HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

#1
Old 19th December 2005, 15:36
ZebraCobra ZebraCobra is offline
Junior Member
 
Join Date: Dec 2005
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
ISP Says DoS Attack Being Conducted

After doing the perfect fc4 setup and including the BIND 9 server, I received an angry letter from my ISP that a computer at my IP address is conducting a DoS attack on another client, recursive DNS queries in excess of 6GB???? Anyhow, this is the second warning and if it continues I will be suspended. They also give a link to a secure BIND script that has no instructions on how to apply it.
Does anyone know what's going on and how I am able to stop it?

Any help would be nice.

Thanks!
#2
Old 19th December 2005, 15:48
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,421
Thanks: 812
Thanked 5,205 Times in 4,081 Posts

Is the IP of the other client in your /etc/resolv.conf file?

Have you checked your server with a rootkit scanner like rkhunter from http://www.rootkit.nl?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
Old 20th December 2005, 15:25
ZebraCobra ZebraCobra is offline
Junior Member
 
Join Date: Dec 2005
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks for the fast response. On the /etc/resolv.conf file I only have the DNS server list for my ISP. Also did a rootkit scan as you recommended and everything passed OK. I have BIND version 9.3.1, under chroot /var/named/chroot which I believe is the secure version.

Here is my named.conf file, which was created by Webmin:


//
// named.conf for Red Hat caching-nameserver
//

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

//

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

include "/etc/rndc.key";

zone "ABC.DEF.GHI.in-addr.arpa" {
    type master;
    file "/var/named/ABC.DEF.GHI.rev";
};

zone "virtualdomain1.com" {
    type master;
    file "/var/named/virtualdomain1.hosts";
};


I am guessing my problem is named.conf; I have seen other examples of it and they have different views and ACLs??

Part of the ISP letter:

Reported Incident:

All time stamps are based on time zone: -600 Recursive DNS lookup DoS attack:

Please, stop allowing open recursive lookups from external sources.

We've all seen a few related posts recently on related DNS amplification attacks here and it's getting progressively worse. The latest victim has been undergoing DOS attacks on a daily basis well in excess of 6GB/s for several weeks and it is _really_ hurting their business. We'd like to solicit as much help as possible from everyone in order to prevent the next victim from being one of us.

To help customers in cleaning up their DNS configurations, a secure BIND configuration template can be found at: http://www.cymru.com/Documents/secur...-template.html.


Any ideas???
#4
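The ISP's complaint comes down to one thing the posted options block never says: nothing restricts recursion, and BIND 9.3 defaults to `recursion yes` with `allow-recursion { any; }`. The following checker is an added example, not code from the thread or from BIND: it strips named.conf comments (so a commented-out directive does not count), pulls out the options block, and reports whether anyone who can reach port 53 may recurse through the server. The hardened options blocks and the 192.168.1.0/24 network are assumptions for illustration, not the original poster's values.

```python
import re

# Constructed from the options block posted above: it contains neither a
# recursion nor an allow-recursion directive, so BIND 9.3 defaults apply.
POSTED_OPTIONS = """
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    /* ... you might need to uncomment the query-source directive ... */
    // query-source address * port 53;
};
"""

# Assumed hardening for a resolver that only serves the LAN (placeholder net).
HARDENED_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    # allow-recursion { any; };   <- commented out, must be ignored
};
"""

# Assumed authoritative-only alternative: recursion off for everybody.
AUTH_ONLY_OPTIONS = 'options { directory "/var/named"; recursion no; };'

def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out directives do not count."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_body(conf: str) -> str:
    """Return the text inside the top-level options { ... } block ('' if none)."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:          # brace matching, nested blocks allowed
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def audit_recursion(conf: str) -> dict:
    """Report whether this named.conf lets arbitrary clients recurse through it."""
    body = options_body(conf)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    recursion_on = rec is None or rec.group(1) == "yes"          # BIND default: yes
    allowed = [t.strip() for t in acl.group(1).split(";") if t.strip()] if acl else ["any"]
    return {"recursion": recursion_on, "allow_recursion": allowed,
            "open_resolver": recursion_on and "any" in allowed}
```

Run `audit_recursion()` over your real /etc/named.conf (or the chroot copy under /var/named/chroot/etc); an `open_resolver` of True is exactly the condition the ISP letter is asking you to close.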
Old 20th December 2005, 16:18
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,721 Times in 2,562 Posts

If you don't need Bind on your server, I'd simply shut it down and close port 53 with a firewall.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on: