Message-ID: <354A5C46.CCB78D9E@comsys.com>
Date: Fri, 01 May 1998 16:35:34 -0700
From: Alex Huppenthal
To: michael@blueneptune.com
CC: freebsd-isp@FreeBSD.ORG, mmoran@veronet.net, dyson@FreeBSD.ORG, batie@agora.rdrop.com, LutzRab@omc.net, robseco@moat.teksupport.net.au
Subject: Re: Named disappeared
References: <199805012229.PAA01307@rainey.blueneptune.com>

I agree entirely. Over the past few days, our DNS has been attacked.

We've just upgraded to the latest bind. Setup was painless. A handy script
for converting /etc/named.boot to the new named.conf is included, and worked
fine. We've tested access, zone transfers and things look much better.

Our symptom was DNS name resolution on a few sites stopped working, until
named was restarted. We also had a core file dumped on another system.

-Alex

michael@blueneptune.com wrote:

> > We also had two of our nameservers, one in Melbourne and one in Canberra go
> > down within seconds of each other.
> >
> > May 1 19:51:29 canberra /kernel: pid 70: named: uid 0: exited on signal 11
> > May 1 19:51:32 wizard /kernel.256: pid 70 (named), uid 0: exited on signal 11
> >
> > This appears a global problem.
>
> This looks more and more like somebody out there is launching a large-scale
> attack against the security problems outlined in the recent CERT advisory.
> Unless I'm reading the advisory wrong, a "signal 11" crash is certainly one
> of the possible outcomes of somebody hitting your nameservers with an exploit
> directed at these problems.
>
> Here are the URLs again, giving the CERT advisory, and the page from which
> you can download the latest BIND, either 4.* or 8.*, depending on your
> preferences:
>
> http://www.cert.org/advisories/CA-98.05.bind_problems.html
> http://www.isc.org/new-bind.html
>
> I upgraded all of our servers, which were running an embarrassingly old
> version of named (and FreeBSD), to use the new 4.9.7, with little effort
> at all. No configuration changes were needed, just unpack, build and
> install as instructed. It couldn't have been much simpler. [I'd also
> recommend that if you are currently running 4.*, that you upgrade first
> to 4.9.7 to protect against the problems, then upgrade to 8.* at your
> leisure, if you want.]
>
> --
> Michael Bryan
> michael@blueneptune.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
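
The two kernel log lines quoted in the thread record the same event in two different layouts. As an added example (not part of the original messages), this Python code parses both layouts and flags `named` signal 11 crashes that hit two or more hosts within a short window; the function names, the 60-second window and the extra sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Both kernel message layouts seen in the thread:
#   "pid 70: named: uid 0: exited on signal 11"
#   "pid 70 (named), uid 0: exited on signal 11"
CRASH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel\S*: "
    r"pid (?P<pid>\d+)(?:: (?P<p1>[^:\s]+):| \((?P<p2>[^)]+)\),) "
    r"uid (?P<uid>\d+): exited on signal (?P<sig>\d+)"
)

def parse_crash(line, year):
    """Return a dict for a kernel 'exited on signal' line, else None."""
    m = CRASH.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies it.
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m["host"], "pid": int(m["pid"]),
            "proc": m["p1"] or m["p2"], "uid": int(m["uid"]),
            "signal": int(m["sig"])}

def correlated_crashes(lines, year, proc="named", signal=11, window=60):
    """Group matching crashes that hit 2+ distinct hosts within `window` seconds."""
    hits = sorted((c for c in (parse_crash(l, year) for l in lines)
                   if c and c["proc"] == proc and c["signal"] == signal),
                  key=lambda c: c["time"])
    clusters, current = [], []
    for c in hits:
        # Start a new cluster once a crash falls outside the window.
        if current and c["time"] - current[0]["time"] > timedelta(seconds=window):
            clusters.append(current)
            current = []
        current.append(c)
    if current:
        clusters.append(current)
    return [cl for cl in clusters if len({c["host"] for c in cl}) >= 2]

# The first two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = [
    "May 1 19:51:29 canberra /kernel: pid 70: named: uid 0: exited on signal 11",
    "May 1 19:51:32 wizard /kernel.256: pid 70 (named), uid 0: exited on signal 11",
    "May 1 20:40:02 wizard /kernel.256: pid 311 (sendmail), uid 0: exited on signal 6",
    "May 1 23:10:00 canberra /kernel: pid 412: named: uid 0: exited on signal 11",
]

if __name__ == "__main__":
    for cluster in correlated_crashes(SAMPLE, 1998):
        print("named SIGSEGV cluster:", [(c["host"], str(c["time"])) for c in cluster])
```

A lone crash on one host (the constructed 23:10:00 line) is parsed but not reported, since only multi-host clusters match the pattern described in the thread.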