DNS attacks and preventing them.
Travis S
Howdy all,

I just had a server attacked and successfully taken offline via a DNS attack. In the space of 10 seconds, I had just over 100 error-causing connections to my DNS server:

QUOTE (/var/log/messages)
Jul 14 10:25:54 mercury named[12766]: client 127.0.0.1#53804: no more recursive clients: quota reached
Jul 14 10:25:54 mercury named[12766]: client 127.0.0.1#53805: no more recursive clients: quota reached
... snip ...
Jul 14 10:26:05 mercury named[12766]: client 127.0.0.1#53917: no more recursive clients: quota reached
Jul 14 10:26:05 mercury named[12766]: client 127.0.0.1#53918: no more recursive clients: quota reached

What's throwing me for a loop is the client being local. There's only one account with SSH access and by what the log is telling me, no one was logged in. Until these error messages started popping up, the most recent copy from the logs was a reverse lookup from Brazil:

QUOTE
Jul 14 09:30:03 mercury named[12766]: lame server resolving '91.30.231.200.in-addr.arpa' (in '30.231.200.in-addr.arpa'?): 200.255.253.241#53


I'm at a loss. Any thoughts? I'm running cPanel, possibly a vulnerability there?
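
A way to triage log lines like the ones quoted in the post above, as an added example that is not part of the original thread: it counts named's "quota reached" rejections per client inside a sliding window and marks loopback sources, which mean the queries come from a process on the server itself. The sample lines, the window and threshold values, and the year (syslog timestamps carry none) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample in the syslog format quoted in the post (not the real log).
SAMPLE = """\
Jul 14 09:30:03 mercury named[12766]: lame server resolving 'x.example' (in 'example'?): 192.0.2.53#53
Jul 14 10:25:54 mercury named[12766]: client 127.0.0.1#40001: no more recursive clients: quota reached
Jul 14 10:25:54 mercury named[12766]: client 127.0.0.1#40002: no more recursive clients: quota reached
Jul 14 10:25:55 mercury named[12766]: client 192.0.2.10#40003: no more recursive clients: quota reached
Jul 14 10:25:57 mercury named[12766]: client 127.0.0.1#40004: no more recursive clients: quota reached
Jul 14 10:26:05 mercury named[12766]: client 127.0.0.1#40005: no more recursive clients: quota reached
Jul 14 10:26:05 mercury named[12766]: client 127.0.0.1#40006: no more recursive clients: quota reached
"""

QUOTA_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f:.]+)#\d+: "
    r"no more recursive clients: quota reached"
)

def quota_bursts(lines, window=10, threshold=3, year=2000):
    """Map client IP -> (peak rejections within `window` seconds, is_loopback)
    for every client whose peak reaches `threshold`. `year` is a placeholder
    because classic syslog timestamps omit it."""
    events = defaultdict(list)
    for line in lines:
        m = QUOTA_RE.match(line)
        if m:  # other named messages (e.g. "lame server") are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    bursts = {}
    for ip, stamps in events.items():
        stamps.sort()
        peak = lo = 0
        for hi, t in enumerate(stamps):
            # Shrink the window from the left until it spans <= `window` seconds.
            while (t - stamps[lo]).total_seconds() > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            bursts[ip] = (peak, ip_address(ip).is_loopback)
    return bursts

if __name__ == "__main__":
    for ip, (peak, local) in quota_bursts(SAMPLE.splitlines()).items():
        origin = "local process" if local else "remote client"
        print(f"{ip}: {peak} quota rejections within 10s ({origin})")
```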
Travis S
It looks like it was a cPanel vulnerability. In May, I upgraded to the latest version of WHM which doesn't start at the News page. My mistake was not checking the news page more often. It looks like it was a problem with cPanel's suexec/mod_php handlers. I haven't looked up the specifics of it, but it wouldn't surprise me.

I'm in the process of upgrading, and would highly recommend the same to anyone else.