
named cause high cpu usages

Discussion in 'Security' started by prashantp786j, May 11, 2013.

  1. prashantp786j

    Hi,

    I am facing a high CPU usage issue and found that named is causing the issue.
    I have disabled recursion but am still getting the queries in /var/log/messages as:

    Also installed mod_evasive to block the IPs.

    After adding the domain name in DNS on the server as suggested in the post http://forums.cpanel.net/f5/named-problems-high-cpu-usage-36231.html, we received GET requests for the server hostname on port 80.

    Can anyone please suggest the proper resolution for this issue?

    I am facing this problem on a number of our servers once a week.
     
  2. simonas

    Hello,

    I would suggest installing CSF, it will temporarily ban Bind server abusers.
    On my conf:

    LF_BIND = "50"
    LF_BIND_PERM = "600"

    So over 50 Denied zone requests will result in 600 Ban.
     
  3. prashantp786j

    We have already enabled PORTFLOOD on the server.
     
  4. simonas

    And, is CSF blocking anybody?
     
  5. cpartsenidis

    Thanks Simonas for the tip - I've been trying to deal with a DNS DoS attack for the past two weeks (named.run log file over 25Gigs!) and I believe this will give us some breathing space!

    Cheers,
     
  6. arunsv84

    You can use the tcpdump utility to filter the hits on port 53 and block IPs or length. Blocking IPs based on length will stop the attack completely.

    Replace x.x.x with your main server ip.

    Cheers!!!
     
  7. prashantp786j

    I think blocking the IPs is not a permanent solution, as there may be DNS DDoS from different IPs or IP ranges.

    Recently named was utilizing more than 300% CPU and the websites were loading slowly. Can anyone give proper guidance on this?
     
  8. arunsv84

    Yes. Blocking IPs is effective when the number is small. The effective method is to block using packet size and length. You should be able to see the packet size and length using the following command.

    Code:
    tcpdump -nn -vv net x.x.x and port 53
    I have successfully blocked dns ddos attacks multiple times by blocking it based on length. Just add the iptables rules for both tcp, udp, INPUT and OUTPUT.

    Refer to the following URL for details.

    http://linuxadministrator.pro/blog/?p=390

    Cheers!!!
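
An added example (not code from any poster in this thread) of the length-based triage described above: it reads `tcpdump -nn -vv` text, groups UDP packets sent to port 53 by IP total length, and reports the lengths that dominate the capture while arriving from many different sources. The capture text, the addresses, the function names and the `min_share`/`min_sources` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

HDR = re.compile(r"proto UDP \(17\), length (\d+)\)\s*$")                # IP header line
PKT = re.compile(r"^\s+(\d+(?:\.\d+){3})\.\d+ > \d+(?:\.\d+){3}\.53: ")  # packet sent to port 53

def sample_capture():
    """Constructed `tcpdump -nn -vv` style text (documentation addresses, not real traffic)."""
    flood = "[1au] ANY? example.com. ar: . OPT UDPsize=4096"
    dst = "203.0.113.10.53"
    pkts = [(f"198.51.100.{i}.40312", dst, 68, flood) for i in range(1, 7)]
    pkts += [("192.0.2.20.40312", dst, 61, "A? www.example.com."),
             ("192.0.2.21.40312", dst, 57, "MX? example.com."),
             # A reply leaving the server: must not be counted as an inbound query.
             ("203.0.113.10.53", "192.0.2.20.40312", 77, "1/0/0 www.example.com. A 203.0.113.10")]
    lines = []
    for n, (src, to, iplen, text) in enumerate(pkts):
        lines.append(f"10:15:{n:02d}.000001 IP (tos 0x0, ttl 55, id {4660 + n}, offset 0, "
                     f"flags [none], proto UDP (17), length {iplen})")
        lines.append(f"    {src} > {to}: [udp sum ok] {4242 + n}+ {text} ({iplen - 28})")
    return "\n".join(lines)

def length_profile(text):
    """Map IP total length -> (packet count, set of source IPs) for UDP packets to port 53."""
    profile = defaultdict(lambda: [0, set()])
    pending = None                      # length from the header line awaiting its packet line
    for line in text.splitlines():
        hdr = HDR.search(line)
        if hdr:
            pending = int(hdr.group(1))
            continue
        pkt = PKT.match(line)
        if pkt and pending is not None:
            profile[pending][0] += 1
            profile[pending][1].add(pkt.group(1))
        pending = None
    return {length: (count, srcs) for length, (count, srcs) in profile.items()}

def dominant_lengths(profile, min_share=0.5, min_sources=3):
    """Lengths carrying at least min_share of inbound packets from at least min_sources IPs."""
    total = sum(count for count, _ in profile.values())
    return sorted(length for length, (count, srcs) in profile.items()
                  if total and count / total >= min_share and len(srcs) >= min_sources)

if __name__ == "__main__":
    prof = length_profile(sample_capture())
    for length in dominant_lengths(prof):
        count, srcs = prof[length]
        print(f"length {length}: {count} packets from {len(srcs)} sources")
```

A length that dominates across many sources is a candidate for a length-based filter; compare it with the lengths of legitimate queries first, because a length match drops every packet of that size regardless of sender.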
     