Security Incidents mailing list archives

Re: Something new? bind dos? exploit?

From: Dan Merillat <dan () merillat org>
Date: 17 Feb 2004 20:20:41 -0000

In-Reply-To: <402CBDE3.3010308 () avwashington com>


(Pardon in advance for formatting problems, I'm stuck posting via the web)

Chip Mefford writes:

Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error:
Feb 13 06:55:40 hostname named[12631]: internal_send:
244.254.254.254#53: Invalid argument


While people have pointed out that this is basically
just a misconfigured NS record (even if deliberate) it does act as a DOS against bind9 boxes.

Hitting a bind9/linux2.4 box with queries for something in proxies.monkeys.com causes it to spew error messages to the 
logs, eating lots of CPU and eventually crashing bind9.  The problem is that it's not treating it as an unreachable 
host, but reporting the error and attempting again.

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------

Current thread:

Something new? bind dos? exploit? Chip Mefford (Feb 13)
- Re: Something new? bind dos? exploit? jlewis (Feb 16)
- Re: Something new? bind dos? exploit? Dennis Opacki (Feb 16)
- <Possible follow-ups>
- Re: Something new? bind dos? exploit? Henrik Johansen (Feb 16)
- Re: Something new? bind dos? exploit? Jeffrey Monahan (Feb 16)
- Re: Something new? bind dos? exploit? Dan Merillat (Feb 17)