named problems (high CPU usage!)

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,051
1
343
I noticed that named (BIND) has been using a lot of CPU in the last few hours, 10% to 30%
constantly,

2325 named 25 0 3920 S 15.9 0.3 0:26 /usr/sbin/named -u named



What could the problem be, and how can I find which user is abusing BIND?

Thank you!

petfut

Well-Known Member
Feb 14, 2005
60
0
156
I noticed the same thing on my Fedora 2 server.
I killed those processes and restarted bind.

Radio_Head

solved.

Someone was attacking with DNS queries (using tons of different IP addresses per second)
a domain name which had been closed, but which was still pointing to my nameservers.
If you have the same problem, leave me a PM and I will tell you how to solve this kind of problem (I prefer not to post the solution here, otherwise the hacker could find a workaround).

Bye

katz_global

Well-Known Member
PartnerNOC
Can you post a way to trace back the DNS query synflood to the victim IP?

thank you

Scott

Radio_Head

Due to continuous requests I will post the solution here.

Solution

a) Investigate which domain name is flooding your named
(turn query logging on with ndc and examine /var/log/messages).

b) If the domain is flooded.com, check a whois of this domain name.

c) If flooded.com is using your DNS (probably yes), create an account for it
or simply create a DNS entry for it.

d) (optional) Redirect flooded.com to your master account :) to get more traffic :)


After executing point c), named will return to working normally.
(In other words, if a domain name uses your DNS but is not listed as a WHM account
with its own DNS, the hacker can launch an attack against your named, slowing it down.
I don't know in which way they launch the attack, however; perhaps by requesting multiple DNS queries.) Hope it helps.
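Step a) of the solution above in practice, as an added example that is not part of the original thread or of anyone's post in it: a Python script that parses the "client ... query: ..." lines named writes to syslog once query logging is switched on (on BIND 9 the toggle is `rndc querylog`, on BIND 8 `ndc querylog`) and groups them by second-level zone and by source address, so that a zone you do not serve but are being hammered for stands out, together with how many distinct clients are hitting it. The log lines embedded below are constructed in BIND 9 query-log format; the hostname `srv`, the addresses, the PID and the domain names are made up, and `configured_zones` stands in for whatever zones your named really serves.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9 query-log format as they land in /var/log/messages.
# The seventh line uses the newer "client @0x... addr#port (qname):" prefix that
# BIND 9.11+ emits; the last line is a non-query named message that must be ignored.
SAMPLE_LOG = """\
Mar  1 12:00:01 srv named[2325]: client 192.0.2.10#53241: query: www.example.net IN A +
Mar  1 12:00:01 srv named[2325]: client 192.0.2.11#53242: query: mail.example.net IN MX +
Mar  1 12:00:02 srv named[2325]: client 198.51.100.7#40001: query: k3jd8.flooded.com IN A -
Mar  1 12:00:02 srv named[2325]: client 198.51.100.9#40002: query: p02xm.flooded.com IN A -
Mar  1 12:00:02 srv named[2325]: client 203.0.113.4#40003: query: zz91a.flooded.com IN A -
Mar  1 12:00:02 srv named[2325]: client 203.0.113.77#40004: query: FLOODED.COM IN ANY -
Mar  1 12:00:03 srv named[2325]: client @0x7f3c1c0b2a10 198.51.100.23#40005 (q7hh2.flooded.com): query: q7hh2.flooded.com IN A -
Mar  1 12:00:03 srv named[2325]: client 192.0.2.200#40006: query: x.flooded.com. IN TXT -
Mar  1 12:00:03 srv named[2325]: client 192.0.2.12#53243: query: www.example.org IN A +
Mar  1 12:00:04 srv named[2325]: zone example.net/IN: loaded serial 2005021501
"""

# Source address, queried name and type from a BIND 9 query-log line.
# The "@0x..." handle and the "(qname)" after the port are optional so both
# old and new BIND 9 layouts parse.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def zone_of(qname, labels=2):
    """Reduce a queried name to its zone. Assumes second-level zones
    (flooded.com); co.uk-style suffixes would need a public-suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def summarize(log_text):
    """Per zone: total queries, distinct client addresses, distinct names asked for."""
    per_zone = Counter()
    clients_per_zone = defaultdict(set)
    names_per_zone = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (zone loads, notifies, ...)
        qname = m["qname"].rstrip(".").lower()
        zone = zone_of(qname)
        per_zone[zone] += 1
        clients_per_zone[zone].add(m["ip"])
        names_per_zone[zone].add(qname)
    return per_zone, clients_per_zone, names_per_zone


def suspect_zones(log_text, configured_zones, min_queries=5):
    """Zones that named is being queried for but does not serve, busiest first.

    A zone that is not in configured_zones, attracts many queries, from many
    different addresses, for many different (often random) names, is the
    'still pointing at my nameservers' pattern described in the thread.
    """
    per_zone, clients, names = summarize(log_text)
    report = []
    for zone, count in per_zone.most_common():
        if count < min_queries or zone in configured_zones:
            continue
        report.append({
            "zone": zone,
            "queries": count,
            "clients": len(clients[zone]),
            "distinct_names": len(names[zone]),
        })
    return report


if __name__ == "__main__":
    # Hypothetical set of zones this server actually hosts.
    configured = {"example.net"}
    for row in suspect_zones(SAMPLE_LOG, configured):
        print("{zone}: {queries} queries from {clients} clients "
              "for {distinct_names} distinct names".format(**row))
```

Run it against the real file with `suspect_zones(open("/var/log/messages").read(), configured)` once query logging has been on for a minute or two; a high client count with a high distinct-name count for a single unconfigured zone is the domain to whois in step b). Turn query logging off again afterwards, since it is itself a noticeable CPU and disk cost on a busy resolver.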