
Re: [cobalt-users] Problem with named



Mike Fritsch wrote:

> For some reason we have been having problems with named on one of our RaQ3s, it
> has about 4 sites and not much traffic. Here is a copy while in top:
> 
> 50 processes: 39 sleeping, 3 running, 8 zombie, 0 stopped
> CPU states: 96.8% user,  3.1% system,  0.0% nice,  0.0% idle
> Mem:  257964K av,  61128K used, 196836K free, 125604K shrd,   6484K buff
> Swap: 131536K av,      0K used, 131536K free                 19292K cached
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
>   384 root      16   0  9232 9232   784 R       0 98.6  3.5 229:06 named
>  4683 admin      2   0  1000 1000   820 R       0  1.1  0.3   0:01 top

...<balance snipped>...

Craig had some good pointers, Mike.  Did you find anything in the logs? 
Another thing to look at besides zone transfers is that somehow your IP#
may have ended up getting posted somewhere as a nameserver for all
dialup customers to use <frown>.

(If so, you can set your copy of Bind to NOT allow recursion, but that's
a separate topic.)

Most probably though, it's a DOS attack; I'd check the logs and unless I
see a good reason for the activity, treat it as one.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA  92517
voice: (909) 787-8589  *  fax: (909) 782-0205
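
The two restrictions mentioned in the reply above (recursion and zone transfers), as an added `named.conf` sketch that is not part of the original message. It assumes a BIND version that supports `allow-recursion`; the ACL names and all addresses are constructed placeholders from documentation ranges.

```conf
// Added example, not from the thread. All addresses are constructed placeholders.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;          // hypothetical: the networks you actually serve
};

acl "secondaries" {
    198.51.100.53;         // hypothetical: your secondary nameserver
};

options {
    // Weak default: with no restriction here, named performs recursive
    // lookups for any client that can reach port 53.

    // Hardened: recurse only for known clients.
    allow-recursion { trusted; };

    // If the box is authoritative-only, turn recursion off entirely instead:
    // recursion no;

    // Hand out full zone copies only to the listed secondaries.
    allow-transfer { secondaries; };
};
```

Reload named after the change and watch the logs again: refused recursive queries and denied transfers from outside the ACLs show who was generating the load.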