
My Bind server is.. attacking???

Discussion in 'Bind / DNS / Nameserver Issues' started by cretu, Apr 21, 2005.

  1. cretu

    Hello there,
    I am having a heck of a problem on one of our servers. The "named" process sits at the top and it seems like bandwidth is leaking pretty fast.

    The logs are showing hundreds of lines:

    "Apr 21 12:26:01 hydra kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=MY_SERVERS_IP DST=SOME_OTHER_VARIOUS_IPs LEN=150 TOS=0x00 PREC=0x00 TTL=64 ID=29567 DF PROTO=UDP SPT=53 DPT=193 LEN=130".

    I have checked for rootkits, etc., and nothing shows up on the scanners. I've got APF installed as well.

    I would appreciate help on this one. Perhaps a company that could look into this server and perform a security audit...

    Thank you.

    Cretu.
     
  2. chirpy

    Considering the ports being used (SPT:53 DPT:193), you're either under a DoS attack on named, or have customers with poorly configured Windows PCs. Either way, have you blocked the DST IP addresses in question?
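
To decide which DST addresses are worth blocking, the firewall log lines can be tallied per destination and per destination port. The following is an added example, not part of the original thread: the function names, the `min_hits` threshold, the low-port heuristic and the sample addresses (documentation ranges) are all assumptions.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread. All addresses are
# documentation-range placeholders, not values from the original post.
TEMPLATE = ("Apr 21 12:26:0{n} hydra kernel: ** OUT_{proto} DROP ** IN= OUT=eth0 "
            "SRC=192.0.2.10 DST={dst} LEN=150 TOS=0x00 PREC=0x00 TTL=64 "
            "ID=29567 DF PROTO={proto} SPT={spt} DPT={dpt} LEN=130")
ROWS = [("198.51.100.7", "UDP", 53, 193)] * 4 + [
    ("203.0.113.20", "UDP", 53, 193),
    ("203.0.113.99", "UDP", 53, 33012),
    ("203.0.113.50", "TCP", 25, 40000),   # not a DNS reply, must be ignored
]
SAMPLE_LOG = "\n".join(
    TEMPLATE.format(n=i, dst=d, proto=p, spt=s, dpt=t)
    for i, (d, p, s, t) in enumerate(ROWS)
) + "\nApr 21 12:26:09 hydra named[812]: constructed non-firewall line\n"

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one kernel firewall log line, or None."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first LEN (IP), not the UDP one
    return fields

def summarize_dns_replies(log_text, min_hits=3):
    """Tally logged outbound UDP packets sent from port 53, per destination."""
    by_dst, by_dpt = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "UDP" or f.get("SPT") != "53":
            continue
        if "DST" not in f or not f.get("DPT", "").isdigit():
            continue
        by_dst[f["DST"]] += 1
        by_dpt[int(f["DPT"])] += 1
    total = sum(by_dst.values())
    # Heuristic (assumption): ordinary clients query from high ephemeral ports,
    # so replies addressed to ports below 1024 deserve a closer look.
    low = sum(n for port, n in by_dpt.items() if port < 1024)
    return {"total": total,
            "repeat_dsts": [ip for ip, n in by_dst.most_common() if n >= min_hits],
            "low_port_share": low / total if total else 0.0,
            "by_dst": by_dst}

if __name__ == "__main__":
    print(summarize_dns_replies(SAMPLE_LOG))
```

A few destinations receiving most of the replies suggests specific hosts to look at first; many destinations hit once each suggests the source addresses of the incoming queries may not be genuine.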
     