On Fri, Jun 04, 1999 at 09:45:40AM +1200, dylan(a)ihug.co.nz wrote:
I didn't do that myself, but one of the programming staff has, I am not sure what his conclusions were, I am CCing this to him...
The other thing you might be able to do, when the problems are occurring, is:

    tcpdump -s 2000 '(port 53) or icmp'

and then send me some.file. You're apparently running 8.1.2-T3B which fixes the bug smashing attack which I normally see fairly often... plenty of other people are running this version.
The load on the box never goes above about 0.3 even when named is pooping itself.
SYN Cookies won't help the load, it will help determine if you are being SYN flooded though. Actually, you could also do this:

    tcpdump -s 2000 -w some.file 'tcp[13] & 3 != 0'

and send me some.file -- this will show SYN and FIN packets. If there are zillions of SYN packets and very few FIN packets, it's probably a SYN flood (you'll also see lots of RST packets out-bound).
Could be, but I somehow doubt it, I am sure however there is at least one person on staff who would love to get (Free|Open|Net)BSD on the servers...
If it's a stack smashing attack, it might help. Mostly because the stack offsets are OS dependent and since only 9 people in the whole world (including Joe) run FreeBSD, probably nobody ever worked out an attack for it :)
Happened with 2.0.36 and 2.2.9 (patched). Doesn't seem to have anything to do with kernel. The variable we have isolated seems to be IP address and the fact the server is master.
Anyhow, I will forward the responses to people with more technical smarts than me and see what they say...
If you have the time and inclination, you might want to check out Dents, whose design is different and hopefully isn't vulnerable to poisoning attacks amongst other things...

-cw
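The SYN-versus-FIN check described in the message above, as an added example that is not part of the original email: it reads a capture in the classic pcap format that `tcpdump -w` writes and counts initial SYNs against FINs. The function names, the constructed sample capture and the ratio and minimum-count thresholds are assumptions for illustration.

```python
import struct

def build_pcap(flag_bytes):
    """Constructed sample: one Ethernet/IPv4/TCP packet per TCP flags byte."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 2000, 1)  # linktype 1 = Ethernet
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    for flags in flag_bytes:
        tcp = struct.pack("!HHIIBBHHH", 40000, 53, 0, 0, 0x50, flags, 1024, 0, 0)
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

def count_syn_fin(pcap):
    """Count initial SYNs (SYN set, ACK clear) and FINs in a classic pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap capture")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    counts, off = {"syn": 0, "fin": 0}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        # Keep IPv4/TCP only; skip truncated records and non-first fragments.
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue
        if struct.unpack("!H", pkt[20:22])[0] & 0x1FFF:
            continue
        tcp = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) <= tcp + 13:
            continue
        flags = pkt[tcp + 13]  # the same byte the tcp[13] capture filter tests
        if (flags & 0x12) == 0x02:
            counts["syn"] += 1
        if flags & 0x01:
            counts["fin"] += 1
    return counts

def looks_like_syn_flood(counts, ratio=10, min_syn=100):
    """Assumed thresholds: many SYNs and more than `ratio` SYNs per FIN."""
    return counts["syn"] >= min_syn and counts["syn"] > ratio * max(counts["fin"], 1)

if __name__ == "__main__":
    flood = build_pcap([0x02] * 500 + [0x12] * 4 + [0x11] * 3)
    print(count_syn_fin(flood), looks_like_syn_flood(count_syn_fin(flood)))
```

SYN-ACK replies are left out of the SYN count so that a busy server's own answers do not inflate it.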