Status
Not open for further replies.

Moggy
Noticed a high load on my VPS, and in top the named process is constantly using 50% CPU.

Turned on named logging and got these 2 IPs making multiple requests.
Code:
[root@server2 log]# tail -f /var/log/messages
Sep 15 21:08:07 server2 last message repeated 24 times
Sep 15 21:08:07 server2 named[419]: client 5.153.18.126#22542: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 24 times
Sep 15 21:08:07 server2 named[419]: client 67.2.179.147#57723: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 24 times
Sep 15 21:08:07 server2 named[419]: client 5.153.18.126#1263: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 24 times
Sep 15 21:08:07 server2 named[419]: client 67.2.179.147#34779: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 14 times
Sep 15 21:08:07 server2 named[419]: client 5.153.18.126#45689: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 18 times
Sep 15 21:08:07 server2 named[419]: client 67.2.179.147#49964: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 24 times
Sep 15 21:08:08 server2 named[419]: client 5.153.18.126#51981: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 24 times
Sep 15 21:08:08 server2 named[419]: client 5.153.18.126#45772: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 14 times
Sep 15 21:08:08 server2 named[419]: client 67.2.179.147#10293: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 9 times
Sep 15 21:08:08 server2 named[419]: client 67.2.179.147#50792: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 24 times
Sep 15 21:08:08 server2 named[419]: client 67.2.179.147#30250: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 24 times
Sep 15 21:08:08 server2 named[419]: client 67.2.179.147#16643: query: . IN ANY +E
Sep 15 21:08:08 server2 last message repeated 2 times
Sep 15 21:08:08 server2 named[419]: client 5.153.18.126#47388: query: . IN ANY +E
Sep 15 21:08:09 server2 last message repeated 21 times
Sep 15 21:08:09 server2 named[419]: client 67.2.179.147#6324: query: . IN ANY +E
Sep 15 21:08:09 server2 last message repeated 24 times
Sep 15 21:08:09 server2 named[419]: client 5.153.18.126#1166: query: . IN ANY +E
Sep 15 21:08:09 server2 last message repeated 24 times

Anybody know why this is? Should I block these two IPs?
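To see how much traffic each client is really sending from a log like the one above, the syslog "last message repeated N times" lines have to be folded back into the preceding query line. The following is an added example (not from the thread) that parses named query-log lines in that format, expands the repeat lines, and reports clients sending many "ANY" queries for the root zone ("."); the sample log and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown in the thread (named with querylog
# enabled). Addresses are RFC 5737 documentation ranges, not the ones from the post.
SAMPLE_LOG = """\
Sep 15 21:08:07 server2 named[419]: client 198.51.100.7#22542: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 24 times
Sep 15 21:08:07 server2 named[419]: client 203.0.113.9#57723: query: . IN ANY +E
Sep 15 21:08:07 server2 last message repeated 14 times
Sep 15 21:08:08 server2 named[419]: client 192.0.2.10#40000: query: www.example.com IN A +
Sep 15 21:08:08 server2 named[419]: client 198.51.100.7#1263: query: . IN ANY +E
"""

# "client <ip>#<port>: query: <name> IN <type> <flags>" as written by BIND's query log.
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
# syslog collapses identical consecutive messages into this line; N refers to the
# message immediately before it.
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def count_queries(log_text):
    """Return a Counter keyed by (client_ip, qname, qtype), with repeat lines expanded."""
    counts = Counter()
    last_key = None
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_key = (m["ip"], m["name"], m["qtype"])
            counts[last_key] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_key is not None:
            counts[last_key] += int(m["n"])  # repeats belong to the previous query
    return counts


def amplification_suspects(log_text, threshold=20):
    """Clients sending more than `threshold` ANY queries for '.', as seen in the thread."""
    per_ip = Counter()
    for (ip, name, qtype), n in count_queries(log_text).items():
        if name == "." and qtype == "ANY":
            per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n > threshold}


if __name__ == "__main__":
    for ip, n in sorted(amplification_suspects(SAMPLE_LOG).items()):
        print(f"{ip}: {n} '. IN ANY' queries")
```

Feed it the real file with `amplification_suspects(open("/var/log/messages").read())`; a resolver that only answers recursive queries for localhost (as in the fixes below in the thread) will stop producing these lines for outside clients.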
 
Ok, thanks

Code:
[root@server2 log]# cat /var/named/chroot/etc/named.conf
options {
allow-recursion { localhost; };
};

//Kloxo 

include "/etc/kloxo.named.conf";


[root@server2 log]# service named restart
Stopping named: .[  OK  ]
Starting named: [  OK  ]
[root@server2 log]#

It does look better now.

Code:
26086 named     20   0 88640 4068 1888 S  1.0  0.2   0:02.40 /usr/sbin/named -u named -t /var/named/chroot
 
I had the same problem; seems like I still have it, so I closed port 53, but attackers are still sending packets ...

Check yourself whether you are part of a bigger DDoS game:

tcpdump -f udp

Also check - http://www.wjunction.com/18-server-management-help/179650-ddos-attack-one-my-vps.html

Btw, also my /var/named/chroot/etc/named.conf is:

options {
allow-recursion { localhost; };
allow-notify { localhost; };
allow-transfer { localhost; };
};



//Kloxo

include "/etc/kloxo.named.conf";
 
Try to turn off the logging; it helped for me. After I closed the hole, the logging started to create a high load.

Code:
[root@server2 ~]# cat /var/named/chroot/etc/named.conf
options {
allow-recursion { localhost; };
};

logging {
category ncache { null; };
category security { null; };
category lame-servers{ null; };
};

//Kloxo 

include "/etc/kloxo.named.conf";
 
service named stop for me :D I stopped it, but once someone finds that "security hole" you are going to be used as one of the attackers in one bigger DDoS ... Since some time before I had allow-recursion set, I don't know how the hell it stayed open to the world, so probably after reboot the server rewrote my old named.conf with a new named.conf where allow-recursion localhost was not defined, or so ... Some sh*t happens.

So now I can see all those IPs used for a DNS amplification DDoS attack, I think, and probably will start reporting those IPs so people can get up and start blocking port 53 or so ...
 