DOS Attacks on BIND 8.2.2 p5
Jim Reid
jim at rfc1035.com
Fri Jan 28 17:29:49 UTC 2000

>>>>> "Eric" == webmaster <webmaster at lawtonok.net> writes:
Eric> I was wondering if there were any known DOS attacks
Eric> for BIND 8.2.2 p5. I am running BIND as primary and
Eric> secondary on 2 different machines running WIN NT 4 with sp
Eric> 5. For the past day or so we have had problems with both
Eric> machines' BIND service just stop responding. Usually
Eric> starting and stopping the service will fix the problem for a
Eric> few minutes, but then they stall again. I have noticed that
Eric> whenever I shut down the router, the services run fine, but
Eric> when it is brought back the BIND service on both machines
Eric> seems to stall again. Any help would be appreciated!

I presume DOS means Denial of Service, not some sort of operating
system you find on some PCs. Yes, there are denial of service attacks
that work on most name servers: just flood 'em with a few thousand
queries every second.

Take a look at:

http://www.cert.org/current/current_activity.html#bind

for pointers to a couple of relevant alerts and some general info
about denial of service attacks.

It would be a good idea to turn on query logging to find out what
traffic your servers are handling. So would using tcpdump or a packet
sniffer to see what stuff is going through your router to/from the
name servers. It might be that you've not got a malicious DoS
attack. Perhaps you've just got some idiot or misconfigured resolvers
that saturate the name servers.
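
One way to act on the query-logging advice above, added here as an example and not part of the original message: summarize a query log per client so that a single resolver repeating one question can be told apart from a high-rate source asking for many different names. The log line shape, the function name `summarize`, the thresholds and the sample lines are all assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape (constructed, modelled on BIND 8 query logging via syslog):
#   "<Mon DD HH:MM:SS> <host> named[pid]: XX+/<client>/<qname>/<qtype>/<qclass>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bXX[+ ]?/"
    r"(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>\S+)"
)

def summarize(lines, rate_limit=100, repeat_ratio=0.9):
    """Classify each client by peak queries/second and how repetitive it is."""
    per_second = defaultdict(Counter)  # client -> {timestamp: queries}
    questions = defaultdict(Counter)   # client -> {(qname, qtype): queries}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a query-log line
        per_second[m["client"]][m["ts"]] += 1
        questions[m["client"]][(m["qname"].lower(), m["qtype"])] += 1
    report = {}
    for client, seconds in per_second.items():
        total = sum(seconds.values())
        peak = max(seconds.values())
        top_count = questions[client].most_common(1)[0][1]
        if peak < rate_limit:
            verdict = "normal"
        elif top_count / total >= repeat_ratio:
            verdict = "repeating-resolver"  # same question over and over
        else:
            verdict = "varied-flood"        # high rate, many different names
        report[client] = {"total": total, "peak_qps": peak, "verdict": verdict}
    return report

# Constructed sample input; addresses are documentation ranges.
SAMPLE = (
    ["Jan 28 17:00:01 ns1 named[77]: XX+/192.0.2.10/www.example.com/A/IN"] * 6
    + [f"Jan 28 17:00:01 ns1 named[77]: XX+/198.51.100.7/h{i}.example.net/A/IN"
       for i in range(6)]
    + ["Jan 28 17:00:02 ns1 named[77]: XX+/203.0.113.5/mail.example.org/MX/IN",
       "Jan 28 17:00:02 ns1 named[77]: Ready to answer queries."]
)

if __name__ == "__main__":
    for client, row in sorted(summarize(SAMPLE, rate_limit=5).items()):
        print(client, row)
```

The sample run uses `rate_limit=5` only so the small constructed log trips the thresholds; a real limit depends on the server's normal load.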