Re: bind (named) compromised?




Hi James, 

you seem to be running an open DNS resolver, is that correct? And if so, do you do it intentionally?

I just received a US-CERT alert today that warns about ongoing amplification attacks, among others against DNS, but also against some other UDP-based services.

<https://www.us-cert.gov/ncas/alerts/TA14-017A>

From the symptoms you describe I'd say that your DNS server is being used in such an attack. 

> I also see a chroot directory, but if I grep for named it doesn't appear 
> to be using the chroot(?):
> # ps aux | grep named
> named     3497  0.4  0.7 170088 15836 ?        Ssl  23:02   0:02 
> /usr/sbin/named -u named
> root      3763  0.0  0.0  61192   764 pts/1    S+   23:13   0:00 grep named

Do you have the bind-chroot package installed?

Best regards, 

  Peter.
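
The two questions in the reply above (is named running chrooted, and is the server answering recursive queries for outsiders) can be checked mechanically. The following is an added example, not part of the original message: the function names, the chrooted command line and the `dig` reply headers are constructed for illustration, and `/var/named/chroot` is assumed as the chroot path.

```shell
#!/bin/sh
# Added example; sample inputs are constructed unless noted otherwise.

# Print the chroot directory given to named via -t, or return 1 if there is none.
# $1: full command line, e.g. taken from `ps -o args= -C named`.
named_chroot_dir() {
    set -- $1                      # split the command line into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)   [ $# -ge 2 ] && { printf '%s\n' "$2"; return 0; }; return 1 ;;
            -t?*) printf '%s\n' "${1#-t}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Read `dig` output on stdin (for instance `dig @<your-server> <name> A`, run
# from a host outside the networks the server is meant to serve). Succeeds when
# the reply has status NOERROR and the "ra" (recursion available) flag set.
reply_shows_open_recursion() {
    awk '
        /->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")      # keep only the flag words
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
        }
        END { exit !(ok && ra) }
    '
}

SAMPLE_PS='/usr/sbin/named -u named'                # as in the quoted ps output
SAMPLE_PS_CHROOT='/usr/sbin/named -u named -t /var/named/chroot'   # constructed
SAMPLE_DIG_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_DIG_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

if dir=$(named_chroot_dir "$SAMPLE_PS"); then
    echo "named chrooted to $dir"
else
    echo "named started without -t (not chrooted)"
fi
if printf '%s\n' "$SAMPLE_DIG_OPEN" | reply_shows_open_recursion; then
    echo "reply shows recursion for this client"
fi
```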


