From: J & C Frazier
Organization: CSOCS Internet Services
Date: Sat, 08 Jul 2000 18:21:26 -0600
To: freebsd-isp@freebsd.org
Subject: Namedb attacks
Message-ID: <3967C586.DAEF4D37@csocs.com>

Not quite sure if this is the right list, but I figure you all would know more about this problem than anyone, so here it is:

The past week or so I've gotten a tremendous amount of error messages coming from namedb.

Jul 3 17:14:46 shell named[197]: dropping source port zero packet from [211.72.48.17].0
Jul 3 17:14:50 shell named[197]: dropping source port zero packet from [211.72.48.9].0
Jul 3 18:15:33 shell named[197]: dropping source port zero packet from [211.72.158.249].0
Jul 3 18:15:37 shell named[197]: dropping source port zero packet from [211.72.159.1].0

I'm getting these every minute on average. I do not have any affiliation with that block of addresses and they are not on my network. I've sent mail to the listed owner of those addresses with no response. I haven't found anything in bugtraq similar for namedb. The addresses vary, but are all in the 211.72.*.* B class block.

I've added the following to ipfw:

12345 0 0 unreach host tcp from 211.72.0.0 to any
12346 0 0 unreach host udp from 211.72.0.0 to any

And as you can see it hasn't caught anything or blocked anything.

I had initially assumed it was a DoS on bind, as every 20 minutes or so it will cause bind to reload its zones. Bind is running in a sandbox also.

Then to make matters worse, a few strange things happened last night. My cgi shopping cart lost all its datafiles, along with a few other strange happenings.

Jul 7 21:21:58 shell /kernel: pid 27004 (doscmd), uid 1013: exited on signal 10 (core dumped)
Jul 8 04:52:37 shell ftpd[35348]: getpeername (./ftpd): Socket operation on non-socket
Jul 8 11:31:03 shell inetd[37173]: warning: can't get client address: Connection reset by peer

Any insight or help would be greatly appreciated.

I'm running 3.4-STABLE on an ASUS board with dual PII 450's and 512mb RAM. Cvsupped and built last on Sun May 14 14:05:57 MDT 2000.

J.C. Frazier
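As an added example (not part of the original post or any reply to it), a small Python check a defender could run over the named log lines quoted above: it extracts the source addresses of the port-zero drops, aggregates them per /16, and emulates ipfw's address matching to show why a bare address spec such as 211.72.0.0 (a single host) matches none of them while 211.72.0.0/16 covers the whole block. The log sample is constructed from the lines in the post; the function names are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the named log lines quoted in the post, plus one
# unrelated line to show that the parser ignores other messages.
SAMPLE_LOG = """\
Jul 3 17:14:46 shell named[197]: dropping source port zero packet from [211.72.48.17].0
Jul 3 17:14:50 shell named[197]: dropping source port zero packet from [211.72.48.9].0
Jul 3 18:15:33 shell named[197]: dropping source port zero packet from [211.72.158.249].0
Jul 3 18:15:37 shell named[197]: dropping source port zero packet from [211.72.159.1].0
Jul 3 18:20:01 shell named[197]: some other message
"""

# Matches BIND's "dropping source port zero packet from [a.b.c.d].0" line.
LINE_RE = re.compile(
    r"named\[\d+\]: dropping source port zero packet from "
    r"\[(?P<ip>[\d.]+)\]\.(?P<port>\d+)"
)


def parse_port_zero_drops(log_text):
    """Return the source addresses BIND reported as port-zero drops."""
    ips = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group("ip")))
    return ips


def count_by_prefix(ips, prefixlen=16):
    """Aggregate sources per /prefixlen network (class-B-sized by default)."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def ipfw_spec_matches(spec, ip):
    """Emulate ipfw address matching: a bare address means a single host,
    'addr/bits' means a whole network. ip_network() treats a bare IPv4
    address as a /32, which is exactly ipfw's behaviour."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matched_by_rule(spec, ips):
    """How many of the logged sources an ipfw rule 'from <spec>' would hit."""
    return sum(1 for ip in ips if ipfw_spec_matches(spec, ip))
```

Run with the rule exactly as shown in the post ("from 211.72.0.0") the count is zero, which matches the 0 0 packet and byte counters in the ipfw output; with "211.72.0.0/16" every logged source is matched.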