Re: /var partition overflow (due to spyware?) in FreeBSD default install

From: Ian Smith (smithi_at_nimnet.asn.au)
Date: 10/24/03

    Date: Fri, 24 Oct 2003 23:27:07 +1000 (EST)
    To: Brett Glass <brett@lariat.org>
    
    

    On Thu, 23 Oct 2003, Brett Glass wrote:

    > At 08:46 PM 10/23/2003, David G. Andersen wrote:
    >
    > >the problem is very obviously an excess of messages from bind.
    > >This bug report should go to the ISC folks.
    >
    > Indeed. Or perhaps we can integrate a patch into FreeBSD and
    > then forward it up to ISC.

    Perhaps bind is sending an excess of error messages because there is an
    excess of errors? Surely it's easier to fix the problem by disabling or
    disallowing whatever or whoever is hitting bind with invalid requests?

    > >No daemon should
    > >be spewing out log messages at the _incredible_ rate that
    > >bind does when it decides it doesn't like what it's getting
    > >in this context. The same bug can be triggered by using a
    > >forwarding nameserver that bind doesn't like.
    >
    > Interesting. What does BIND "not like" about certain forwarders?

    Why not just enable debug logging and find the heck out? Still using
    bind 4 here :) but I'm sure that two, three at most, of

     # kill -USR1 `cat /var/run/named.pid`

    (ono) will provide copious blow by blow request/response logging.

    These get big even faster, but you only need enough for analysis of who
    or what's generating this unexpected traffic. ipfw deny works a treat.

    > >The immediate question to ask is, "is this fixed in bind9?"

    Is it bind that's broken for saying too much, or something actually
    generating those requests and thus error responses, needing fixing?

    Cheers, Ian

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
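
The analysis step described in the message above (work out who or what is generating the traffic, then block it with ipfw), sketched as an added example that is not part of the original message. The function names, the sample log layout and the rule that the first IPv4 address on a line is the client's are assumptions made for illustration.

```shell
#!/bin/sh
# Tally which client addresses account for the most lines in a named log,
# so the noisiest sources can be reviewed before any ipfw deny rule is added.

# top_talkers FILE [MIN]: print "COUNT ADDRESS" for every IPv4 address that
# appears on at least MIN lines (default 3), highest count first.
# Assumption: the first IPv4 address on a line is the client's.
top_talkers() {
    awk -v min="${2:-3}" '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            n[substr($0, RSTART, RLENGTH)]++
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' "$1" | sort -k1,1nr -k2,2
}

# deny_candidates FILE [MIN]: print (never run) one ipfw rule per noisy
# source. DNS mostly runs over UDP, where source addresses can be forged,
# so each address should be confirmed before the rule is applied.
deny_candidates() {
    top_talkers "$1" "$2" | while read -r count addr; do
        echo "ipfw add deny ip from $addr to any  # $count log lines"
    done
}

# Constructed sample input: the line layout is invented for this example
# and is not real named output; addresses are documentation ranges.
make_sample_log() {
    cat <<'EOF'
Oct 24 23:01:02 ns named[101]: sample error, query from 192.0.2.10
Oct 24 23:01:02 ns named[101]: sample error, query from 192.0.2.10
Oct 24 23:01:03 ns named[101]: sample error, query from 203.0.113.5
Oct 24 23:01:03 ns named[101]: sample error, query from 198.51.100.7
Oct 24 23:01:04 ns named[101]: sample error, query from 192.0.2.10
Oct 24 23:01:05 ns named[101]: sample error, query from 203.0.113.5
EOF
}

# Demo run on the constructed sample, threshold of 2 lines per source.
sample=$(mktemp)
make_sample_log > "$sample"
deny_candidates "$sample" 2
rm -f "$sample"
```

Point `top_talkers` at the real debug or syslog file once the address pattern has been checked against the lines named actually writes on the system in question.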

