Security Incidents mailing list archives
Re: Something new? bind dos? exploit?
From: Dan Merillat <dan () merillat org>
Date: 17 Feb 2004 20:20:41 -0000
In-Reply-To: <402CBDE3.3010308 () avwashington com> (Pardon in advance for formatting problems, I'm stuck posting via the web) Chip Mefford writes:
Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error: Feb 13 06:55:40 hostname named[12631]: internal_send: 244.254.254.254#53: Invalid argument
While people have pointed out that this is basically just a misconfigured NS record (even if deliberate) it does act as a DOS against bind9 boxes. Hitting a bind9/linux2.4 box with queries for something in proxies.monkeys.com causes it to spew error messages to the logs, eating lots of CPU and eventually crashing bind9. The problem is that it's not treating it as an unreachable host, but reporting the error and attempting again. --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php ----------------------------------------------------------------------------
Current thread:
- Something new? bind dos? exploit? Chip Mefford (Feb 13)
- Re: Something new? bind dos? exploit? jlewis (Feb 16)
- Re: Something new? bind dos? exploit? Dennis Opacki (Feb 16)
- <Possible follow-ups>
- Re: Something new? bind dos? exploit? Henrik Johansen (Feb 16)
- Re: Something new? bind dos? exploit? Jeffrey Monahan (Feb 16)
- Re: Something new? bind dos? exploit? Dan Merillat (Feb 17)