The Community Forums


named problems (high cpu usage!)

Discussion in 'General Discussion' started by Radio_Head, Feb 24, 2005.

  1. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I noticed that named (bind) has been using a lot of CPU in the last few hours, 10% to 30%
    constantly:

    2325 named 25 0 3920 S 15.9 0.3 0:26 /usr/sbin/named -u named



    What could be the problem, and how can I find which user is abusing bind?

    Thank you!
     
  2. petfut

    petfut Well-Known Member

    Joined:
    Feb 14, 2005
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    I noticed the same thing on my Fedora 2 server.
    I killed those processes and restarted bind.
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    solved.

    Someone was attacking with DNS queries (using tons of different IP addresses per second)
    a domain name which was closed, but which was still pointing at my nameservers.
    If you have the same problem, leave me a PM and I will tell you how to solve this kind of problem (I prefer not to post the solution here, otherwise the hacker could find a workaround).

    Bye
     
  4. katz_global

    katz_global Well-Known Member
    PartnerNOC

    Joined:
    Oct 18, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hosting from: Panama, Hong Kong, Singapore, Malays
    Can you post a way to trace the DNS query synflood back to the victim IP?

    thank you

    Scott
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Due to continuous requests, I will post the solution here.

    Solution

    a) Investigate which domain name is flooding your named
    (turn query logging on with ndc and examine /var/log/messages).

    b) If the domain is flooded.com, check a whois of this domain name.

    c) If flooded.com is using your DNS (probably yes), create an account for it
    or simply create a DNS entry for it.

    d) (optional) Redirect flooded.com to your master account :) to get more traffic :)


    After executing point c), named will return to working normally.
    (In other words, if a domain name uses your DNS but it's not listed as a WHM account
    with its own DNS, the hacker could bring an attack against your named, slowing it down.
    I don't know in which way they bring the attack, however; perhaps by requesting multiple DNS queries.) Hope it helps.
     
    #5 Radio_Head, Jun 5, 2005
    Last edited: Jun 5, 2005
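Step a) above says to turn on query logging and read /var/log/messages by hand. The script below, an added example that is not from the thread or from cPanel, does that reading for you: it counts queries per zone and how many distinct client addresses sent them, which is exactly the "many queries from many IPs for one dead domain" pattern described in post #3. It assumes the BIND 9 query-log line format (`client <ip>#<port>: query: <name> IN <type>`), uses constructed sample log lines, and collapses names to their last two labels and uses fixed thresholds, both simplifications you would tune for a real server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of BIND query-log lines as they would appear in /var/log/messages.
# Assumes the BIND 9 "client <ip>#<port>: query: <name> <class> <type>" format; the
# thread itself does not show any log lines, so these are illustrative only.
SAMPLE_LOG = """\
Jun  5 10:01:02 host named[2325]: client 192.0.2.10#1234: query: www.flooded.com IN A
Jun  5 10:01:02 host named[2325]: client 198.51.100.7#5353: query: flooded.com IN MX
Jun  5 10:01:02 host named[2325]: client 203.0.113.77#40000: query: mail.flooded.com IN A
Jun  5 10:01:03 host named[2325]: client 192.0.2.11#1235: query: www.flooded.com IN A
Jun  5 10:01:03 host named[2325]: client 192.0.2.12#1236: query: www.flooded.com IN AAAA
Jun  5 10:01:03 host named[2325]: client 10.0.0.5#53000: query: www.example.net IN A
Jun  5 10:01:04 host named[2325]: client 192.0.2.13#1237: query: flooded.com IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def zone_of(name, labels=2):
    """Collapse a queried name to its last `labels` labels (assumed simplification;
    public-suffix zones such as co.uk would need a real suffix list)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def summarize(log_text):
    """Return {zone: (query_count, distinct_client_count)}, busiest zone first."""
    queries = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line (other syslog noise)
        zone = zone_of(m.group("name"))
        queries[zone] += 1
        clients[zone].add(m.group("ip"))
    return {z: (queries[z], len(clients[z]))
            for z in sorted(queries, key=queries.get, reverse=True)}


def suspect_zones(summary, min_queries=5, min_clients=3):
    """Zones hit by many queries from many distinct sources; thresholds are assumed."""
    return [z for z, (q, c) in summary.items() if q >= min_queries and c >= min_clients]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for zone, (q, c) in s.items():
        print(f"{zone:20s} queries={q:4d} distinct_clients={c:4d}")
    print("suspect:", suspect_zones(s))
```

On a live server, replace `SAMPLE_LOG` with the contents of /var/log/messages (or the file your `logging` channel writes to) and then run a whois on whatever `suspect_zones` returns, as step b) describes.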