Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

named cause high cpu usages

Discussion in 'Security' started by prashantp786j, May 11, 2013.

  1. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    Hi,

    I have facing the high cpu usages issue and found that named causing issue.
    I have disabled the recursion but still getting the queries in the /var/log/messages as :-

    Also installed mod_evasive to block the IPs.

    While adding the domain name in DNS on the server as suggested in post http://forums.cpanel.net/f5/named-problems-high-cpu-usage-36231.html then we received GET request for the server hostname for port 80.

    Can anyone please suggest the proper resolution for this issue?

    I am facing this problem to our number of server once a week.
     
    #1 prashantp786j, May 11, 2013
  2. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    Hello,

    I would suggest installing CSF, it will temporarily ban Bind server abusers.
    On my conf:

    LF_BIND = "50"
    LF_BIND_PERM = "600"

    So over 50 Denied zone requests will result in 600 Ban.
     
    #2 simonas, May 11, 2013
  3. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    we have already enabled the PORTFLOOD on the server
     
    #3 prashantp786j, May 11, 2013
  4. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    And, is CSF blocking anybody?
     
    #4 simonas, May 12, 2013
  5. cpartsenidis

    cpartsenidis Registered

    Joined:
    May 21, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks Simonas for the tip - I've been trying to deal with a DNS DoS attack for the past two weeks (named.run log file over 25Gigs!) and I believe this will give us some breathing space!

    Cheers,
     
    #5 cpartsenidis, May 21, 2013
  6. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    You can use the tcpdump utility to filter the hits on port 53 and block ip's or length. Blocking ips based on length will stop the attack completly.

    Replace x.x.x with your main server ip.

    Cheers!!!
     
    #6 arunsv84, May 21, 2013
  7. prashantp786j

    prashantp786j Active Member

    Joined:
    Jan 16, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    51
    I think blocking the IPs is not the permanent solutions As there may be DNS DDOS from different IPs or IP ranges.

    Recently there was named utilizing cpu usages more than 300% and it loads the websites slowly. Can anyone give the proper guidance on this ?
     
    #7 prashantp786j, Jul 30, 2013
  8. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    Yes. Blocking ip is effective when the number is less. The effective method is to block using packet size and length. You should be able to see the packet size and length using the following command.

    Code:
    tcpdump -nn -vv net x.x.x and port 53
    I have successfully blocked dns ddos attacks multiple times by blocking it based on length. Just add the iptables rules for both tcp, udp, INPUT and OUTPUT.

    Refer the following url for details.

    http://linuxadministrator.pro/blog/?p=390

    Cheers!!!
     
    #8 arunsv84, Jul 30, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - named cause high
  1. WiddleWabbit

    Can't Set MySQL General Log to Named Pipe

    WiddleWabbit, Mar 8, 2018, in forum: Database Discussions
    Replies:
    1
    Views:
    112
    cPanelMichael
    Mar 9, 2018
  2. Diogo FC

    Error: You do not have a user named “users_name@subdomain.domain.com"

    Diogo FC, Jan 5, 2018, in forum: E-mail Discussions
    Replies:
    3
    Views:
    262
    cPanelMichael
    Jan 5, 2018
  3. WebHosting-UK

    Named Down When Restarting Server

    WebHosting-UK, Dec 8, 2017, in forum: General Discussion
    Replies:
    2
    Views:
    157
    WebHosting-UK
    Dec 9, 2017
  4. rasanjanad

    Named Down

    rasanjanad, Dec 2, 2017, in forum: Bind / DNS / Nameserver Issues
    Replies:
    1
    Views:
    150
    cPanelMichael
    Dec 4, 2017
  5. macklus

    SOLVED named errors installing cPanel on Proxmox

    macklus, Dec 12, 2016, in forum: Bind / DNS / Nameserver Issues
    Replies:
    2
    Views:
    701
    cPanelMichael
    Dec 13, 2016

Share This Page