
Re: [cobalt-security] [Raq4] named keeps using my CPU at max



On Fri, 2003-06-20 at 17:13, Nuno Figueiredo wrote:
> Hello
> i sent an e-mail previously asking how to find what process was eating up
> all the processor... ppl told me to use top.. but top is only reliable as a
> short time tool... because i can't be on 24h.... so someone sent me a script
> that worked fine.. and i figured out what is maxing my cpu... it's named
> ...does anyone know how to make it lower ?... or know any solution except
> stop using it ?

Someone or something is likely using your host as a resolver in an
unfriendly way.  It could be an out of the box Win2K machine, they have
brain dead (read extremely stupid) default configuration and can beat
the heck out of your name server.  Another possibility is some system
cracker is using you to do a reverse lookup of every IP on the Internet
or something.  Also, any sort of host that has you set up as a resolver
and then in turn has inbound DNS traffic (UDP 53) blocked can cause
problems.  I have encountered several cases of this sort of abuse; I
either resolved the issue with the remote end if they were friendly or
blocked them with a firewall.

There are basically two solutions I know of, one simple, one more
complex but better:

tcpdump -p -n -nn -t -s 128 "dst port 53 and dst host 10.0.0.1" >> /tmp/dump.out

Substitute the host IP of your machine for 10.0.0.1; this will
capture all DNS traffic to a file which you can parse to see who is
making all the queries and what they are looking up.

My preferred solution is to run Big Brother everywhere and monitor the
heck out of everything (www.bb4.com).  I wrote and contributed an
external plug-in module for Big Brother called bb-dns-load
(www.deadcat.net) that monitors DNS query load; if load exceeds a
configurable threshold (150/sec right now) I will be paged so I can
investigate.  The web output displays the top five users and top five
queries and checks to see if there is a relationship between the top
user and top query.  It is not unusual for a broken configuration to
send well in excess of a thousand identical queries a second.  That is
enough traffic to seriously stress your box.  One note of caution: if
you drop this traffic on a firewall, be careful how you log it (maybe
just count); I almost created a denial of service on myself that way.

Hope this helps . . .

Eric

> 
> Nuno Figueiredo
> MagicNet
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
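The parsing step Eric leaves to the reader, and the three things his bb-dns-load plug-in reports (top clients, top queries, and whether the top client is the one sending the top query), as an added shell example that is not part of the original thread and not bb-dns-load's own code. It assumes the capture was written by tcpdump with `-n -t` (numeric addresses and ports, no timestamps), so each line has the shape `[IP] SRC.PORT > DST.PORT: ID+ TYPE? NAME. (LEN)`; the sample capture, the 10.0.0.1 server address and the client addresses are constructed. Because `-t` drops timestamps, the rate check takes the capture length in seconds from the caller rather than from the file.

```shell
#!/bin/sh
# Added example: summarise a tcpdump DNS capture (tcpdump -n -t ... >> dump.out)
# the way the bb-dns-load report in the message is described.  Not code from
# the original message or from bb-dns-load.

# Constructed sample capture standing in for /tmp/dump.out.  Modern tcpdump
# prefixes lines with "IP"; older versions do not, and both shapes are handled.
SAMPLE_DUMP=$(mktemp)
trap 'rm -f "$SAMPLE_DUMP"' EXIT
cat > "$SAMPLE_DUMP" <<'EOF'
IP 192.0.2.10.1034 > 10.0.0.1.53: 4123+ A? www.example.com. (33)
IP 192.0.2.10.1035 > 10.0.0.1.53: 4124+ A? www.example.com. (33)
IP 192.0.2.10.1036 > 10.0.0.1.53: 4125+ A? www.example.com. (33)
IP 192.0.2.10.1037 > 10.0.0.1.53: 4126+ MX? example.com. (29)
IP 198.51.100.7.53 > 10.0.0.1.53: 9001 A? www.example.com. (33)
IP 198.51.100.7.53 > 10.0.0.1.53: 9002 PTR? 1.0.0.10.in-addr.arpa. (43)
IP 203.0.113.2.40000 > 10.0.0.1.53: 17 AAAA? mail.example.net. (34)
EOF

# Source addresses (port stripped), most frequent first: "COUNT IP" per line.
top_clients() {          # usage: top_clients FILE [N]   (N defaults to 5)
    awk '{ for (i = 2; i <= NF; i++) if ($i == ">") {
               src = $(i - 1); sub(/\.[0-9]+$/, "", src); print src } }' "$1" |
    sort | uniq -c | sort -rn | awk -v n="${2:-5}" 'NR <= n { print $1, $2 }'
}

# Query type and name, most frequent first: "COUNT TYPE? NAME" per line.
top_queries() {          # usage: top_queries FILE [N]   (N defaults to 5)
    awk '{ for (i = 1; i < NF; i++) if ($i ~ /\?$/) {
               q = $(i + 1); sub(/\.$/, "", q); print $i, q } }' "$1" |
    sort | uniq -c | sort -rn | awk -v n="${2:-5}" 'NR <= n { print $1, $2, $3 }'
}

# How much of the top query comes from the top client, as "SENT/TOTAL".
# A share near TOTAL/TOTAL is the "relationship" the message talks about:
# one broken resolver hammering the server with the same question.
top_client_share() {     # usage: top_client_share FILE
    client=$(top_clients "$1" 1 | awk '{ print $2 }')
    top=$(top_queries "$1" 1)
    total=${top%% *}                 # leading count
    query=${top##* }                 # trailing name, without the final dot
    sent=$(awk -v c="$client" -v q="$query." '
        { src = ""; name = ""
          for (i = 2; i <= NF; i++) if ($i == ">") {
              src = $(i - 1); sub(/\.[0-9]+$/, "", src) }
          for (i = 1; i < NF; i++) if ($i ~ /\?$/) name = $(i + 1)
          if (src == c && name == q) n++ }
        END { print n + 0 }' "$1")
    echo "$sent/$total"
}

# Succeeds (exit 0) when QUERIES spread over SECONDS exceeds THRESHOLD per
# second; 150/sec is the paging threshold quoted in the message.
over_threshold() {       # usage: over_threshold QUERIES SECONDS THRESHOLD
    [ $(( $1 / $2 )) -gt "$3" ]
}

echo "Top clients:";  top_clients "$SAMPLE_DUMP"
echo "Top queries:";  top_queries "$SAMPLE_DUMP"
echo "Top client's share of the top query: $(top_client_share "$SAMPLE_DUMP")"
if over_threshold "$(wc -l < "$SAMPLE_DUMP")" 1 150; then
    echo "Query rate over threshold"
fi
```

On a real capture, point the functions at `/tmp/dump.out` and pass the number of seconds tcpdump ran to `over_threshold`; counting lines in the firewall or capture rather than logging each one keeps the monitoring itself from becoming the load Eric warns about.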