Date:      Mon, 14 May 2001 00:52:58 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "John Baxter" <jbaxter@mmcable.com>
Cc:        "Dan Mahoney, System Admin" <danm@prime.gushi.org>, "Kris Kennaway" <kris@obsecurity.org>, <questions@FreeBSD.ORG>
Subject:   RE: onitoring named
Message-ID:  <009201c0dc4a$e4ace2c0$1401a8c0@tedm.placo.com>
In-Reply-To: <3AFF6511.E1A8B996@mmcable.com>

I happen to run (and no, I'm not going to tell you the IP
number or what or where it is and no you can't discover it
via querying my various published domains) a nameserver that
is fairly busy and is running on ancient, archaic, holey
bind code.  Is it scheduled to be updated?  Certainly.  Have
I gotten to it yet? No.  Would I be that concerned if someone
broke into the system _right now_?  no, not particularly since
there's nothing on that system that's valuable, and it happens
to be one of several secondary DNS servers

The point is that archaic, holey bind code has NOT
"occasionally" died, with the regularity that Dan's has
seemed to do.  This nameserver is open to the public same
as any other nameserver on the Internet and even since all the
"chinese hacks" crap has been released I've been eagerly
waiting to see it start going down or otherwise show evidence
of lots of crack attacks - because this is what all the
security fascists have been telling the world.  You might say that
I'm keeping it running as a sort of a "canary in the coal mine",
as bait to attract crackers.

However, I have been very disappointed to note no real increase in
trouble from this server.  Sure every once in a few months it might
go offline for no reason, but it was doing that long before any of these
advisories came out.

The conclusion I have drawn from this is that most of the stories
of crashing nameservers do not, in fact, have anything to do with
crack attacks, but rather with improper nameserver configuration, or
bugs in the nameserver code itself.  Sure, no doubt there has been
a lot of nameservers cracked into, but I think that if you looked you
would find a gigantic number - probably the majority still - of nameservers
on the Internet are running archaic, holey code and I see no evidence that
the Internet has melted down as a result.

Before all the "chinese hacks" against bind were released, there were
plenty of complaints out there by people saying their nameservers were
crashing for no reason.  These generally were answered on the appropriate
mailing lists by rather dull and unexciting pointers like "look at
this wrong setting you have or that wrong setting you have" and when people
got those responses they buckled down to work and solved the problems.

Today, the most common response I see to nameserver problems is
"oh, your nameserver MUST have been hacked".  This is an exciting, sexy
answer that just about anyone can give.  It requires no real understanding
of DNS by either the giver or the receiver.  I guess I'm just getting sick
and tired of hearing it because my own experience is that most likely the
problem is that the DNS server has, in fact, NOT been cracked, and
that the problem is something more subtle.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of John Baxter
>Sent: Sunday, May 13, 2001 9:55 PM
>To: Ted Mittelstaedt
>Cc: Dan Mahoney, System Admin; Kris Kennaway; questions@FreeBSD.ORG
>Subject: Re: onitoring named
>
>
>you should visit cert.org and search for 'lion worm'.
>it is a chinese hack kit.
>
>
>
>
>Ted Mittelstaedt wrote:
>>
>> You might check into the system ram that the named process is
>> using for its cache.  You may be overflowing an internal table
>> or so.  What are your MAXUSERS set to in the kernel and do you
>> have any other kernel variables defined?
>>
>> Ted Mittelstaedt                      tedm@toybox.placo.com
>> Author of:          The FreeBSD Corporate Networker's Guide
>> Book website:         http://www.freebsd-corp-net-guide.com
>>
>> >-----Original Message-----
>> >From: owner-freebsd-questions@FreeBSD.ORG
>> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Dan Mahoney,
>> >System Admin
>> >Sent: Saturday, May 12, 2001 9:49 AM
>> >To: Kris Kennaway
>> >Cc: questions@FreeBSD.ORG
>> >Subject: Re: onitoring named
>> >
>> >
>> >On Fri, 11 May 2001, Kris Kennaway wrote:
>> >
>> >> On Sat, May 12, 2001 at 01:17:56AM -0400, Dan Mahoney, System
>> >Admin wrote:
>> >> > Hi all.  I noticed recently that I've had a high occurrence of
>> >named dying
>> >> > on various machines.  What would I put in a crontab to restart
>> >it only if
>> >> > it's not running?  I'm not sure how to format the if statement.
>> >
>> >Okay, on a FreeBSD 3.2-Release server I found an implementation of NDC
>> >that was written as a (buggy, but easily fixed) shell script.  I have
>> >installed this on my 4.2 boxen as "shndc", and run it from a crontab every
>> >20 minutes.
>> >
>> >My nameservers are both very secure dedicated machines that, other than
>> >webmin (boss's requirement) run nothing but DNS service.  Occasionally I
>> >see them die on signal 11, more often with no explanation at all.  These
>> >are the latest version, running in the most secure fashion I can get info
>> >on. (chrooted as an unprivileged user, with quotas).  Has anyone else had
>> >problems with named dying?
>> >
>> >-Dan
>> >
>> >>
>> >> Aren't you at all worried WHY they're dying?  I bet you're running
>> >> older versions than 8.2.3-RELEASE and you're suffering the effects of
>> >> (attempted, possibly successful) root penetration.
>> >>
>> >> Kris
>> >>
>> >
>> >--
>> >
>> >I am now a lesbian.  I don't like men, but thank you for writing.
>> >
>> >-Reply to my response to a personal ad, May 30th, 1998.
>> >
>> >
>> >--------Dan Mahoney--------
>> >Techie,  Sysadmin,  WebGeek
>> >Gushi on efnet/undernet IRC
>> >ICQ: 13735144   AIM: LarpGM
>> >Web: http://prime.gushi.org
>> >finger danm@prime.gushi.org
>> >for pgp public key and tel#
>> >---------------------------
>> >
>> >
>> >
>> >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >with "unsubscribe freebsd-questions" in the body of the message
>> >
>>
>
>


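Dan's original question (what to put in a crontab so named is restarted only when it is not running) is answered by the thread only in passing. The script below is an added example written for this archive page; it is not code from Dan, Ted, Kris or the FreeBSD project. The pidfile path, the start command and the script name `named-watch.sh` are assumptions to be adjusted for the system at hand. It treats a stale pidfile left behind by a crash (the "signal 11" deaths Dan describes) as "not running", and it writes a timestamped line to stderr on every restart so that cron's mail shows how often it is happening, which is the information Ted's and Kris's replies argue you should be looking at rather than hiding behind an automatic restart.

```shell
#!/bin/sh
# named-watch.sh: added example for the question in this thread (not code
# from any poster). Restart named from cron only when it is not running.
# Assumptions (adjust for your system): named writes its pid to $PIDFILE, and
# $START_CMD is the command that starts it. Suggested crontab entry, every
# 20 minutes as in the thread:
#   */20 * * * * /usr/local/sbin/named-watch.sh

PIDFILE="${NAMED_PIDFILE:-/var/run/named/pid}"          # assumed path
START_CMD="${NAMED_START_CMD:-/usr/sbin/named -u bind}"  # assumed command

# named_running PIDFILE
# Returns 0 when PIDFILE names a live process, 1 otherwise. A missing or
# unreadable pidfile, an empty or non-numeric pid, or a stale pid (a file
# left behind after a crash) all count as "not running".
named_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_named PIDFILE START_CMD
# Prints "running" and does nothing if named is up. Otherwise it logs the
# event with a timestamp to stderr (cron mails it, so a pattern of restarts
# stays visible and can be investigated), runs START_CMD, and prints
# "started" if that command succeeded.
ensure_named() {
    if named_running "$1"; then
        echo running
        return 0
    fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') named not running, restarting" >&2
    # START_CMD is deliberately left unquoted so it may carry arguments.
    $2 && echo started
}

# Run the check only when invoked directly as the cron job, so the functions
# can also be sourced and exercised without touching a real named.
case "${0##*/}" in
    named-watch.sh) ensure_named "$PIDFILE" "$START_CMD" ;;
esac
```

The liveness test is deliberately conservative: `kill -0` only asks whether a process with that pid exists, so a pid reused by an unrelated process would make the check report "running". If named provides a control program (the `ndc` Dan mentions), asking it for status is the more exact check and can be substituted for `named_running` without changing the rest of the script.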