Date: Mon, 14 May 2001 22:23:28 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: "John Baxter" <jbaxter@mmcable.com>, "Dan Mahoney, System Admin" <danm@prime.gushi.org>, <questions@FreeBSD.ORG>
Subject: RE: onitoring named
Message-ID: <006b01c0dcff$2c7dff80$1401a8c0@tedm.placo.com>
In-Reply-To: <20010514200140.A93481@xor.obsecurity.org>

>-----Original Message-----
>From: Kris Kennaway [mailto:kris@obsecurity.org]
>Sent: Monday, May 14, 2001 8:02 PM
>To: Ted Mittelstaedt
>Cc: Kris Kennaway; John Baxter; Dan Mahoney, System Admin;
>questions@FreeBSD.ORG
>
>Both: >95% of the reported problems with named crashes on FreeBSD
>lists in the past 4 months have been penetration attempts, or at least
>occurred to people running vulnerable versions of named with symptoms
>perfectly consistent to being attacked. Therefore this is the best
>initial diagnosis for people reporting problems with their named,
>until they go further and rule it out by indicating that they're
>already running 8.2.3-REL or a version of 9.x. At that point more
>detailed analysis is obviously required (which perhaps might be better
>carried out on the bind support mailing lists).
>

The only problem with this statistic (assuming the 95% is accurate) is that for it to be a valid indicator, this would require that all the people having problems with bind did, in fact, query the FreeBSD lists first, instead of posting in the newsgroups or mailing lists.

This is an interesting debate in and of itself, though. For most programs, (I'll use Sendmail for example) there is a Sendmail-specific support channel in addition to the general FreeBSD questions. I wonder what the percentage of people who post their question on the general FreeBSD mailing list is, compared to people that post their specific question on the support venue for that specific program.

That is one thing that I would caution you about drawing conclusions on - looking at just the things posted on freebsd-questions doesn't really give a good cross section of the problems people are having with FreeBSD, let alone programs on it. There's a lot of people that never post here but use Usenet, and there's a lot of folks that never use either forum but use other forums specific to what they are doing.

I'd speculate with bind that only the most greenhorn of bind admins would post in this mailing list, unless it was something obviously directly caused by FreeBSD. I would think that most of them would have gone to the Usenet group comp.protocols.dns.bind first.

This also doesn't report on the number of people who queried DejaNews or the search indexes on the FreeBSD mailing lists for answers to their problems first, then found things to try and as a result never posted here (or anywhere) at all.

You are right though that anyone running bind on a production system should be running the secured code, and if they are having problems then upgrading to the secured code is a perfectly valid step to take. Of course, upgrading to the current release of software is ALSO the correct step to take when you suspect a plain old software bug, too, so whether they do it for fear of cracking or do it to test for a bug, either way they are going to be upgrading.

>> Maybe we ought to tell the next person who complains that their
>> nameserver is crashing, that this means their ram is bad and to go
>> replace it all. ;-)
>
>Well, that's also a possible explanation, but not the most likely one.
>

The only problem with taking troubleshooting steps just for no other reason than that they are A Good Thing is that you can easily waste a lot of time chasing down a dry hole when the problem is really somewhere else.

I still say that a modicum of analysis and observation applied to troubleshooting a problem is better than a knee-jerk "upgrade it" response. You also risk fixing the problem inadvertently, by accident, and leaving in place the systems that broke it to start with. (and that are just going to break it again in the future)

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message