Date: Sat, 08 Jul 2000 18:21:26 -0600
From: J & C Frazier <admin@csocs.com>
To: freebsd-isp@freebsd.org
Subject: Namedb attacks
Message-ID: <3967C586.DAEF4D37@csocs.com>
Not quite sure if this is the right list, but I figure you all would know more about this problem than anyone, so here it is:

The past week or so I've gotten a tremendous amount of error messages coming from namedb.

Jul 3 17:14:46 shell named[197]: dropping source port zero packet from [211.72.48.17].0
Jul 3 17:14:50 shell named[197]: dropping source port zero packet from [211.72.48.9].0
Jul 3 18:15:33 shell named[197]: dropping source port zero packet from [211.72.158.249].0
Jul 3 18:15:37 shell named[197]: dropping source port zero packet from [211.72.159.1].0

I'm getting these every minute on average. I do not have any affiliation with that block of addresses and they are not on my network. I've sent mail to the listed owner of those addresses with no response. I haven't found anything in bugtraq similar for namedb. The addresses vary, but are all in the 211.72.*.* B class block. I've added the following to ipfw:

12345 0 0 unreach host tcp from 211.72.0.0 to any
12346 0 0 unreach host udp from 211.72.0.0 to any

And as you can see it hasn't caught anything or blocked anything. I had initially assumed it was a DoS on bind, as every 20 minutes or so it will cause bind to reload its zones. Bind is running in a sandbox also.

Then to make matters worse, a few strange things happened last night. My cgi shopping cart lost all its datafiles, along with a few other strange happenings.

Jul 7 21:21:58 shell /kernel: pid 27004 (doscmd), uid 1013: exited on signal 10 (core dumped)
Jul 8 04:52:37 shell ftpd[35348]: getpeername (./ftpd): Socket operation on non-socket
Jul 8 11:31:03 shell inetd[37173]: warning: can't get client address: Connection reset by peer

Any insight or help would be greatly appreciated. I'm running 3.4-STABLE on an ASUS board with dual PII 450's and 512mb RAM. Cvsupped and built last on Sun May 14 14:05:57 MDT 2000.

J.C. Frazier
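An added example, not part of the original message: a short Python check that parses the named log lines quoted above and compares the rule source as written (`211.72.0.0`, which ipfw reads as a single host because no mask is given) against the whole 211.72.0.0/16 block. The function names are illustrative; the log lines are the four from the message.

```python
import ipaddress
import re
from collections import Counter

# The four named log lines quoted in the message above.
SAMPLE_LOG = """\
Jul 3 17:14:46 shell named[197]: dropping source port zero packet from [211.72.48.17].0
Jul 3 17:14:50 shell named[197]: dropping source port zero packet from [211.72.48.9].0
Jul 3 18:15:33 shell named[197]: dropping source port zero packet from [211.72.158.249].0
Jul 3 18:15:37 shell named[197]: dropping source port zero packet from [211.72.159.1].0
"""

PORT_ZERO = re.compile(
    r"named\[\d+\]: dropping source port zero packet from \[([0-9.]+)\]\.0"
)

def port_zero_sources(log_text):
    """Return the source addresses named reported for port-zero packets."""
    return [ipaddress.ip_address(m.group(1)) for m in PORT_ZERO.finditer(log_text)]

def tally_by_prefix(addrs, prefixlen=16):
    """Group source addresses by enclosing network to show where they cluster."""
    counts = Counter()
    for addr in addrs:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)

def rule_hits(addrs, rule_source):
    """Count addresses that a 'from <rule_source>' clause would match.

    An address with no mask is a single host (/32), both in ipfw and in
    ipaddress.ip_network(), so the same string can be tested here.
    """
    net = ipaddress.ip_network(rule_source, strict=False)
    return sum(1 for addr in addrs if addr in net)

if __name__ == "__main__":
    sources = port_zero_sources(SAMPLE_LOG)
    print("sources by /16:", tally_by_prefix(sources))
    print("matched by 211.72.0.0    :", rule_hits(sources, "211.72.0.0"))
    print("matched by 211.72.0.0/16 :", rule_hits(sources, "211.72.0.0/16"))
```

With the quoted lines, the unmasked source matches none of the logged addresses and the /16 form matches all four, which is consistent with the zero packet counters shown for rules 12345 and 12346.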
