Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

named cause high cpu usages

Discussion in 'Security' started by prashantp786j, May 11, 2013.

  1. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    Hi,

    I have facing the high cpu usages issue and found that named causing issue.
    I have disabled the recursion but still getting the queries in the /var/log/messages as :-

    Also installed mod_evasive to block the IPs.

    While adding the domain name in DNS on the server as suggested in post http://forums.cpanel.net/f5/named-problems-high-cpu-usage-36231.html then we received GET request for the server hostname for port 80.

    Can anyone please suggest the proper resolution for this issue?

    I am facing this problem to our number of server once a week.
     
    #1 prashantp786j, May 11, 2013
  2. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    Hello,

    I would suggest installing CSF, it will temporarily ban Bind server abusers.
    On my conf:

    LF_BIND = "50"
    LF_BIND_PERM = "600"

    So over 50 Denied zone requests will result in 600 Ban.
     
    #2 simonas, May 11, 2013
  3. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    we have already enabled the PORTFLOOD on the server
     
    #3 prashantp786j, May 11, 2013
  4. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    And, is CSF blocking anybody?
     
    #4 simonas, May 12, 2013
  5. cpartsenidis

    cpartsenidis Registered

    Joined:
    May 21, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks Simonas for the tip - I've been trying to deal with a DNS DoS attack for the past two weeks (named.run log file over 25Gigs!) and I believe this will give us some breathing space!

    Cheers,
     
    #5 cpartsenidis, May 21, 2013
  6. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    You can use the tcpdump utility to filter the hits on port 53 and block ip's or length. Blocking ips based on length will stop the attack completly.

    Replace x.x.x with your main server ip.

    Cheers!!!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 arunsv84, May 21, 2013
  7. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    I think blocking the IPs is not the permanent solutions As there may be DNS DDOS from different IPs or IP ranges.

    Recently there was named utilizing cpu usages more than 300% and it loads the websites slowly. Can anyone give the proper guidance on this ?
     
    #7 prashantp786j, Jul 30, 2013
  8. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    Yes. Blocking ip is effective when the number is less. The effective method is to block using packet size and length. You should be able to see the packet size and length using the following command.

    Code:
    tcpdump -nn -vv net x.x.x and port 53
    I have successfully blocked dns ddos attacks multiple times by blocking it based on length. Just add the iptables rules for both tcp, udp, INPUT and OUTPUT.

    Refer the following url for details.

    http://linuxadministrator.pro/blog/?p=390

    Cheers!!!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 arunsv84, Jul 30, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - named cause high
  1. marjwyatt

    named.service killed after clamd fail

    marjwyatt, Oct 27, 2018, in forum: General Discussion
    Replies:
    8
    Views:
    138
    marjwyatt
    Oct 29, 2018
  2. _jman

    PowerDNS also-notify syntax error when reading from named.conf

    _jman, Sep 8, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    1
    Views:
    180
    cPanelMichael
    Sep 12, 2018
  3. WebHostPro

    SOLVED How do you stop named from creating named.run files?

    WebHostPro, May 22, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    5
    Views:
    269
    cPanelMichael
    May 29, 2018
  4. WiddleWabbit

    Can't Set MySQL General Log to Named Pipe

    WiddleWabbit, Mar 8, 2018, in forum: Database Discussion
    Replies:
    1
    Views:
    373
    cPanelMichael
    Mar 9, 2018
  5. Diogo FC

    Error: You do not have a user named “users_name@subdomain.domain.com"

    Diogo FC, Jan 5, 2018, in forum: E-mail Discussion
    Replies:
    3
    Views:
    671
    cPanelMichael
    Jan 5, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice