > >No daemon should
 > >be spewing out log messages at the _incredible_ rate that
 > >bind does when it decides it doesn't like what it's getting
 > >in this context.  The same bug can be triggered by using a
 > >forwarding nameserver that bind doesn't like.
 > 
 > Interesting. What does BIND "not like" about certain forwarders?

Why not just enable debug logging and find the heck out?  Still using
bind 4 here :) but I'm sure that two, three at most, of

 # kill -USR1 `cat /var/run/named.pid`

(ono) will provide copious blow by blow request/response logging.

These get big even faster, but you only need enough for analysis of who
or what's generating this unexpected traffic.  ipfw deny works a treat.

 > >The immediate question to ask is, "is this fixed in bind9?"

Is it bind that's broken for saying too much, or something actually
generating those requests and thus error responses, needing fixing?

Cheers, Ian
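Added example, not part of Ian's mail or of any FreeBSD or BIND code: a small POSIX sh/awk helper that tallies named messages per client address from a constructed log sample, so the host generating the bad requests can be identified and an ipfw deny rule reviewed before it is applied. The BIND 9 style "client A.B.C.D#port" line format, the host name, and the ipfw rule number 1000 are assumptions.

```shell
#!/bin/sh
# Rank the clients behind a burst of named log messages instead of
# silencing the logger. Constructed sample lines in BIND 9 syslog style
# (assumed format, not a real capture).
sample_log() {
    cat <<'EOF'
Oct 23 21:10:01 host named[15097]: client 192.0.2.10#3421: query (cache) 'example.com/A/IN' denied
Oct 23 21:10:01 host named[15097]: client 192.0.2.10#3422: query (cache) 'example.com/A/IN' denied
Oct 23 21:10:02 host named[15097]: client 198.51.100.7#53: error sending response: host unreachable
Oct 23 21:10:02 host named[15097]: client 192.0.2.10#3423: query (cache) 'example.com/A/IN' denied
Oct 23 21:10:03 host named[15097]: zone example.org/IN: loaded serial 2003102301
Oct 23 21:10:03 host named[15097]: client 192.0.2.10#3424: query (cache) 'example.com/A/IN' denied
EOF
}

# top_clients THRESHOLD: print "count ip" for every client IP whose number
# of client-tagged messages is at least THRESHOLD, busiest first.
top_clients() {
    threshold="$1"
    sample_log |
    awk -v t="$threshold" '
        match($0, /client [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+#/) {
            # RSTART points at "client "; drop that prefix and the trailing "#"
            ip = substr($0, RSTART + 7, RLENGTH - 8)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# ipfw_rules THRESHOLD: emit (not execute) one ipfw deny rule per offender
# for the operator to review. Rule number 1000 is a placeholder assumption.
ipfw_rules() {
    top_clients "$1" | while read -r count ip; do
        printf 'ipfw add 1000 deny udp from %s to me 53  # %s messages\n' "$ip" "$count"
    done
}
```

Pipe a real named log through the awk stage in place of sample_log to use it on live data; the emitted rules are only printed, never applied.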