From owner-freebsd-questions Sun Feb 18 22:26:18 2001 Delivered-To: freebsd-questions@freebsd.org Received: from dt051n37.san.rr.com (dt051n37.san.rr.com [204.210.32.55]) by hub.freebsd.org (Postfix) with ESMTP id 2791F37B401 for ; Sun, 18 Feb 2001 22:26:14 -0800 (PST) Received: from dougbarton.net (master [10.0.0.2]) by dt051n37.san.rr.com (8.9.3/8.9.3) with ESMTP id WAA43828; Sun, 18 Feb 2001 22:26:11 -0800 (PST) (envelope-from DougB@dougbarton.net) Message-ID: <3A90BC83.E5EB3018@dougbarton.net> Date: Sun, 18 Feb 2001 22:26:11 -0800 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.76 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: GB Clark II Cc: freebsd-questions@freebsd.org Subject: Re: BIND 8.2.3-R crashing References: <01021410563903.18874@prime.vsservices.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG GB Clark II wrote: > > Hello, > > I've got a primary name server running BIND 8.2.3-Release. > BIND will crash every so often and need restarted. As a stop-gap I've > got a crontab to ndc restart it every hour. > I suspect a memory problem (we are upgrading to 512MB) but named is a memory pig... it's vital that it has a solid system to run on, and deadly for it to swap. > I do see the following from BIND every so often: > > Feb 14 04:26:23 a2 named[125]: dropping source port zero packet from [63.229.217 > .207].0 > Feb 14 04:26:35 a2 last message repeated 8 times > > It looks like an attack but I'm not real sure. Anyone have an idea on this? That does look suspicious, yes. There's no good reason to allow traffic from source port zero, and IIRC there are some system exploits that have that source port, so I'd block it at your border. Good luck, Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message