From owner-freebsd-isp Fri May 1 15:25:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA05081 for freebsd-isp-outgoing; Fri, 1 May 1998 15:25:33 -0700 (PDT) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from rainey.blueneptune.com (root@rainey.blueneptune.com [209.133.45.253]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA05062; Fri, 1 May 1998 15:25:30 -0700 (PDT) (envelope-from michael@rainey.blueneptune.com)
Received: (from michael@localhost) by rainey.blueneptune.com (8.8.8/8.8.7) id PAA01307; Fri, 1 May 1998 15:29:28 -0700 (PDT) (envelope-from michael)
Message-Id: <199805012229.PAA01307@rainey.blueneptune.com>
Subject: Re: Named disappeared
To: freebsd-isp@FreeBSD.ORG
Date: Fri, 1 May 1998 15:29:28 -0700 (PDT)
Cc: mmoran@veronet.net, dyson@FreeBSD.ORG, batie@agora.rdrop.com, LutzRab@omc.net, robseco@moat.teksupport.net.au
In-Reply-To: <199805012109.HAA01689@moat.teksupport.net.au> from "Rob Secombe" at May 2, 98 07:29:09 am
From: michael@blueneptune.com
Reply-To: michael@blueneptune.com
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> We also had two of our nameservers, one in Melbourne and one in Canberra go
> down within seconds of each other.
>
> May 1 19:51:29 canberra /kernel: pid 70: named: uid 0: exited on signal 11
> May 1 19:51:32 wizard /kernel.256: pid 70 (named), uid 0: exited on signal 11
>
> This appears a global problem.

This looks more and more like somebody out there is launching a
large-scale attack against the security problems outlined in the
recent CERT advisory. Unless I'm reading the advisory wrong, a
"signal 11" crash is certainly one of the possible outcomes of
somebody hitting your nameservers with an exploit directed at
these problems.

Here are the URLs again, giving the CERT advisory, and the page from
which you can download the latest BIND, either 4.* or 8.*, depending
on your preferences:

    http://www.cert.org/advisories/CA-98.05.bind_problems.html
    http://www.isc.org/new-bind.html

I upgraded all of our servers, which were running an embarrassingly
old version of named (and FreeBSD), to use the new 4.9.7, with little
effort at all. No configuration changes were needed, just unpack,
build and install as instructed. It couldn't have been much simpler.

[I'd also recommend that if you are currently running 4.*, that you
upgrade first to 4.9.7 to protect against the problems, then upgrade
to 8.* at your leisure, if you want.]

--
Michael Bryan
michael@blueneptune.com