Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

named cause high cpu usages

Discussion in 'Security' started by prashantp786j, May 11, 2013.

  1. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    Hi,

    I have facing the high cpu usages issue and found that named causing issue.
    I have disabled the recursion but still getting the queries in the /var/log/messages as :-

    Also installed mod_evasive to block the IPs.

    While adding the domain name in DNS on the server as suggested in post http://forums.cpanel.net/f5/named-problems-high-cpu-usage-36231.html then we received GET request for the server hostname for port 80.

    Can anyone please suggest the proper resolution for this issue?

    I am facing this problem to our number of server once a week.
     
    #1 prashantp786j, May 11, 2013
  2. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    Hello,

    I would suggest installing CSF, it will temporarily ban Bind server abusers.
    On my conf:

    LF_BIND = "50"
    LF_BIND_PERM = "600"

    So over 50 Denied zone requests will result in 600 Ban.
     
    #2 simonas, May 11, 2013
  3. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    we have already enabled the PORTFLOOD on the server
     
    #3 prashantp786j, May 11, 2013
  4. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    And, is CSF blocking anybody?
     
    #4 simonas, May 12, 2013
  5. cpartsenidis

    cpartsenidis Registered

    Joined:
    May 21, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks Simonas for the tip - I've been trying to deal with a DNS DoS attack for the past two weeks (named.run log file over 25Gigs!) and I believe this will give us some breathing space!

    Cheers,
     
    #5 cpartsenidis, May 21, 2013
  6. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    You can use the tcpdump utility to filter the hits on port 53 and block ip's or length. Blocking ips based on length will stop the attack completly.

    Replace x.x.x with your main server ip.

    Cheers!!!
     
    #6 arunsv84, May 21, 2013
  7. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    I think blocking the IPs is not the permanent solutions As there may be DNS DDOS from different IPs or IP ranges.

    Recently there was named utilizing cpu usages more than 300% and it loads the websites slowly. Can anyone give the proper guidance on this ?
     
    #7 prashantp786j, Jul 30, 2013
  8. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    Yes. Blocking ip is effective when the number is less. The effective method is to block using packet size and length. You should be able to see the packet size and length using the following command.

    Code:
    tcpdump -nn -vv net x.x.x and port 53
    I have successfully blocked dns ddos attacks multiple times by blocking it based on length. Just add the iptables rules for both tcp, udp, INPUT and OUTPUT.

    Refer the following url for details.

    http://linuxadministrator.pro/blog/?p=390

    Cheers!!!
     
    #8 arunsv84, Jul 30, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - named cause high
  1. macklus

    SOLVED named errors installing cPanel on Proxmox

    macklus, Dec 12, 2016, in forum: Bind / DNS / Nameserver Issues
    Replies:
    2
    Views:
    380
    cPanelMichael
    Dec 13, 2016
  2. mesranet

    Named problem after upgrade kernel

    mesranet, Nov 25, 2016, in forum: Bind / DNS / Nameserver Issues
    Replies:
    2
    Views:
    497
    cPanelMichael
    Nov 28, 2016
  3. suberjin

    exim.conf rebuild fails with " too many named host lists (max is 16)" error

    suberjin, Sep 24, 2016, in forum: E-mail Discussions
    Replies:
    5
    Views:
    636
    cPanelMichael
    Feb 16, 2017
  4. shazde

    Changes to DNS zone files under /var/named do not show up under whm zone editor

    shazde, Jun 5, 2016, in forum: Bind / DNS / Nameserver Issues
    Replies:
    3
    Views:
    931
    cPanelMichael
    Jun 14, 2016
  5. Rajesh Chauhan

    MySQL, named, Spamd are down No space left

    Rajesh Chauhan, May 11, 2016, in forum: General Discussion
    Replies:
    2
    Views:
    581
    cPanelMichael
    May 25, 2016

Share This Page