Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

HIgh CPU usage on named (bind)

Discussion in 'Security' started by etoppl, Jan 12, 2015.

  1. etoppl

    etoppl Registered

    Jan 17, 2008
    Likes Received:
    Trophy Points:
    Last few months we ve noticed that our hosting servers suffer high cpu usage (even 24 cores ones)

    After examination it showe that the cause is simple: named causes high load.

    The cause was DNS DOS queries (even if the server is set up as authoritative only, and is not an open resolver)

    To fix this we managed a script that is able to recognise the attacking ip and block it via csf.

    to implement it :

    1. install CSF (Config Server Firewall) and enable (testing=0)
    2. make a script in /root
    #touch /root/
    #vi /root/
    then copy/paste:
    rm -f /tmp/dnsddos.catch
    rm -f /tmp/dnsddos.count
    touch /tmp/dnsddos.count
    tcpdump -i eth0  -n -c 200 udp dst portrange 53 |cut -f3 -d' ' |cut -f1-4 -d '.' |grep -v $a |grep -v packets > /tmp/dnsddos.catch
    uniq  -c -d  /tmp/dnsddos.catch | sed -e 's/^ *//' -e 's/ *$//' > /tmp/dnsddos.count
    for i in $(cat /tmp/dnsddos.count)
            c=$(echo $i |cut -f1 -d' ')
            p=$(echo $i |cut -f2 -d' ')
            if test $c -ge 60
                    /usr/sbin/csf -d $p ' DNS DDOSER'
    3. change a= line to something like a=192.168.0  using 3 first records of your server ip instead of 192.168.0
    4. #chmod 777 /root/
    5. edit /etc/csf/csf.conf
    and change lines below to be as :
    PT_LOAD = "30"
    PT_LOAD_AVG = "1"
    PT_LOAD_LEVEL = "10"
    PT_LOAD_SKIP = "900"
    PT_LOAD_ACTION = "/root/"
    6.#/etc/init.d/csf restart

    Now when dns ddoser will be tryng to flood you with requests the firewall autamatically block attacker ip causing load to drop dramatically.

    Well it is just 1st version of the script so feel free to improve that.

    Best Regards
    Konrad Olszewski
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Hello :)

    Thank you for taking the time to provide this script. I've moved this to our "Security" forum as it will likely receive more user-feedback and visibility here.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice