From owner-freebsd-questions@FreeBSD.ORG  Tue Dec 16 12:01:38 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 750ED16A4CF
	for <questions@freebsd.org>; Tue, 16 Dec 2003 12:01:38 -0800 (PST)
Received: from natsmtp00.webmailer.de (natsmtp00.rzone.de [81.169.145.165])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EB4CF43D33
	for <questions@freebsd.org>; Tue, 16 Dec 2003 12:01:35 -0800 (PST)
	(envelope-from Robert.Eckardt@Robert-Eckardt.de)
Received: from quasar.eckardt.org (p5080B04C.dip.t-dialin.net [80.128.176.76])
	by post.webmailer.de (8.12.10/8.12.10) with ESMTP id hBGK1Yvj028158
	for <questions@freebsd.org>; Tue, 16 Dec 2003 21:01:34 +0100 (MET)
Received: from roberte.no-ip.org (localhost.eckardt.org [127.0.0.1])
	by quasar.eckardt.org (8.12.9/8.12.6) with ESMTP id hBGK1XJE030157
	for <questions@freebsd.org>; Tue, 16 Dec 2003 21:01:34 +0100 (CET)
	(envelope-from Robert.Eckardt@Robert-Eckardt.de)
From: "Robert Eckardt" <Robert.Eckardt@Robert-Eckardt.de>
To: questions@freebsd.org
Date: Tue, 16 Dec 2003 22:01:33 +0100
Message-Id: <20031216191701.M14568@Robert-Eckardt.de>
X-Mailer: Open WebMail 2.10 20030617
X-OriginatingIP: 192.168.0.190 (roberte)
MIME-Version: 1.0
Content-Type: text/plain;
	charset=iso-8859-1
Subject: DOS of named
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2003 20:01:38 -0000

Hi,

what measures can I take against this irregular appearing Denial-Of-Service
attacks of named which is filling my logfiles (messages, daemon, all.log)
with messages like "sysquery: no addrs found for root NS" for minutes at
a rate of 4000 lines/sec?

I'm using named 8.3.3-REL on FBSD-5.0R.

There is no indication that ipfw is blocking anything as denied packets
are logged by default. (Well, at least not from any name servers.)

This phenomenon happens irregularly after a few days/weeks/months.
This last event, for example, happend after 4 days uptime, the one before
after over 42 days.
Searching in the archives pointed me to 
a) some issue with the named.cache file which I updated weeks ago and 
   which is still up-to-date
b) the firewall blocking the answer from a root-server (see above)
c) and of course the arrogance of a developer suggesting to use a larger
   filesystem for logs as nothing is wrong with an application logging
   every error.

Thus, nothing to solve the problem or to find the true cause.

An "nslookup 198.41.0.4 a.root-servers.net." produces
Authoritative answers can be found from:
198.in-addr.arpa        nameserver = chia.ARIN.NET
198.in-addr.arpa        nameserver = dill.ARIN.NET
198.in-addr.arpa        nameserver = henna.ARIN.NET
198.in-addr.arpa        nameserver = indigo.ARIN.NET
198.in-addr.arpa        nameserver = epazote.ARIN.NET
198.in-addr.arpa        nameserver = figwort.ARIN.NET
198.in-addr.arpa        nameserver = ginseng.ARIN.NET
*** Can't find server name for address 198.41.0.4: No information
*** Default servers are not available

Tcpdump shows the following transfer, nothing more:
tcpdump: listening on tun0
20:47:47.288874 80.128.176.76.63384 > 198.41.0.4.domain:  18833+ PTR? 
4.0.41.198.in-addr.arpa. (41)
0x0000   4500 0045 9dbf 0000 4011 15ef 5080 b04c        E..E....@...P..L
0x0010   c629 0004 f798 0035 0031 0b4a 4991 0100        .).....5.1.JI...
0x0020   0001 0000 0000 0000 0134 0130 0234 3103        .........4.0.41.
0x0030   3139 3807 696e 2d61 6464 7204 6172 7061        198.in-addr.arpa
0x0040   0000 0c00 01                                   .....
20:47:47.443400 198.41.0.4.domain > 80.128.176.76.63384:  18833- 0/7/0 (194) 
(DF)
0x0000   4500 00de 0000 4000 3411 7f15 c629 0004        E.....@.4....)..
0x0010   5080 b04c 0035 f798 00ca 7663 4991 8100        P..L.5....vcI...
0x0020   0001 0000 0007 0000 0134 0130 0234 3103        .........4.0.41.
0x0030   3139 3807 696e 2d61 6464 7204 6172 7061        198.in-addr.arpa
0x0040   0000 0c00 01c0 1300 0200 0100 0151 8000        .............Q..
0x0050   0f04 6368 6961 0441 5249 4e03 4e45 5400        ..chia.ARIN.NET.
0x0060   c013 0002 0001 0001 5180 0007 0464 696c        ........Q....dil
0x0070   6cc0 3ac0 1300 0200 0100 0151 8000 0805        l.:........Q....
0x0080   6865 6e6e 61c0 3ac0 1300 0200 0100 0151        henna.:........Q
0x0090   8000 0906 696e 6469 676f c03a c013 0002        ....indigo.:....
0x00a0   0001 0001 5180 000a 0765 7061 7a6f 7465        ....Q....epazote
0x00b0   c03a c013 0002 0001 0001 5180 000a 0766        .:........Q....f
0x00c0   6967 776f 7274 c03a c013 0002 0001 0001        igwort.:........
0x00d0   5180 000a 0767 696e 7365 6e67 c03a             Q....ginseng.:
^C


Thanks in advance,
Robert

PS: BTW, is there a search engine on freebsd.org for the archives or
    do I have to stay with google, which becomes less usable each day?)