From owner-freebsd-security@FreeBSD.ORG Fri Oct 24 06:27:39 2003
Date: Fri, 24 Oct 2003 23:27:07 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Brett Glass
cc: security@freebsd.org
In-Reply-To: <6.0.0.22.2.20031023221633.03a53358@localhost>
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

On Thu, 23 Oct 2003, Brett Glass wrote:

> At 08:46 PM 10/23/2003, David G. Andersen wrote:
>
> >the problem is very obviously an excess of messages from bind.
> >This bug report should go to the ISC folks.
>
> Indeed. Or perhaps we can integrate a patch into FreeBSD and
> then forward it up to ISC.

Perhaps bind is sending an excess of error messages because there is an
excess of errors? Surely it's easier to fix the problem by disabling or
disallowing whatever or whoever is hitting bind with invalid requests?

> >No daemon should
> >be spewing out log messages at the _incredible_ rate that
> >bind does when it decides it doesn't like what it's getting
> >in this context. The same bug can be triggered by using a
> >forwarding nameserver that bind doesn't like.
>
> Interesting. What does BIND "not like" about certain forwarders?

Why not just enable debug logging and find the heck out? Still using
bind 4 here :) but I'm sure that two, three at most, of

  # kill -USR1 `cat /var/run/named.pid`

(ono) will provide copious blow-by-blow request/response logging. These
get big even faster, but you only need enough for analysis of who or
what's generating this unexpected traffic. ipfw deny works a treat.

> >The immediate question to ask is, "is this fixed in bind9?"

Is it bind that's broken for saying too much, or something actually
generating those requests and thus error responses, needing fixing?

Cheers, Ian
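The triage Ian sketches (collect a short burst of named logging, work out which clients are generating the rejected requests, then block them with ipfw) can be scripted. The following is an added example, not part of the original thread and not FreeBSD or ISC code. The log lines are constructed for illustration in the general "client ADDR#PORT: ..." shape named uses; real messages differ by BIND version. The `ipfw add deny` rule is only printed for the operator to review, never executed, and its exact form is an assumption about the local ruleset.

```shell
#!/bin/sh
# Constructed sample of syslog lines as named might write them when it
# rejects queries. These are made-up for the example; real message text
# varies between BIND versions.
SAMPLE_LOG='Oct 23 22:10:01 gaia named[123]: client 192.0.2.10#53211: query (cache) denied
Oct 23 22:10:01 gaia named[123]: client 192.0.2.10#53212: query (cache) denied
Oct 23 22:10:02 gaia named[123]: client 198.51.100.7#1024: query (cache) denied
Oct 23 22:10:02 gaia named[123]: client 192.0.2.10#53213: query (cache) denied
Oct 23 22:10:03 gaia named[123]: client 203.0.113.5#4040: no more recursive clients
Oct 23 22:10:03 gaia named[123]: client 192.0.2.10#53214: query (cache) denied'

# top_clients: read named log lines on stdin and print "COUNT ADDRESS",
# most talkative client first. Only lines carrying a "client ADDR#PORT"
# token are counted; anything else (startup notices etc.) is ignored.
top_clients() {
    sed -n 's/.*client \([0-9.][0-9.]*\)#.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# noisy_clients THRESHOLD: like top_clients, but keep only addresses that
# appear at least THRESHOLD times, so a single stray lookup is not flagged.
noisy_clients() {
    threshold="$1"
    top_clients | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# worst_client: the single address responsible for the most log lines.
worst_client() {
    top_clients | head -n 1 | awk '{ print $2 }'
}

# suggest_rule ADDRESS: print (do not run) an ipfw rule that would stop
# this client from reaching the local resolver on UDP/53. The rule text
# is an assumption about the operator's ruleset; review before applying.
suggest_rule() {
    printf 'ipfw add deny udp from %s to me 53\n' "$1"
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_clients
printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3
suggest_rule "$(printf '%s\n' "$SAMPLE_LOG" | worst_client)"
```

On a live system the same functions would be fed from the named log (for example `tail -n 5000 /var/log/messages | noisy_clients 50`); the point is that a few seconds of debug output is enough to name the source, after which the logging level can be dropped again before it fills /var.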